Release of the Australian Cyber Security Centre’s 2017 Threat Report

October 10, 2017

Today the Hon Dan Tehan launched the Australian Cyber Security Centre’s (ACSC) 2017 Threat Report at the National Press Club. Threat reports are now quite common throughout developed economies, published by both governments and specialist security companies. The results are in line with other overseas reports: attacks are increasing, they are becoming more sophisticated, and ransomware is becoming a particularly challenging problem.

In his speech Tehan highlighted an example of a contractor in the security industry suffering a data breach in November 2016. That has resulted in significant coverage, such as in Computerworld and the ABC.

People are falling for online scams, email phishing, identity theft, credit card fraud, and ransomware at an alarming rate.

Yet these crimes continue to fly under the public radar.

This must change.

Last time I spoke at the National Press Club on cyber security, I highlighted the real threats to our national interest. I stated that cyber espionage is alive and well. I told you that threats to our Government systems and critical infrastructure were real. I warned that the risk of cyber terrorism will become a reality in a few years’ time.

All of this remains true.

Today, in launching the Australian Cyber Security Centre’s (ACSC) 2017 Threat Report, I would like to highlight how cyber security is not just the business of national security but something that must become second nature to all Australians.

Cyber security is not just the domain of our intelligence agencies or our Defence Forces to protect against stolen secrets and cyber-attacks.

Cyber security is as relevant for mums and dads, small business owners and local communities to keep their data, their money, and their identities secure.

This ACSC 2017 Threat Report is important because it gives us a clear understanding of the state of the cyber risks to our nation and to our local communities.

It allows us to see what we are doing right, what needs to be addressed and the priorities we need to immediately focus on.

The ACSC in the last 12 months has identified 47,000 cyber incidents, a 15 percent increase on last year.

Over half of these incidents were online scams or fraud, which saw an increase of over 22 percent.

In contrast, only one instance of cybercrime has fallen, the prevalence of illegal or prohibited material. This is down 3.1 percent.

In 2016/17, the ACSC reported that 7,283 cyber security incidents affected major Australian businesses.

The ACSC also responded to 734 cyber incidents affecting private sector systems of national interest and critical infrastructure providers.

Most concerning is that these attacks were more elaborate than those we have seen in previous years.

It is clear that the malicious actors looking to target major systems and critical infrastructure are increasing the sophistication of their vectors.

But they are not alone. Like nation states, cybercriminals are using more complex methods to target businesses, large and small. In particular, they are using increasingly personalised techniques to trick their victims.

The ACSC has seen targeting of non-traditional victims, such as automotive, accommodation, and hospitality businesses increase by around 50 percent.

While all these figures are alarming, cybercrime is still under-reported.

Can I highlight one more important message: if you are hit by cybercrime, don’t regret it, report it.

If you don’t tell us you’ve been hit, we can’t help you. It’s hard enough to catch the criminals who did it. But if you don’t report it, it makes it impossible and leads to more victims.

These are the key messages that have been reinforced by the 2017 Threat Report.

First, business for cybercriminals is booming across the nation and it is impacting all of us.

Second, victims of cybercrime need to report.

And finally, the best way to improve our cyber security is for government, business and individuals to work together.

As the Report notes, the responsibility remains with all of us – individuals, the private sector and government. We must increase the effectiveness of our prevention, the effectiveness of our detection and speak up when we are impacted.

This 2017 Threat Report has covered the year of global ransomware.

In May, WannaCry led to over 200,000 victims, over 300,000 infected computers and created economic losses in the hundreds of millions.

It exploited a vulnerability that had been discovered and fixed earlier in the year. Only those who had not updated their software were impacted by this attack.

It showed that having the solution did not mean that everyone took the required measures to protect themselves.

In the Ukraine, banks closed and confidence plummeted. In the United Kingdom, the National Health Service was frozen and patients were left without care.

Barely six weeks later, Petya ransomware attacked global companies including DLA Piper, Maersk Shipping, and FedEx. The recovery effort has taken months with share prices for listed companies suffering.

These events provide the context for the 2017 Threat Report. It has been a year where known vulnerabilities have been exploited by a range of malicious cyber actors.

In terms of government, in 2016/17 our networks were regularly targeted by cybercriminals, issue-motivated groups and individuals, and nation states.

Last financial year, the Australian Signals Directorate (ASD) as part of the ACSC responded to 671 cyber security incidents considered serious enough to warrant operational responses.

As the Report states, no federal or state government network is exempt from malicious cyber activity. Today, I can publicly speak about one such incident.

In November 2016, the ACSC became aware that a malicious cyber actor had successfully compromised the network of a small Australian company with contracting links to national security projects.

