
Samira Sarraf
Regional Editor for Australia and New Zealand

Why cyberattacks against Australian organisations are increasing

Feature
26 Jun 2023
Cyberattacks

Whether it is due to API risks or the value of stolen Australian personally identifiable information, cyberattacks have become more frequent and bigger.


A surge of large-scale data breaches has affected Australia particularly in the last 12 months. These attacks disrupted critical infrastructure services and governments at a scale that affected a large portion, if not most, of the population. The cost of rebuilding systems, investigating the causes of the incident, reissuing documents, and possible fines for Australian organizations has been significant. Optus, for example, has put at least $140 million towards such expenses, according to its half-year financial results published in November 2022.

More recently, several entities have surfaced as victims of the vulnerability found in MOVEit Transfer. These included the Office of the Australian Information Commissioner, the very body to which Australian organisations must report cyber breaches.

The profitability of PII and the risks in APIs

As one of the largest economies in Asia Pacific, Australia has become a high-priority target for attacks. Personally identifiable information (PII) is one of the targets for cybercriminals due to its high value. "Personally identifiable information in Australia is very important, and when you have PII that means that your chances to get paid nowadays in Australia...some actors may find them better than they used to be before," Guy Segal, VP security services for APAC at Sygnia, tells CSO.

Having PII in hand enables cybercriminals to perform other crimes. "With more Australians conducting their shopping and banking online, cybercriminals are also stealing PII of Australians, which enables them to commit any number of crimes, such as opening a credit card or bank accounts and applying for loans," explains Dean Houari, director of security technology and strategy for APJ at Akamai Technologies.

It isn't just PII that is leaked. Compromised credentials were the second-most frequent attack vector, used in 24% of attacks in 2022, according to a Sophos study of 200 IT professionals in mid-sized organisations in Australia. Although the same report found that ransomware attacks in Australia decreased from 80% in 2021 to 70% in 2022, the latter figure was still 4% higher than the global average.

Most attacks are still phishing attacks, Gartner analyst Richard Addiscott explains. These are used to either drop malware or gather credentials. "We're also seeing far more focused attacks on identity infrastructure itself, where the vast majority of investment over the last few years, and it hasn't been small, has been on the authentication practises of our end users rather than protecting the actual infrastructure that these identity systems sit on. So, these are a lot more fragile than we might expect."

Stolen credentials were the means used by attackers in at least two of the three major attacks in Australia: Medibank and Latitude Financial.

Another risk lies in unprotected APIs. A report by Akamai found that the financial services industry is a popular target for a wide range of cyberattacks, with application and API attacks against the vertical more than tripling in 2022. "APIs are used in over 80% of web applications and Australia is one of the leading countries in its use of APIs by business organisations to conduct business online, in particular in the online retail and banking sectors," Houari says. Despite the many benefits APIs offer, he warns there are also many risks, such as the lack of default authentication, the challenge of keeping up with supply chain vulnerabilities, and the sheer number of APIs being exposed by development teams.

"The leading type of vector attacks in the past two years were remote code execution (RCE) and remote file inclusion (RFI). This indicates the shift to infiltration-type attacks by exploiting API vulnerabilities as a first stage to conduct data breaches and ransomware attacks. These attacks have incurred a significant financial and reputational loss on Australian businesses, with ransomware becoming the most lucrative type of cyber-attack," Houari says.

Attackers' motivations and how they operate

Espionage, ransomware, and attacks on critical infrastructure presented significant threats to Australian organisations in 2022, with attackers seeking information, money, and disruption, according to a PwC report. Houari confirms this, telling CSO that Australian businesses are increasingly under attack by mostly financially motivated, organised cybercriminal gangs. "These attackers are pervasive and persistent and will keep targeting businesses until they find a vulnerability or obtain credentials to infiltrate these internal networks."

When money is the goal, attackers will do broad sweeps of the internet looking for holes into particular organisations, Gartner's Addiscott says. Smaller businesses won't have huge amounts of PII and therefore not be as attractive. "But as soon as they [attackers] see something with an organisation the size of Medibank, Optus, and obviously Latitude with a significant footprint in personal data, that will be a high value target for them once they identify vulnerabilities in those systems." This means that the recent major attacks were likely a combination of targeted and opportunity attacks.

Most attacks these days seem to originate from Russia, South America, and China, says Segal, who predicts that, since Australia is a strong ally of the US and UK, it is likely to become more targeted by "superpower attacks."

Many hackers are operating as tech start-ups with the backing of nation-states in some instances, says Houari. "Oftentimes, these hackers do not use sophisticated tools as they know that high-profile businesses will use tools designed to detect known attacks. Sometimes, the risk comes when businesses are exposed in areas that are not considered as a high-priority attack surface, such as server patching, phishing, API security, or internal network security."

Ransomware attacks are multi-staged. First, hackers infiltrate systems by obtaining valid credentials or exploiting known vulnerabilities. This is followed by reconnaissance, where hackers move laterally within the network to identify key targets and obtain higher-level credentials. "Once that is done, then the actual data breach and ransomware attacks will unfold in minutes, leaving the business crippled and at the mercy of attackers' demands," says Houari.

How Australian regulations affect businesses' cyber efforts

Regulations in Australia are more suitable for the changes within the threat landscape, says Segal. Some CISOs are completely focused on the improvement of the cyber posture of the organisation, while others, instead of dealing with improving their security posture, are dealing with reports and compliance.

"Compliance doesn’t prevent, compliance doesn’t detect, and compliance will never assist you in recovering and response," he says. "Yes, you need to be compliant. You need to deal with the relevant regulations, but you should always look on how you can still improve your security posture and be better prepared to prevent, detect and respond."

One of the issues is how state governments all operate under different frameworks and, as previously reported, following cybersecurity guidance is not even mandatory for NSW councils, for example. "If you’re an organisation who operates across jurisdictional boundaries across this country, and you’re subject to those particular regulations, then it can be a challenge. Absolutely," Addiscott says. He also believes that for most organisations their first and primary motivator for any cybersecurity program is achieving their minimum compliance posture.

Being compliant with regulations is not a guarantee that an organisation won't be breached. Whether existing regulations are helping or hindering cyber defences in Australia, Addiscott says they aren't necessarily hindering, "but I don’t think they’re necessarily helping either."


With years of experience covering technology and business across the IT channel, Samira Sarraf manages the enterprise IT content for, and writes for, the CIO.com, CSO Online, and Computerworld editions in Australia and New Zealand. She is now an editor with CSO Online global.
