The Australian Cyber Security Centre (ACSC) has released its third annual threat report, indicating a significant increase in cybercrime incidents across Australia. The report shows that over the last financial year, the ACSC received more than 76,000 cybercrime reports, marking a 13% rise from the previous year. This frequency equates to a cybercrime report every seven minutes, an uptick from the prior rate of one every eight minutes.
This increase comes against the backdrop of several high-profile data breaches, including cyber attacks on major entities such as Optus and Medibank, which have exposed the personal data of millions of Australians. However, the ACSC notes that the actual scale of cybercrime is likely larger, as many attacks remain unreported.
The head of the ACSC, Abigail Bradshaw, highlighted the growing sophistication of cybercriminal activities. She pointed to the commercialization of malware and cybercrime tools, and to the weaponization and monetization of sensitive stolen data by criminal gangs. Bradshaw expressed particular concern over the rapid exploitation of critical software vulnerabilities by criminal groups and hostile states, noting that some vulnerabilities are now being exploited within days or hours, a significant acceleration from the past.
The ACSC’s report also sheds light on two serious cyber attacks that led to extensive compromises of critical infrastructure, a federal government agency, or government shared services. Details of these incidents, however, were not disclosed in the report.
There has been a notable rise in ransomware attacks, with businesses reporting a significant increase in incidents where personal information of Australians is released as part of extortion tactics. The ACSC responded to 135 ransomware incidents last financial year, which is a 75% increase from the previous year.
The financial impact of cybercrime on Australian businesses has also escalated. The average cost of each cybercrime incident reported has risen to nearly $40,000 for small businesses, about $88,000 for medium businesses, and over $62,000 for large businesses. In addition to direct financial losses, the report highlights the prevalence of business email compromise scams, which have led to significant financial damages, with some businesses in Western Australia incurring losses exceeding $1 million.
Bradshaw also commented on the international dimensions of cybercrime, noting the use of cyber warfare in Russia’s invasion of Ukraine and the mobilization of online criminal gangs to target Ukrainian government entities. This trend represents a notable integration of cyber and conventional warfare. The report also observes that various criminal and independent groups have conducted cyber activities supporting Russian or Ukrainian interests, independent of their respective government commands.
Earlier this year, the ACSC issued warnings to Australian organizations to be vigilant against potential cyber attacks from Russian-aligned cyber groups, especially following Australia’s support for Ukraine. However, the report does not specify instances of Russian groups targeting Australian businesses or government entities directly.