ACSC analysis confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data. The adversary remained active on the network at the time of the ACSC investigation.

Analysis showed that the malicious actor gained access to the victim’s network by exploiting an internet or public-facing server, which they accessed using administrative credentials.

Once in the door, the adversary was able to establish access to other private servers on the network.

The ACSC worked with the affected company to remediate the compromise, remove the malicious actor and provide tailored advice on how to prevent this happening in the future.

What is happening to mums and dads and the community more generally is just as alarming.

Business is booming for cybercriminals and cybercriminals are treating cyber as business.

Cybercriminals have become so successful that they have started to expand using franchise models.

The ACSC has seen operators of cyber threat software and hardware selling their kits and easy-to-use applications to other operators or affiliates who may not have the technical skill to create the software from scratch.

The days of the cyber threat being deployed by a hooded computer geek in a basement are over. Sophisticated organised criminal networks are taking control and franchising their business model.

Ransomware, data-theft, spyware and other infrastructure can be purchased on the darkweb by anyone with an internet connection.

Of particular note is Ransomware-as-a-Service, which sees anyone with a computer being able to use ransomware kits so long as they pay a fee to the original creator or seller. This model means that cybercrime is expanding rapidly.

In 2017, the Australian Cyber Security Centre has seen an increase in business email compromise through targeted phishing emails.

Email phishing is where a person will send out thousands of emails hoping some of the recipients will take the bait by clicking on a dodgy link or opening an attachment.

The advice is, if you can’t identify the sender of an email, don’t open it or click on any attachments.

The ACSC Threat Report shows that cybercriminals are beginning to target businesses and individuals with better and more sophisticated bait on their phishing lines.

Small businesses in particular were targeted by themed phishing emails, which use common payment arrangements to steal money.

For example, a cybercriminal might gain access to a small business’ email system. Once inside the system, the cybercriminal can see emails like anyone else in the business.

They can then set up email rules to allow them to intercept incoming mail and hide their presence entirely from the small business.

When they are ready, the criminal can then intercept the emails they want to forge – let’s say an email with an invoice from the small business’ stationery supplier.

They will then create a fake invoice that looks exactly like the original and change one thing: the bank account details. Then they send the revised stationery invoice to the small business for it to be paid.

If the criminal is careful, they may have already sent an email a week prior notifying the small business that the payment details for the stationery invoice were about to change to avoid raising suspicion.

As far as the small business is concerned, nothing has happened.

The small business pays the invoice thinking it is going to the stationery supplier.

No one is any the wiser until the stationery company calls chasing its unpaid invoice.

In one real world example, this kind of business email compromise cost a large Australian business half a million US dollars.

Over the course of 2016-17, reports to the ACSC indicated losses of over 20 million dollars due to business email compromise. This was up from 8.6 million dollars in 2015-16, representing an increase of over 130%.

This is only a small percentage of total activity. As I have previously mentioned, both misreporting and underreporting of cybercrime occurs constantly.

If you’re affected by cybercrime, speak up – don’t regret it, report it.

Of the reported incidents that impacted business, fewer than 60 percent came forward to report what had happened. For the other 40 percent, the incidents were identified by the ACSC.

And these are only the incidents that we know about.

There may be many reasons for people being shy in their reporting. The fear of public reaction to being a victim of a cybercrime is something that all businesses can understand. There may also be a lingering lack of knowledge about what to do when you are hit.

We already know what happens when victims of cybercrime don’t speak up. Anyone with a Yahoo email account can tell you the anger they will have felt when finding out that their email account had been compromised for years before the company came forward.

Equally, we know what happens when organisations are candid. Last year the Red Cross came forward when it realised that data on their blood donors had been made publicly available unintentionally. As soon as they realised that personal information had been publicly released, they held a press conference, proactively notified those affected and offered support services.

In the public eye, honesty is a better approach than a cover up. The way the Red Cross handled their unintentional data spill is proof positive of this.

If you are a victim of cybercrime, you have done nothing illegal.

Hiding cybercrime only allows cybercriminals to continue to break the law.

When your house or car is broken into, you report it to the police. We must have the same mindset when it comes to cybercrime.

This week is Stay Smart Online Week, and the theme for this year is ‘simple steps to online safety.’ We have identified five simple steps that can help Australians be safer online.

