Australian companies kicking security own-goals as military data theft highlights escalating cyber risk

Spearphishing most frequent breach of government agencies but BEC fraud, compromised systems dominate private-sector cases

Revelations that 30GB of sensitive Australian military data were exfiltrated from a subcontractor have underscored the risk faced by Australian companies that continue to leave themselves exposed by failing to employ “established and relatively straightforward cyber security measures”, the federal government’s peak cybersecurity body has warned as new data points confirm that local businesses are seeing increasing losses to cyber-attackers.

Despite rising awareness, business email compromise (BEC) alone took $20m last year and vulnerabilities were threatening every level of Australia’s business and IT service-provider communities – a number of which had been hit with compromises that gave attackers access to their systems and those of the companies they serviced.


“Some Australian service providers have been compromised, and through them, so have some of their customers,” the Australian Cyber Security Centre (ACSC) warned in its newly released ACSC Threat Report 2017.

“Extensive state-sponsored activity” had been detected targeting Australian government and private-sector networks, the report said. And while government cyber security minister Dan Tehan said state-sponsored actors were being considered as culprits in the theft of detailed schematics of vehicles including the F-35 Joint Strike Fighter, P-8 Poseidon and C-130 transport plane, it was still unclear who was responsible.

Self-reported figures about Australian private-sector breaches suggested that compromised systems were the core attack in 56 percent of reported cases – well ahead of malicious emails fingered in 22 percent of cases. Data exposure, theft or leaks were blamed in 5 percent of incidents, as were denial of service (DoS) attacks.

The dominance of system compromise was made worse by the fact that “too many of the incidents the ACSC responds to could have been prevented,” ACSC coordinator Clive Lines wrote in introducing the report.

The trend was “a clear wake-up call for everyone to be conscious of contemporary cyber security risks and best practice mitigations,” the report noted. “As tradecraft and threats adapt and evolve, adversaries will act faster to exploit new vulnerabilities and develop more innovative approaches.”

Not that they would necessarily need to do so: Internet of Things (IoT) security was called out as introducing “significant security risks”, while “simple and cheap” opportunistic targeting of poor-security online systems was continuing to drive compromises that were leaking data.

Government protections working

Self-reported government statistics painted a different picture, suggesting government agencies had fallen into line with mandates that they comply with the ASD Top 4 guidelines: the predominant compromise among government agencies was human-facilitated – spearphishing, blamed in 47 percent of cases – followed by Web-server compromise (13 percent), stolen credentials (12 percent), data breaches (10 percent), enabling infrastructure (9 percent) and DoS attacks (9 percent).

Ransomware had emerged as a key threat that ACSC deals with, with Cryptolocker, Torrentlocker and Cryptowall the most frequently observed in 2016 and 2017 and the problem exacerbated by easily accessed ransomware-as-a-service (RaaS) offerings, but credential-harvesting malware was threatening Australia’s financial sector and “will likely increase on smartphones”, the report warned.


Social engineering had also remained a significant threat, with reported losses to BEC attacks surging from $8m the year before, to over $20m in the last year. This echoed a recent report from the Australian Criminal Intelligence Commission as well as warnings from the US FBI that BEC losses in the US alone had grown by 1300 percent to total more than $US3 billion ($A3.77b).

One incident the ACSC handled saw a cybercriminal pose as the CEO and COO of a “large business” to convince the financial controller to send more than $US500,000 ($A628,500) to overseas accounts as two fraudulent payments. The transfer was effected while the CEO was travelling, with the instigator creating a false email trail that purportedly included approval of the request for payment.

Companies that serve as outsourcers to their customers were singled out as being “highly attractive” to cybercriminals because they are often well-trusted and granted “extensive access” to internal systems that can be used to slipstream into the victim’s network. One multinational construction services company was hit with such an attack, with an account associated with a managed service provider (MSP) exploited to install malware on the target network.

“When you enable other organisations access to your network, your network is exposed to their security posture,” the ACSC report warns. “You are effectively increasing your own risk. And when you don’t know the risks associated with a connected network, it is much more difficult to mitigate them.”

ACSC had been increasingly engaging with private-sector companies to manage and remediate breaches, with one incident seeing ACSC and CERT Australia providing “technical guidance” to 144 partner companies that could have been impacted after one Australian breach of an MSP.

The ACSC has been steadily shifting to a more proactive footing, and will next year adapt operational response, stakeholder engagement and technical capabilities including its 24/7 response capability and a whole-of-economy focus. The organisation will soon start moving to a purpose-built facility, spread across two buildings in Canberra’s Brindabella Park, that will allow it to operate at “multiple security classification levels” that the organisation said would reflect the government’s long-stated goal “to build meaningful and effective cyber security partnerships with the private sector.”

