This appeared a few days ago:
Low cost, high reward: The hackers holding Australia to ransom
By David Swan and Colin Kruger
January 6, 2024 — 5.00am
If the skull and crossbones wasn’t already threatening enough, the accompanying message made the situation clear.
“If you see this text, then your files are no longer accessible, because they have been encrypted” was the text that greeted workers when they switched on their computers at Cadbury’s factory in Hobart. “Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
The Petya ransomware attack in June 2017 halted chocolate bar production in Hobart and ultimately cost Cadbury’s parent company, Mondelez International, an estimated $140 million in lost revenue. It was also among the first of what has become an avalanche of ransomware attacks to hit Australian businesses, which industry insiders say are chronically underprepared to deal with such incidents.
St Vincent’s Health and Court Services Victoria recently joined the fast-growing list of high-profile organisations scrambling to respond to debilitating cyber incidents, which have by now impacted almost every Australian.
The attacks are not an outlier but are instead a “new normal”, according to cyber professionals, who say a cultural shift is needed more than any new suite of technical defences. They say Australia was never a primary target for cybercriminals until recently, and they hope the recent spate of attacks will serve as a belated wake-up call after years of a lack of interest and underinvestment.
Jamieson O’Reilly is the founder of cybersecurity firm Dvuln, which Australian companies and government agencies pay to find IT vulnerabilities. “Security in Australia is by and large still considered a grudge purchase,” O’Reilly says. “We need a cultural shift.”
A 17-year-old can pay less than $100 to gain access to an infected computer belonging to an employee of a billion-dollar company, according to O’Reilly, and the balance of power now rests squarely with the hackers.
While the idea of a teenage “script kiddie” – a novice hacker using unsophisticated tools – might seem like the stuff of a bad 1990s movie, the threat to some of Australia’s biggest businesses is very real.
“Optusdata”, the anonymous hacker who in late 2022 made off with the personal data of more than 10 million Optus customers before backing down from a $1.5 million ransom threat, was described as “unprofessional” and “stupid” by their hacker peers on the dark web.
The Optus mass data breach occurred through an unprotected and publicly exposed end point, meaning anyone who discovered it could connect to it without submitting a username or password. The attack was far from sophisticated, according to O’Reilly and other experts.
“For attackers, especially those utilising low-cost, high-reward strategies, the investment is minimal compared to the potential pay-off, which can range from financial gain to significant data breaches – or even reputational damage to the targeted organisation,” O’Reilly says.
According to the Australian Signals Directorate, an intelligence agency, more than 127,000 hacks against Australian servers were recorded between the 2022 and 2023 financial years. This marked an increase of more than 300 per cent over the prior year – and O’Reilly says that matches what he’s seeing on the ground.
In the shadows
O’Reilly spends much of his time monitoring the dark web, which ransomware groups use to leak data and boast about their bounties. He regularly reports his findings to the Australian Signals Directorate.
The dark web is a shadowy part of the internet accessible only through special software, allowing users to remain anonymous. It is commonly used for illegal activities such as buying and selling drugs and weapons, as well as stolen credentials.
The group suspected to be behind the 2022 Medibank data breach, Russian cybercriminal gang REvil, posted customer names, birthdates and Medicare details under “good” and “naughty” lists on its dark web site named Happy Blog. The leaked data included patients who had undergone treatment for drug addictions and terminated non-viable pregnancies.
“I recommend to sell Medibank stocks,” the group said in the post, along with a quote from Confucius: “A man who committed a mistake and doesn’t correct it is committing another mistake.”
A person claiming to be the Medibank hacker told this masthead in broken English via email during the incident that they would not have leaked the stolen data had the company paid up. Medibank publicly ruled out paying the hackers the $US9.7 million ($14.5 million) they demanded, and the federal government had also advised against payment.
The government is currently weighing a total ban of ransomware payments, though company directors say the payments may be justified to avoid catastrophic outcomes.
“We do business in our way, and we never targeted any particular people for that – only companies,” the purported hacker said via email.
“We ask a similar price, as on blackmarket for that detailed data about Medi customers. And where Medi refuses to pay – we should earn some money, to cover our efforts. Talking that way, Medibank in fact forces us, to sphread [sic] customers data.”
With attacks surging, the federal government is under increasing pressure to help organisations defend themselves. Cybersecurity Minister Clare O’Neil described financially motivated hackers and extortionists as “public enemy No.1” when she launched the government’s new cyber strategy late last year.
O’Neil said Australia faced the most challenging circumstances since the Second World War, and that cybersecurity would be integral to how the events of the coming decade played out.
‘A good start’
The federal government’s “six shield” strategy includes $291 million in support for small and medium-sized businesses, including the creation of a cyber health-check program offering free and tailored cybersecurity assessments to business owners. It has a stated goal of making Australia the world’s safest cyber nation by 2030.
Many cybersecurity professionals aren’t convinced that’s possible but acknowledge it’s a goal worth pursuing.
“What Clare O’Neil and the current government have been doing is a good start, but it’s been attempted before, and we need to ensure it survives future political changes. Cybersecurity is no longer a nice to have; it’s a fundamental component of everything we do,” O’Reilly says.
He says Australia needs to find a way to ensure cybersecurity strategies are consistent across jurisdictions and are not beholden to the government of the day.
“One thing we can learn from our so-called ‘adversaries’, the people hacking us, is that consistency is key.”
In late 2022, in response to the Optus and Medibank breaches, the parliament passed legislation that can result in businesses being fined $50 million for repeated or serious data breaches.
Tony Burnside, head of Asia Pacific at cybersecurity giant Netskope, says we should be encouraged that Australia has a hands-on and proactive government when it comes to cybersecurity.
