No charges laid for cyber attacks
Dan Tehan: Despite identifying large numbers of serious attacks, prosecutions are difficult
Australia’s cyber spooks say they responded to more than 600 “serious incidents” in the last year, and yet no charges and no prosecutions have been made as a result of any of these cyber attacks.
The Australian Cyber Security Centre’s 2017 Threat Report identified more than 47,000 cyber security incidents in 2016-17, with over half of these being online scams or fraud.
Cyber criminals hacked into an Australian government defence contractor last year and stole a “significant” amount of data.
The report revealed that an Australian small business, which is a national security contractor to the government, had its systems compromised and data stolen in a cyber attack last year.
The attacker had access to the undisclosed company’s IT network for an “extended” period of time and took a “large amount of data”, and was still in the network when the Australian Signals Directorate was notified and took action last November.
Minister assisting the Prime Minister on Cyber Security Dan Tehan said the ASD worked closely with the business to fight off the attacker and implement stronger defences. He said it was unclear who carried out the attack, and couldn’t rule out that it was a State-based actor.
“It could have been a state actor, it could have been cyber criminals, and that’s why it was taken so seriously,” Mr Tehan said.
“We’re not 100 percent sure, and that’s one of the difficulties in this area. That small business has put in place proper cyber security protections that it will hopefully prevent such an incident happening again.”
The hacker gained access to the contractor’s network by “exploiting an internet-facing server”. using administrator credentials to “move laterally” in the network, Mr Tehan said, and then established access to other private networks once they were inside.
The company has not been revealed, with Mr Tehan saying it is up to them to come forward if they wish.
The attack is one of 734 cyber incidents affecting the private sector systems of national interest and critical infrastructure providers identified by the ACSC in its report, which Mr Tehan said in the speech on Tuesday at the National Press Club.
“The [report] is important because it gives us a clear understanding of the state of the cyber risks to our nation and to our local communities. It allows us to see what we are doing right, what needs to be addressed and the priorities we need to immediately focus on,” Mr Tehan said.
Despite the huge number of attacks, he admitted that no arrests or prosecutions had resulted from any of the cyber attacks identified, saying it was “incredibly difficult” when most originated from overseas jurisdictions.
“We are pursuing some of those who have been involved with this activity and we’re working with other governments to try to bring those culprits to be prosecuted where we can.
“But this process takes time, it’s not one where I can stand here and readily say we’ve had success.
“It is so difficult to trace who is responsible and then to get the relevant authorities to prosecute them. A lot of this activity is being generated by countries that we don’t have close law enforcement networks with,” Mr Tehan said.
The report found more than 7000 major Australian businesses were hit with cyber security incidents
Mr Tehan said “business is booming” for cyber criminals, and there is a “growing sophistication” with these kinds of attacks, one of which costed a large Australian company $US500,000.
“It is clear that the malicious actors looking to target major systems and critical infrastructure are increasing the sophistication of their vectors,” he said.
“But they are not alone. Like nation states, cyber criminals are using more complex methods to target businesses, large and small. In particular, they are using increasingly personalised techniques to trick their victims,” he said.
“We are concerned and that’s why we release the threat report each year, because we want to be fully transparent about what is occurring.
“The key message is that all of us have a role to play when it comes to keeping us safe online, whether that be government, business or mums and dads or community organisations.”
The report identified 47,000 cyber security incidents in 2016-17, an increase of 15 per cent from the previous year. Of these, more than 7000 affected major Australian businesses, and 671 warranted a response from the ASD, down from 1095 in the previous year.
Mr Tehan dubbed it the “year of global ransomware” which saw phishing emails specifically costing Australian companies more than $20 million, an increase of 230 per cent from 2015-16, through “exploiting known vulnerabilities”.
“Small businesses in particular were targeted by theme phishing emails, which use common payment arrangements to steal money. They are using increasingly personalised techniques to trick their victims,” Mr Tehan said.
“They will then create a fake invoice that looks exactly like the original and change one thing: the bank account details. The small business pays the invoice thinking it is going to the stationary supplier, for example.”
“No one is any the wiser until the stationary company calls chasing its unpaid invoice.”
The report does not detail how many of the cyberattacks on Australia came from state-based actors.
“We don’t go into that level of detail, but...cyber espionage is alive and well. There are state actors out there who are using malicious activity to try and get access to state secrets or other types of information,” Mr Tehan said.
“We’re aware of that. We’re cognisant of it and we are doing everything we can to make sure that we are protecting our systems.”