More Australians are reporting being targeted by cyber criminals, as the nation’s digital spy agency points the finger at China as the major backer of serious hacking of Australian companies and critical infrastructure.
The Australian Signals Directorate (ASD) has released its cyber threat report for the past financial year, a period that included high profile data breaches at the nation’s second largest telco, Optus, and largest private health insurer, Medibank.
The release of the information is timely, given last week’s attack against port operator DP World and ASD’s ongoing involvement with the company to establish what went wrong.
The number of major cyber security incidents where ASD was forced to step in to tackle hackers and stem the damage from attacks remained steady in 2022-23, at more than 1,100.
Serious attacks crippling federal government agencies or critical infrastructure and leading to “isolated” or “extensive compromise” of sensitive data rose from two to five.
While last year’s Optus hack was considered “extensive” by authorities, telecommunications companies have not been included in the Commonwealth’s critical infrastructure regime.
The federal government has signalled its plans to change that this week.
Almost 94,000 reports of cybercrime were made to law enforcement agencies by individuals and businesses across the country – an increase of 23 per cent from the previous financial year – with the average cost of attacks to companies increasing by 14 per cent.
Losses for small businesses hit by cyber attacks averaged almost $30,000 in the 2020-21 financial year, increasing to almost $46,000 last year.
The most cybercrime reports came in from Queensland and Victoria. But authorities believe that is due to victims in those states being more diligent in alerting officials rather than being targeted more frequently than other jurisdictions.
“Queensland and Victoria report disproportionately higher rates of cybercrime relative to their populations,” the report stated.
“However, the highest average reported losses were by victims in New South Wales (around $32,000 per cybercrime report where a financial loss occurred) and the Australian Capital Territory (around $29,000).”
China singled out as culprit
ASD said state-backed cyber hackers continued to threaten major companies and critical infrastructure, with China singled out as the main culprit for such attacks.
Hackers linked to Russia, often referred to by agencies as “Russian-speaking eastern European” criminals, have also been detected targeting Australians.
In May, Australia joined its Five Eyes intelligence partners to name China as responsible for cyber attacks on US infrastructure.
“We’ve never pretended that this relationship is easy,” Defence Minister Richard Marles told the ABC’s AM program.
“We value, clearly, a productive relationship with China — they’re our largest trading partner, so it’s right to be investing in that relationship.
“But China has been a source of security anxiety for our country, and we prepare for that as well.”
ASD highlighted the actions of Russian criminals during the ongoing illegal invasion of Ukraine as an example of state-supported cyber attacks.
“Malicious cyber actors have targeted and disrupted hospitals, airports, railways, telecommunication providers, energy utilities, and financial institutions across Europe,” the report said.
“Destructive malware was also used against critical infrastructure in Ukraine.”
Mr Marles said Australia would grow as a target for state-backed cyber criminals as it bolsters its military technology.
ASD noted the AUKUS agreement, focusing on the development of nuclear-powered submarines, was “likely a target for state actors looking to steal intellectual property for their own military programs”.
While insisting the pact would not be the sole driver of that attention, Mr Marles conceded it would fuel interest in Australia.
“As we become more militarily capable, that is obviously going to draw attention in terms of the areas that other actors are going to be interested in,” he said.
Companies fear legal consequences
Australia’s intelligence establishment has lamented the lack of cooperation offered by some major companies hit by cyber attacks.
There are concerns sensitive data relating to the scale and scope of hacks is being withheld from agencies such as ASD, with company lawyers worried such information will be used against them in later legal action by customers and regulators.
The federal government is considering new legislation, similar to what is in place for agencies in the United States, which would create a “legal safe harbour” and ensure information provided to intelligence agencies in such circumstances could not be used for other purposes.
“That safe harbour concept is absolutely a concept that we want to see pursued,” Mr Marles said.
“We need to be building the greatest possible confidence that we can for companies to interact with ASD in the moment when the attack is actually happening.”
ASD was somewhat resigned to the fact Australia was an attractive target for keyboard criminals given the country’s relative wealth and strong reliance on connectivity, and feared the available data about cyber attacks in Australia represented only a fraction of what was occurring.
In identifying future threats at home, ASD highlighted the food and grocery sector as being vulnerable to future cyber attacks.
“Food and grocery organisations are an attractive target for malicious cyber actors as this sector’s provision of essential supplies has little tolerance for disruption,” the report stated.
“The sector is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems.
“Additionally, many entities in this sector hold sensitive data that may be of value to malicious cyber actors, such as personal information or intellectual property.”