“The new cybersecurity strategy, which I think we can say has been well received overall, focuses on the right issues that need to be addressed now, and will act as a good framework for new legislation that will help Australian organisations and individuals be more secure,” he says.
“Our global alliances, especially in the context of AUKUS, also equip us with solid offensive and defensive state cybersecurity capabilities.
“Some organisations and parts of the population are still fairly vulnerable compared to other countries, though... We weren’t exactly a primary target for cybercriminals until recently, and this has created some complacency and a feeling that major cyberattacks wouldn’t occur here.
“In the past 18 months there has been a wake-up call.”
Bolstering the defences
Netskope’s most-recent threat report found the majority of cyber threats targeting Australian organisations were criminally motivated, with only 12 per cent of attacks having a geopolitical motivation. Both the Medibank and Optus hackers demanded millions in ransom payments.
At Medibank’s shareholder meeting in November, chairman Mike Wilkins emphasised that the private health insurer had ramped up its security.
“The board has been overseeing a group-wide program of work that aims to continue uplifting and embedding the technology, processes and security culture within Medibank to support our customer promise of being a trusted health partner,” he said.
Port operator DP World, another recent hacking victim, is improving its security as well.
“We undertook a thorough review of our security controls with the assistance of third-party cyber expertise,” a spokesman says.
“In order to reduce the likelihood of similar incidents occurring, we are working through a cyber remediation plan to implement additional controls, limit access to external applications to certain addresses and countries only, and implement additional end-point and network detection and response capabilities.”
CBA chief Matt Comyn said the bank was “conscious of and spend a lot of time, effort and resources on issues such as cybersecurity given the risks presented by such threats nationally and globally”.
“We’ve already seen a number of examples of how damaging a breach of cybersecurity can be and that is a warning to us all to take the necessary and vitally important steps to protect ourselves from these increasing attacks,” Comyn said.
But some of Australia’s biggest companies, such as IAG, the insurance group behind brands like NRMA Insurance, CGU and SGIO, are not waiting for hackers to come knocking.
“We take cyber and data risk very seriously and we continue to invest heavily in this area,” says IAG’s chief risk officer, Peter Taylor.
“We are also an active participant in broader industry and government initiatives to enhance cyber resilience more generally.”
Cybersecurity provider CyberCX is working with St Vincent’s Health to remediate and respond to its recent cyberattack. It’s still unclear whether any sensitive health data was stolen in that attack, which people close to the investigation say was likely financially motivated. The company is also working with the Australian Open to safeguard the coming tournament.
All organisations at risk
The Medibank and St Vincent’s Health data breaches were facilitated through compromised staff accounts, according to investigators. Hackers typically compromise accounts through social engineering or phishing attacks – emails that seem legitimate and encourage users to enter their login information.
All Australian organisations are at risk, according to CyberCX’s financial services and insurance industry director, Shameela Gonzalez.
“More than green text on a black screen, executives are anxious about the 2am phone call, or the contact from a customer instead of catching it themselves,” Gonzalez says.
“It’s the combined challenge of scrambling to understand what has happened, re-securing systems without inflicting more damage, and communicating effectively in a matter of hours … It’s a tough ask, even before you consider that someone out there is working just as hard to do you harm.
“Simply buying more tools and more technology isn’t the answer here.”
Gonzalez agrees with O’Reilly that one clear answer when it comes to cybersecurity is a cultural one.
“Organisations that weather and thrive following a cyber incident have a strong culture of resilience, have invested in securing their networks and systems to do what they can to prevent a breach, and have prepared as best they can for an attack in this ‘when’, not ‘if’ environment.”
Another answer may be for businesses to simply collect less data on their consumers. In November, the government flagged a review of mandatory data legislation, passed in 2015, which requires telecommunication companies to hold customer information including names, call records and other data for two years.
Attacks to intensify
Ashwin Ram, cybersecurity evangelist at Check Point Software, says an organisation in Australia has been attacked on average nearly 700 times a week over the past six months.
He says it’s a mistake, however, to read the recent headlines about the St Vincent’s Health and Court Services Victoria hacks and assume that they are the work of a criminal mastermind. “There’s nothing sophisticated about these cyberattacks,” Ram says.
“These recent ones appear to be financially motivated, and cybercriminals are extorting as much as possible from their victims. Many attacks begin with some form of social engineering, such as the one against Court Services Victoria, where email was the delivery mechanism for initial access.
“The most common attack vectors include phishing, cloud misconfiguration, software vulnerabilities, and compromised credentials, as was the case in the St Vincent’s Health breach.”
For Ram, it’s not the regularity of the attacks that is most worrying. It’s that cybercriminals also now have access to generative AI tools, allowing them to create highly effective phishing campaigns that are nearly impossible to detect.
Ram and other cyber experts are predicting a further surge in cyberattacks over the next year given the rise in AI tools such as ChatGPT.
“Over the next year, cybercriminals will increasingly leverage generative AI to develop new tools for cyberattacks,” he says. “This trend will also lower the barrier to entry, enabling less technically proficient individuals to engage in malicious activities, as advanced skills are no longer a prerequisite for creating attack tools.”
More here:
https://www.smh.com.au/technology/low-cost-high-reward-the-hackers-holding-australia-to-ransom-20240105-p5evcg.html
It is a rather sad state of affairs that so early in the year we have to be reminded of the evil-doers out there and how we are really continuing to lose the war!
Each year the stakes are just that much higher and it really seems that we have reached some form of truce in the cyber war with the harm done being bad but not bad enough to provoke a really successful and sustained response!
I wonder will this be the year where AI and intelligent agents of some sort just clean up behind us and harm is reduced to an insignificant level permanently. I am sure such an outcome is in our futures. If not this year, some time soon!
David.