They are:

  1. Limit what you share – be proactive in managing your privacy. You don’t need to publish your birthdate, birthplace and profession on Facebook. The more details you put online, the easier it is to steal your identity.
  2. Create strong passwords – at least 16 characters long. We know that 81% of hacking-related breaches leverage either stolen and/or weak passwords. “Password1” does not cut it.
  3. Protect yourself online – regularly update all software, and ensure you have anti-virus software on all your devices including your smartphone and tablet. Updating apps on a smartphone can be something that is often put off. We’ve all ignored the updates waiting for us in the appstore. But the longer a version of software exists, the longer anyone has to find where the security is weak. Any cybercriminal will know the vulnerabilities of an old version of a piece of software and exploit it.
  4. Back up your data – back up your data as often as you can. If the worst happens and you do become compromised, having a copy reduces the damage. Particularly with regard to ransomware and requests to pay a ransom for your information, it will be an easy demand to ignore if you already have a copy. Backup important information daily.
  5. Avoid online scams – watch out for suspicious messages, links and attachments. You should always be suspicious of unsolicited emails requesting personal or financial information. If you have doubt regarding the legitimacy of an email, contact the organisation to confirm by using a phone number or form sourced from the legitimate website.

These seem like simple and obvious measures and they are. Just like locking the door or installing an alarm, they’re simple things we can do to keep ourselves safer.

For its part, the Government is taking action to protect all Australians. It involves developing a better culture of cyber security and cracking down on cyber threats.

Earlier this year, the Prime Minister asked the Australian Signals Directorate to use its offensive cyber capabilities to target organised offshore cyber criminals.

The use of this capability, which is already being used offshore to help efforts against terrorist organisations such as ISIS, is subject to stringent legal oversight and consistent with our obligations under international law.

The use of offensive cyber capabilities will add to the Government’s crime-fighting arsenal and form part of our broader strategy to prevent and shut-down safe-havens for offshore cyber criminals.

Cyber security and law enforcement measures will naturally continue to sit at the forefront of our response to cyber threats.

As the Prime Minister has said, we must take the fight to the criminals.

Since I last addressed the National Press Club, we have made significant progress on implementing Australia’s Cyber Security Strategy.

While there is still more to be done, as we move towards the second anniversary of the Strategy we are starting to see the benefits of initiatives by both Government and business.

In January, the Australian Cyber Security Growth Network (AustCyber) became operational and has been working to ensure that Australian businesses take advantage of the billion dollar opportunities in the global cyber security industry. We must remember that every threat is a commercial opportunity for an Australian cyber business.

In February, we opened the first Joint Cyber Security Centre in Brisbane. These centres enable industry, government and law enforcement to work together to combat cyber threats. Tomorrow, the Attorney-General and I will be opening another centre in Melbourne.

In April, we released the ASX 100 Health Check of Australia’s leading businesses. These cyber Health Checks provided a valuable snapshot of the cyber resilience of Australia’s largest companies.

In June, we established the Academic Centres of Cyber Security Excellence to grow our cyber security workforce, ensure we are world-leading in research, and help educate our population on cyber security threats and opportunities.

That same month, we announced the creation of the Joint Cyber Unit as part of the new Information Warfare Division in Defence. The Unit will be tasked and authorised to conduct offensive cyber operations in response to cyber-attacks against Australian Defence Force (ADF) deployed ICT systems, such as those in tanks, on aircraft and on ships. We are also looking to establish cyber reserves within our ADF.

In July, the Government accepted the recommendations of the Independent Review of the Intelligence Community to reform the Australian Cyber Security Centre and the Australian Signals Directorate. Importantly, this will see the growth of the ACSC’s ability to respond to cyber incidents around the clock.

In September, the Government and industry partners committed $140 million to establish a Cyber Security Cooperative Research Centre. The centre will deliver key cyber security advancements including ensuring the security of critical infrastructure by developing innovative approaches and the next generation of industry, government and research leaders in cyber security.

Last week, we launched Australia’s first International Cyber Engagement Strategy, which put us at the forefront of international efforts to promote and protect a peaceful and stable online environment. The global nature of cyberspace means we must cooperate internationally to advance and protect our shared interests in cyberspace. Importantly, the strategy reaffirms Australia’s strong view that existing international law applies in cyberspace, complemented by norms of responsible state behaviour.

And yesterday, we launched a new online communications campaign as part of Stay Smart Online Week. These videos outline how to implement the simple measures I have spoken about to secure our information and be safe online. Awareness of these measures across the community is critical.

Building cyber resilience through cultural change and creating new capability takes time. But time is of the essence and we must act quickly.

As the 2017 Threat Report shows, each day, there are Australian businesses that are being robbed, held to ransom, or shut down.

In the next twelve months, there will be more globally significant attacks. There are new cyber threats on the horizon, such as cyber terrorism.

They all pose a danger of financial and social damage.

It is why cyber security must become second nature to all Australians.

It is why we must follow the simple steps to keep ourselves safe online.

It is why we must report when we are hit.

In the end it is up to all of us – Government, business and individuals – to take the fight to criminals online and keep all Australians safe.
