An “Australian energy provider” was hacked by a sophisticated state actor just days after a new exploit was revealed. The intruder was swiftly spotted and locked out before damage was done, after authorities proactively prompted urgent threat-hunting checks across the critical infrastructure community.

That’s the real-life picture of a day at work at the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC), which has just released its 2022 Threat Report, an annual stocktake of malicious activity hitting Australia as well as global cyber diseases we’re likely to contract.

In April 2022, ASD and ACSC spotted a new exploit in the wild and hit the ‘patch-or-UR-Pwned’ alarm (our words) that catapults system admins out of bed.

“Immediate actions from the energy provider in response to ACSC’s notification confirmed 2 servers had been exploited. Existing network segmentation, specifically a demilitarised zone (DMZ)—a network kept separate from the core network to protect information from less trusted networks, such as the internet—worked as intended. As a result, energy operations were not disrupted,” ACSC said.
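The segmentation that contained that intrusion is easier to picture as a firewall policy. The ruleset below is an added illustration, not configuration from the ACSC report or from the energy provider: a three-zone nftables forwarding policy on an edge firewall in which the internet can reach only the published DMZ service, the core network can administer the DMZ, and DMZ hosts can never initiate a connection into the core. Interface names (wan0, dmz0, core0) and the service ports are assumptions for the example.

```nftables
# Added example: minimal three-zone forwarding policy (internet / DMZ / core).
# Interface names and ports are assumptions, not details from the report.
table inet edge {
    chain forward {
        # Default deny between zones; every permitted flow is listed explicitly.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows already allowed below.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published web service, only to the DMZ.
        iifname "wan0" oifname "dmz0" tcp dport { 80, 443 } ct state new accept

        # Core -> DMZ: administration originates from the internal network only.
        iifname "core0" oifname "dmz0" tcp dport { 22, 443 } ct state new accept

        # DMZ -> Core: nothing. An attacker who owns a DMZ host stays in the DMZ,
        # and the attempt is logged so the SOC sees the lateral-movement try.
        iifname "dmz0" oifname "core0" log prefix "dmz-to-core-blocked: " drop

        # DMZ -> Internet: tightly limited egress; logging new outbound HTTPS
        # means a post-exploitation beacon leaves a trace even if it succeeds.
        iifname "dmz0" oifname "wan0" tcp dport 443 ct state new log prefix "dmz-egress: " accept
        iifname "dmz0" oifname "wan0" udp dport 53 ct state new accept
    }
}
```

Check the file with `nft -c -f edge.nft` before loading it, and confirm the live policy with `nft list ruleset`. The point the report makes is the third block: with no DMZ-to-core rule and a default-deny policy, the two exploited servers had nowhere to go, which is why energy operations were never disrupted.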

Attacks on energy providers are a regular annoyance, too.

“In 2021, the corporate ICT network of Queensland Government-owned electricity generator CS Energy–which generates 10 per cent of the electricity for the national electricity market—was targeted by the Conti ransomware group. On 27 November 2021, CS Energy became aware of a ransomware incident affecting its corporate network and immediately severed the external internet connection to its corporate network and initiated business continuity procedures,” ACSC said.

Most cyber reports are essentially marketing for security firms spruiking a solution; this report, the third annual stocktake, is more of an official record of what’s been burgled, bashed or infested. Think of it as a property report, without the real estate spiv hyping it up. It is worth a read.

Threat growth strong, not exponential

Putting the recent major data spill incidents at Optus, Medibank and now potentially Defence to one side (all fell outside the 2021-2022 financial year reporting period), the Threat Report paints a picture in which investment in rugged defence, hygiene and intelligence sharing is finally starting to pay off, but still needs serious attention.

More than 76,000 cybercrime reports were made via ReportCyber, the report said, “an increase of nearly 13 per cent from the previous financial year.”

It’s a nasty figure, but not so nasty that it’s exponential and essentially out of control, like recent non-computer viruses.

But it’s also a fairly respectable performance given that reporting of incidents like data breaches is now mandatory for many organisations, creating a new industry for the hyperventilators and pearl-clutchers from the commercial security solutions and risk advisory industries.

Extortion still paying nicely

For commercial hackers (as opposed to state-sponsored military, black and grey operations posing as commercial hackers, or renting their services and servers), the go-to rainmaker remains ransomware, an industry that has now reached industrial maturity.

One of the reasons the cyber extortion pests keep coming back is because people keep paying them, despite the rather obvious consequences of paying blackmailers.

Insurers are in there too, setting standards and trying to limit payouts on policies by haggling with criminals, a practice the ACSC clearly frowns upon but has not, as far as we’re aware, explicitly called to be banned.

“Victims of ransomware attacks continued to use third-party negotiators to facilitate payment of ransom demands in 2021–22. The level of coverage provided under cyber insurance policies is also a contributing factor in how these incidents are handled and resolved by victims, and whether a business decides to pay the ransom,” the report said.

Rebranding ransomware

Drilling down into ransomware-as-a-service (RaaS), the ACSC said it had “observed the emergence of new and possibly rebranded RaaS operations over 2021–22.”

A rebrand. That’s just so on-brand.

“The availability of RaaS offerings affords cybercriminals a choice about the tools they can use. Ransomware syndicates also continued to professionalise by using third parties to negotiate with victims, assist them in receiving their ransom payments, and arbitrating disputes between actors,” the ACSC said.

“A 2022 study published by the Australian Institute of Criminology found only 19 per cent of ransomware victims sought advice or support from police or the ACSC. However, the study found nearly 60 per cent sought help from at least one formal source outside of their family or friends. The study found 23.2 per cent of small to medium business victims paid the ransom, with many millions of dollars being paid in ransoms and other associated costs.”

Victim states

For reasons no sane federal agency would ever want to explore at the moment, cybercrime stats by state and territory show both Queensland and Victoria as reporting “disproportionately higher rates of cybercrime relative to their populations.”

However, victim impact hits hardest in the Northern Territory (over $40,000 per cybercrime report where a financial loss occurred) and Western Australia (over $29,000). It’s worth remembering these stats include businesses and organisations as well as individuals.

It’s understood that Business Email Compromise (BEC) and other invoicing and payments-related scams play a role in the high dollar values.

Business feels the Goldilocks effect

Between the dire earnestness of large corporates putting their cyber concerns on parade, and small businesses screaming underneath the avalanche of ever-increasing compliance obligations, the tastiest victims for predators turn out to be medium-sized businesses, which is a bit of an eye-opener.

According to the ACSC report, mid-sizers had “the highest average loss per cybercrime report where a financial loss occurred”, possibly because they were “less likely than large organisations to apply cyber security mitigations as outlined in the ACSC’s Strategies to Mitigate Cyber Security Incidents.”

The other possibility is that they “may be more likely to report cybercrime to ReportCyber, as they are less likely than larger organisations to have sufficient in-house or commercial incident response capabilities.”

Either way, they’re getting whacked hard, with small business copping a $39,555 average loss, medium business an $88,407 loss and large business a $62,233 loss.

Sectoral hit list

The health care and social assistance sector reported the highest number of cyber security incidents, according to the ACSC. It has been vastly busier off the back of COVID, although it’s unclear whether there is a direct link.

That said, the ACSC report noted “the retail sector dropped out of the top 10” and was replaced by the electricity, gas, water and waste services sector in terms of getting rumbled.

“The top 10 reporting sectors accounted for approximately 75 per cent of all incidents for the 2021–22 financial year. As such, these sectors are a focus for ACSC partnership and outreach activities.”

Outsourcing crime: Cybercrime-as-a-Service meets Ransomware-as-a-Service

Many public servants may view the prices of the consulting firms as borderline criminal, but in the real criminal world, it’s the consulting and managed services model that’s being applied to hacking and extorting victims.

“The evolution of Cybercrime-as-a-Service (CaaS) continued to increase the overall cybercrime threat to Australia. CaaS encompasses an ever-increasing range of purchasable tools, services and information used to facilitate cybercriminal operations. Examples of CaaS include, but are not limited to, the complicit provision of server infrastructure used to host cybercriminal campaigns, the sale of access to compromised victim networks, money laundering services, and the development and obfuscation of malware.

“The availability of these enabling functions means that individual actors are not required to be an expert in every component of a criminal operation. In effect, cybercriminals are outsourcing elements of their operations, and a growing black market is serving their needs.”

Well, why not? Everyone else charges by the hour.

Up the creek, Maroochydore style

“Over 2021–22, there were further examples of ransomware groups targeting critical infrastructure. For instance, the BlackCat ransomware group targeted government and critical infrastructure organisations, as well as the finance and construction sectors globally,” the report said.

“The threat to critical infrastructure is not limited to large utilities such as electricity providers. For example, local governments can be an attractive target, as some councils have responsibility for essential services such as water and sewage.”

Local governments are, as a matter of record, where Australia’s first critical infrastructure hack happened more than twenty years ago, when Maroochy Shire’s sewage system was treated to the ire of a disgruntled ex-employee of the contractor that had installed its control system, who used radio access to the SCADA network to release raw sewage from pumping stations into local waterways.

As they say in police media, ‘shit happens, death and degree varies’.