Executive Summary
Over the 2021–22 financial year, the deterioration of the global threat environment was reflected in cyberspace. This was most prominent in Russia’s invasion of Ukraine, where destructive malware resulted in significant damage in Ukraine itself, but also caused collateral damage to European networks and increased the risk to networks worldwide.
In Australia, we also saw an increase in the number and sophistication of cyber threats, making crimes like extortion, espionage, and fraud easier to replicate at a greater scale. The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year.
This equates to one report every 7 minutes, compared to every 8 minutes last financial year. The ACSC identified the following key cyber security trends in the 2021–22 financial year:
■ Cyberspace has become a battleground. Cyber is increasingly the domain of warfare, as seen in Russia’s use of malware designed to destroy data and prevent computers from booting in Ukraine. But Russia was not alone in its use of cyber operations to pursue strategic interests. In July 2021, the Australian Government publicly attributed exploitation of Microsoft Exchange vulnerabilities to China’s Ministry of State Security. And a joint Five-Eyes Advisory in November 2021 confirmed exploitation of these vulnerabilities by an Iranian state actor. Regional dynamics in the Indo-Pacific are increasing the risk of crisis and cyber operations are likely to be used by states to challenge the sovereignty of others.
■ Australia’s prosperity is attractive to cybercriminals. According to a 2021 Credit Suisse report, Australia has the highest median wealth per adult in the world. In 2021–22, cybercrimes directed at individuals, such as online banking and shopping compromise, remained among the most common, while Business Email Compromise (BEC) trended towards targeting high value transactions like property settlements.
■ Ransomware remains the most destructive cybercrime. Ransomware groups have further evolved their business model, seeking to maximise their impact by targeting the reputation of Australian organisations. In 2021–22, ransomware groups stole and released the personal information of hundreds of thousands of Australians as part of their extortion tactics. The cost of ransomware extends beyond the ransom demands, and may include system reconstruction, lost productivity, and lost customers.
■ Worldwide, critical infrastructure networks are increasingly targeted. Both state actors and cybercriminals view critical infrastructure as an attractive target. The continued targeting of Australia’s critical infrastructure is of concern as successful attacks could put access to essential services at risk. Potential disruptions to Australian essential services in 2021–22 were averted by effective cyber defences, including network segregation and effective, collaborative incident response.
■ The rapid exploitation of critical public vulnerabilities became the norm. Australian organisations, and even individuals, were indiscriminately targeted by malicious cyber actors. Malicious actors persistently scanned for any network with unpatched systems, sometimes seeking to use these as entry points for higher value targets. The majority of significant incidents ACSC responded to in 2021–22 were due to inadequate patching.
In the face of rising threats to the digital-dependent Australian economy, cyber defence must be a priority for all Australians. The most effective means of defending against cyber threats continues to be the implementation of the Essential Eight cyber security strategies. To support this, the ACSC launched several new initiatives in 2021–22 to improve Australia’s cyber resilience, such as a Cyber Threat Intelligence Sharing (CTIS) platform which automates sharing of indicators of compromise. The Australian Government’s ten year investment in ASD, known as REDSPICE, will further harden Australia’s cyber defences in 2022–23 and beyond.
