Cyber security incidents now having 'substantial' impact more often: ACSC

The Australian Cyber Security Centre responded to more than 1600 cyber security incidents over the past financial year, with the federal, state and local government sectors accounting for more than one-third.

The latest annual cyber threat report [pdf], released on Wednesday, reveals the ACSC responded to 1630 cyber security incidents in the 2020-21 financial year, around 636 fewer than in 2019-20.

But a higher proportion of the incidents that it responded to were categorised as ‘category four’ or “substantial in impact”.

ACSC triages cyber security incidents based on the severity of impact and extent of compromise using six categories, with ‘category one’ - or incidents that impact national security, essential services and critical infrastructure - being the worst.

“Category four incidents accounted for nearly half (49 percent) of the reported cyber security incidents in the 2020-21 financial year,” the report said.

“This is a change from the previous financial years, when the highest proportion of cyber security incidents was at category five (36 percent), and category four cyber security incidents accounted for only a third of total cyber security incidents (35 percent).”

ACSC put the change partially down to “an increase in attacks by cyber criminals on larger organisations and the impact of these attacks on victims”.

The highest proportion of incidents, however, continued to relate to “low-level malicious activity” such as targeted reconnaissance or phishing, which accounted for more than half of all incidents.

Government still the worst offender

Of the cyber security incidents reported to ACSC in 2020-21, government continued to be the top reporting sector, accounting for more than one-third of all incidents.

The Commonwealth government reported 19.5 percent of incidents, followed by state, territory and local government with 15.2 percent of incidents.

But ACSC said the higher reporting frequency was partially due to “obligations to report significant cyber security incidents to the ACSC” and “may not necessarily reflect an increased susceptibility”.

Australia’s critical infrastructure sectors, including education, health, communications, electricity, water and transport, represented around a quarter of reported cyber security incidents.

ACSC said the “top ten reporting sectors accounted for approximately 77 percent of all incidents for the 2020-21 financial year”.

Source: ACSC

Assistant minister for Defence Andrew Hastie pointed to the frequency of incidents on critical infrastructure as a reason for the Security Legislation Amendment (Critical Infrastructure) Bill.

“The Government is taking action. We have introduced legislation to ensure that, in the event of a large-scale cyber attack on our critical infrastructure, our cyber and law enforcement agencies are empowered to provide greater and more immediate support,” he said.

Ransomware reports climb 15 percent

Around 10 percent of cyber security incidents that ACSC responded to were related to ransomware, with the professional, scientific and technical services sector and health sector the worst affected.

Manufacturing; education and training; and the state, territory and local government sectors make up the remainder of the top five reporting sectors for ransomware.

“The top five reporting sectors for ransomware-related incidents accounted for approximately 50 percent of all ransomware-related incidents reported to the ACSC,” the 2020-21 report said.

ACSC received almost 500 ransomware cyber crime reports in total through its ReportCyber service in 2020-21, which it said represented an increase of nearly 15 percent on 2019-20.

Total cyber crime reports climbed to more than 67,500 in 2020-21, or one report every eight minutes, representing a 13 percent increase.

First bankruptcy caused by BEC

Business email compromise (BEC) accounted for around seven percent of cyber crime reports in 2020-21, a slight decrease on the previous financial year.

But while the number of reports of BEC has dropped, self-reported financial losses have increased by 15 percent, with total losses coming in at approximately $81.45 million in 2020-21.

It is just a fraction of the total self-reported losses from cyber crime in 2020-21, which totalled more than $33 billion.

BEC also resulted in the bankruptcy of an Australian hedge fund in September 2020, believed to be the “first bankruptcy case as a direct result of a cyber crime incident”.

“The BEC involved false invoices with the company transferring $8.7 million (AUD) to bank accounts controlled by the offenders,” the report said.

“While the business recovered the majority of its funds, it suffered significant reputational damage and its main client withdrew.

“This forced the hedge fund to go into receivership and resulted in its bankruptcy.”