Australia suffered its worst ever wave of breaches
Australia was hit by a brutal onslaught of breaches in 2022 that exposed the personal data of millions and put the nation’s cybersecurity in the spotlight.
Telecom giant Optus revealed in September that the data of ten million customers, including names, contact details and passport numbers, had been exposed. A few weeks later, health insurer Medibank confirmed that it too had been breached, with information including Medicare numbers and details of treatment stolen from 9.7 million people and later published online.
These hacks were the tip of an ominous iceberg, as organisations including MyDeal, TPG Telecom and Vinomofo suffered serious cyber incidents. Criminals exploited a range of weaknesses, including compromised credentials, a misconfigured API, slow patching and unsecured test data. Reports of scams rocketed after the incidents, and while several arrests have been made, the damage – to personal data, public confidence and share prices – has been significant. The breaches are a reminder that hacks can hit any company, large or small. You can never reduce the risk to zero, but by managing your attack surface you can make yourself a far harder target.
The government hits back with tighter regulation
The Australian government responded to the breaches with strong words – Minister for Home Affairs Clare O’Neil declared agencies would “hunt down the scumbags” – and introduced a raft of new measures, including a new taskforce and larger breach fines.
Some of these changes were planned before the latest wave of incidents, with April changes to the Critical Infrastructure Act making the reporting of major incidents mandatory for more sectors, including utilities, financial services, health care and education. But, with a new government in office and attacks on key infrastructure growing – EnergyAustralia, the University of Western Australia, the National Disability Insurance Scheme and the national census all announced incidents – further measures were always likely.
Under the old Privacy Act, companies that suffered “serious or repeated” breaches could be fined $2.22 million. Changes to the law in November mean fines can now reach $50 million, three times the value of any benefit obtained, or 30 percent of adjusted turnover for the financial year, whichever figure is higher. Other changes will facilitate data sharing between banks and telecom companies. O’Neil wants to make Australia “the world’s most cyber-secure country by 2030” via public engagement, closer international ties, stronger critical infrastructure and a taskforce that can strike back at cyber threats. The strategy will be thrashed out in 2023: watch this space.
Cyberwar focuses on Ukraine, but its tentacles reach around the world
Russia invaded Ukraine in February 2022, but it has been launching cyberattacks on the country for a decade. As the conflict intensified, so did cyber warfare, with Australia and New Zealand both hit by state-linked groups.
In the weeks after the invasion, cyberattacks on Ukraine tripled. The electrical grid was hit and Ukrainian officials’ phones were hacked. Ukraine enlisted a “hacktivist” army, although its influence appears to have been limited, while hackers from Russia’s GRU agency shifted their aim from phishing attacks to edge devices such as firewalls and email servers to gather intelligence and cause disruption. The conflict quickly spread, with Microsoft reporting that 42 allies of Ukraine had been affected by Russian cyber espionage.
State-linked actors were not solely associated with Russia: in June, researchers revealed that the Chinese group Aoqin Dragon had been spying on Australia for a decade, while the Australian Cyber Security Centre underlined that "regional dynamics in the Indo-Pacific are increasing the risk of crisis and cyber operations are likely to be used by states." Several Australian breaches, including the Medibank hack, have been associated with state-linked groups, while New Zealand MPs have been advised not to use TikTok in parliament after fears the Chinese government could access their data. Some attacks may be targeted, but many more are indiscriminate: all organisations should be on their guard.
Crypto bloodied as government plans regulation
Cryptocurrencies were stung by a series of reverses in 2022. Over one million Australians own crypto, and the currencies are central to ransomware and dark web transactions.
Since the glory days of 2021, the news for cryptocurrencies has been decidedly mixed. In January, a bypass of Multi-Factor Authentication (MFA) saw $35 million stolen from the crypto.com exchange. Several so-called “stablecoins” lost their peg to real-world currencies such as the US dollar. Then, in November, crypto exchange FTX collapsed, leaving 30,000 people out of pocket in Australia alone, amid news that it had not been properly assessed by the Australian Securities and Investments Commission.
With the European Central Bank claiming Bitcoin is on an “artificially induced last gasp before the road to irrelevance”, what does 2023 hold for cryptocurrencies? More scrutiny is certain, with a joint US-Australian operation arresting the gang behind a $100 million crypto and foreign exchange scam, and the Australian government cataloguing digital currency use – it claims to be the first nation in the world to do so – and eyeing further regulation. If it’s done right, better protection and regulation of crypto looks like good news for investors and CISOs – and bad news for the criminals.
Ransomware deadlier than ever, high-profile busts show the gangs can be beaten
Leaks and arrests showed that the big ransomware gangs aren’t invulnerable, but as breach follows breach, they remain as deadly as ever.
"Ransomware remains the most destructive cybercrime," concluded the ACSC in its annual report. It may be less common than phishing or Business Email Compromise (BEC), but ransomware’s financial impact can be huge. Attacks this year include the Medibank breach, which cost the firm at least $30 million and caused its share price to plummet. Other high-profile incidents affected Australian Clinical Labs, an Australian Defence platform and New Zealand’s Mercury IT.
But it wasn’t all bad news. In March, 60,000 leaked internal messages from the Russian Conti gang revealed recruitment problems and grumbles about pay, in the clearest glimpse yet into the workings of a ransomware gang. There were high-profile arrests too, with key members of the REvil group arrested and charged in February. And new plans may hit the gangs where it hurts, with the Australian government considering a ban on ransom payments and calls for global action on information sharing and crypto regulation growing. After the gloomy news of this year’s breaches, anything that puts the gangs on the back foot will be welcomed.