Over the past year, Australia has been the target of numerous successful cyber-attacks. These attacks have affected a significant percentage of the country’s population of 24 million people -- with some individuals affected in multiple breaches. According to the Australian Cyber Security Centre’s Annual Cyber Threat Report 2021-2022, there were a staggering 76,000 cybercrime reports from July 2021 to June 2022 -- a 13% increase from the previous financial year.
In September 2022, Australian telecommunications giant Optus was hit in one of the largest data breaches in Australian history. The Optus attack constituted the first incident in a series of devastating, large-scale cyber attacks that exposed significant flaws in Australia’s national cyber resilience.
On Sept. 23, 2022, Optus released a statement on its website and social media confirming a “significant” cyberattack against their systems. Personally Identifiable Information attributed to approximately 10 million current and former Optus customers -- around 40% of Australia's population -- was compromised, including names, birth dates, home addresses, phone numbers, emails, passport numbers and driving license numbers.
The breach sent shockwaves through the nation, and the circumstances surrounding it quickly became a subject of debate. A company insider claimed human error had accidently exposed their application programming interface (API) on a test network, providing the entry point that caused the attack. Optus rejected this claim, asserting that a highly complex and sophisticated attack had occurred, where the attacker used advanced techniques to scrape a portion of the company’s consumer database, leaving open questions about the motives and depth of the breach. On Oct. 6, the Australian federal government announced the implementation of an emergency regulation that would allow Optus to share customer information to banks and government agencies to detect and prevent identity fraud in the aftermath of the attack.
With headlines surrounding the Optus attack still dominating the Australian news cycle, days later, on Oct. 13, another public statement regarding a second potential cyber attack shocked the nation once again. Medibank, Australia’s largest private health insurance provider, alerted the Australian Securities Exchange (ASX) that it had detected “unusual activity” on its networks, emphasizing that there was no evidence that sensitive data, including customer information, had been compromised. Medibank retracted this claim one week later, confirming that customer data had indeed been compromised in the attack.
On Oct. 26, Medibank revealed the scope of the customer data compromised, admitting that hackers had full access to three primary customer data categories -- AHM customer data, international customer data and Medibank customer data. On Nov. 7, Medibank announced that 9.7 million customers were likely to be affected. Customers were informed that Medibank would not be paying the USD$10 million ransom payment, despite the hackers’ threats to publish the stolen data on the dark web. The investigations that followed the breach revealed that Medibank’s systems had been accessed as a result of a compromised login credential (user and password) used by an unnamed third-party IT services provider.
In March of this year, malicious actors once again leveraged compromised credentials from a third-party vendor to breach the systems of Latitude, an Australian financial services provider. Data from 14 million customers in Australia and New Zealand was stolen. Again, this data included names, addresses, emails, phone numbers, birth dates, driver’s license numbers and passport numbers. Some dated back to 2005, drawing scrutiny over why the company kept customer records beyond the required seven years. The company is now under investigation to determine if it took sufficient measures to prevent the attack, and there is a class-action lawsuit against Latitude for its failure to protect customer data.
The Latitude breach was swiftly followed by another attack. This time, HWL Ebsworth was the victim. In April, Russian-linked ransomware gang Alphv attacked the major Australian law firm, publishing 1.1 terabytes of the 3.5 terabytes stolen from HWL Ebsworth’s systems on its dedicated dark web leak site. At least four Australian banks were implicated by the breach -- with Westpac, NAB, the Commonwealth Bank and ANZ among the many public and private sector entities that may have had data stolen. Further, an estimated 60 departments or government agencies have used HWL Ebsworth’s services, including the Defence Department, Home Affairs, the Australian federal police, prime minister and cabinet, Services Australia and the Fair Work ombudsman.
Many other attacks have made the headlines, targeting schools and universities, hospitals and healthcare providers, government entities (including the Tasmanian government) and more. This series of large-scale attacks has led to sharp criticism of Australian government officials for their lack of cohesive cybersecurity policy. As a result, Australian Cyber Security Minister Clare O’Neil made public admissions that Australia had been in “a cyber slumber,” falling at least five years behind other developed nations regarding cybersecurity and data privacy. O’Neil, who is overseeing the overhaul of the national cybersecurity strategy, said the high-profile Optus, Medibank, Latitude and HWL data breaches are only the “tip of the iceberg” of the cyber threats facing Australia. She has invited Australians to join the “whole-of-nation effort” to bolster the country’s cyber resilience.
Potential Causes of Concern
Several factors have been cited as contributing to Australia's relative cyber unreadiness compared with other countries.
- Lack of appropriate regulations and mandatory cybersecurity standards for companies holding large amounts of personal data. Unlike Europe, Australia has no overarching data protection or privacy laws with strict security and breach response requirements. The existing regulations set minimum standards that companies can meet without necessarily achieving strong security. This allows some organizations to underinvest in their cybersecurity programs and infrastructure. There are also no cybersecurity licensing requirements or mandatory external assessments of controls to encourage best practice. Furthermore, the enforcement of existing frameworks, such as the Notifiable Data Breaches (NDB) scheme, is perceived as lax, with few consequences for noncompliance, while critical infrastructure operators face limited oversight and have discretion over how they meet security obligations. Experts argue that prescriptive security-focused laws, properly enforced through auditing and penalties, are urgently needed to lift industry standards across the board in Australia.
- Underinvestment in cyber defenses. Budgets allocated to cybersecurity programs by both government agencies and private organizations have fallen short of what experts recommend based on evolving threats and expanding attack surfaces. This underfunding has resulted in insufficient resources dedicated to basic but critical defensive controls like encryption, multi-factor authentication, regular security testing, patching and logging/monitoring. Australia has struggled to meet its own cybersecurity strategy target of investing 2% of GDP in cyber defenses due to inadequate budget appropriations over time. This target itself is also considered insufficient, as comparable nations spend significantly more. This wide-scale underinvestment has created shortages in defensive capabilities that are ripe for adversarial exploitation.
- Shortage of cybersecurity skills and talent. Despite the rapid escalation of global cyber threats, Australia has failed to produce enough skilled professionals to match the growing demand across both government and private sector organizations. Cybersecurity occupations are consistently listed in national skilled occupation shortages, yet efforts to boost the talent pool through education and training have been insufficient. Those universities and vocational programs that do offer cyber courses struggle to attract students due to a lack of industry engagement and the perceptions of limited career opportunities in Australia. Immigration pathways for global talent have also been limited, preventing firms and agencies from easily supplementing the domestic cyber workforce.
- Widespread use of outdated legacy IT systems. Many large organizations, and government agencies in particular, still rely on digital infrastructures and systems that are decades old, using obsolete software and technologies no longer supported by vendors. These legacy architectures were not built with security as a primary consideration, relying on outdated protocols and lacking basic security controls. Upgrading such sprawling legacy estates is an immense logistical and budgetary challenge for organizations, due to the complex interfacing of old and new. Delaying these upgrades, however, leaves serious security vulnerabilities and exposures that attackers can readily exploit through unpatched weaknesses.
- A misplaced focus on data sovereignty. Australia’s focus on data localization (requiring data to be stored in Australia) has discouraged offshore cloud adoption where security is generally stronger. These local data storage requirements have placed significant cost burdens on enterprises, taking funding away from cybersecurity programs and skills development. In reality, the most significant attacks typically target people/processes rather than infrastructure or location. Accordingly, these overly protectionist policies provided a false sense of security while slowing digital transformation, leaving some organizations with outdated legacy systems that are hard to defend. In today's connected digital ecosystems, where organizations increasingly leverage multiple cloud platforms for flexibility and resilience, true data sovereignty is impossible. Rather than mandating unachievable data storage models, priority should be placed on establishing robust encryption, access controls and response obligations wherever Australian data is accessed or processed.
Earlier this year, O’Neil stated that Australia must prepare for a “dystopian future” in which increasingly digitally connected cities may be “held hostage through interference in everything from traffic lights to surgery schedules.” When addressing the Sydney Dialogue conference in April 2023, she said that Australia “faced a scale and intensity in the threat landscape that far outstrips the recent cases we have seen.”
O’Neil called out state-sponsored attackers, financially motivated cyber actors and extortionists as public enemy number one. To combat these nefarious groups and individuals, she put together a new cyber strategy, including a series of national exercises focused on protecting critical infrastructure, and aims to make Australia “the world’s most cyber-secure country by 2030.”
Boosting Australian Cyber Resilience With Cyber Threat Intelligence Solutions
A crucial part of O’Neil’s strategy is building a team of 100 cybersecurity specialists who will be “permanently focused on hunting down people seeking to hack our systems, and hacking back.” As with any organization’s threat-hunting efforts, rich cyber threat intelligence (CTI) that sheds light on threat actors’ activities and targets, as revealed on millions of deep and dark web sites and forums, will be paramount to Australia’s threat-hunting mission. Armed with such intelligence, the Australian government and business community can understand threat actors’ tactics, techniques and procedures (TTPs) and benefit from early warnings regarding the very first indications of potential risk -- before an attack materializes. By monitoring their attack surface and preemptively implementing necessary defensive measures to block cybercriminal efforts, Australian companies will be better equipped to manage and reduce their overall organizational threat exposure and protect their systems from attack.
How these high-profile attacks could have been prevented
Optus: Although the cause of the attack remains disputed, for this purpose, we will examine the incident based on the assumption that an unsecured API was the source of the breach. In this case, a solution such as External Attack Surface Management (EASM) could have helped detect and mitigate this exposure before it was weaponized.
EASM solutions work to continuously discover an organization's digital assets and footprint across the external attack surface on various surfaces, such as public IP addresses, domains and APIs. EASM involves performing scans from an external perspective to understand how attackers view and potentially access your systems through exposed external assets connected to the organizational network.
Had Optus implemented EASM:
- The API exposed to the open internet would have been discovered during external scans.
- Its configuration without proper authentication or encryption would have been identified as a security weakness ripe for cybercriminal exploitation.
- Optus could then have corrected the issue by reconfiguring the API to require authentication and to serve traffic only over HTTPS, reducing the attack surface.
- EASM monitoring would ensure any new APIs deployed externally were also appropriately protected.
- Valuable metadata about Optus' digital properties and dependencies would be collected, helping to discover additional high-risk vulnerabilities and exposures.
By mapping their external attack surface and identifying misconfigurations, EASM gives organizations visibility into gaps that threat actors could exploit from the internet before an attack occurs. This could have helped Optus avoid such a significant breach.
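The discovery step described above is essentially a reconciliation problem: what the internet can see versus what the organization knows it owns. The following added example (not code from the article or from any EASM product) shows that reconciliation over two constructed discovery snapshots and a constructed inventory; the organization, its domain `example-telco.example` and every hostname are hypothetical. It produces the three lists a team acts on: assets that appeared since the last scan, assets nobody recorded, and APIs observed without TLS or authentication.

```python
"""Reconcile EASM discovery results with the internal asset inventory.

Added example, not code from the original article or from any EASM vendor.
Hostnames, the inventory contents and the two discovery snapshots below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str      # fully qualified hostname as seen from the internet
    service: str   # what the scanner observed on it, e.g. "api", "web", "rdp"
    tls: bool      # service answers over TLS
    auth: bool     # an unauthenticated probe was rejected (401/403)


def normalize_host(host: str) -> str:
    """Lower-case and strip trailing dots so the same name always compares equal."""
    return host.strip().lower().rstrip(".")


def in_scope(host: str, owned_domains: set) -> bool:
    """True when host is one of the organization's registered domains or a subdomain of one."""
    h = normalize_host(host)
    return any(h == d or h.endswith("." + d) for d in owned_domains)


def reconcile(discovered, previous, inventory, owned_domains):
    """Return three lists:
    - new:      in-scope assets seen in this scan but not in the previous snapshot
    - unknown:  in-scope assets not recorded in the inventory (forgotten test systems, shadow IT)
    - exposed:  APIs observed without TLS or that accepted an unauthenticated request
    """
    seen_before = {normalize_host(a.host) for a in previous}
    known = {normalize_host(h) for h in inventory}
    new, unknown, exposed = [], [], []
    for a in discovered:
        if not in_scope(a.host, owned_domains):
            continue  # someone else's asset; not ours to remediate
        h = normalize_host(a.host)
        if h not in seen_before:
            new.append(a)
        if h not in known:
            unknown.append(a)
        if a.service == "api" and (not a.tls or not a.auth):
            exposed.append(a)
    return new, unknown, exposed


# --- constructed sample data for a hypothetical organization ---
OWNED = {"example-telco.example"}
INVENTORY = ["www.example-telco.example", "api.example-telco.example"]
YESTERDAY = [
    Asset("www.example-telco.example", "web", True, False),
    Asset("api.example-telco.example", "api", True, True),
]
TODAY = YESTERDAY + [
    Asset("api-test.example-telco.example", "api", False, False),  # unrecorded test endpoint
    Asset("cdn.third-party.example", "web", True, False),          # not our domain
]

if __name__ == "__main__":
    new, unknown, exposed = reconcile(TODAY, YESTERDAY, INVENTORY, OWNED)
    for label, items in (("new", new), ("unknown", unknown), ("exposed", exposed)):
        print(label, [a.host for a in items])
```

Running the scan daily and feeding the `new` list straight into a ticket queue is what turns the one-off discovery into the continuous monitoring the text describes; the `unknown` list is usually the more uncomfortable one, because it is where test environments that were never meant to be public turn up.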
Medibank: The Medibank breach was the result of compromised credentials used by a trusted third-party IT services provider. Real-time cyber threat intelligence from the deep and dark web could have helped to identify this exposure and prevent the attack.
- Initial access brokers actively trade stolen access credentials (usernames and passwords, remote desktop protocol access, etc.) on dedicated deep and dark web forums and markets.
- Real-time deep and dark web cyber threat intelligence continuously monitors these underground platforms to identify compromised credentials the moment they are listed for sale.
- Had Medibank harnessed cyber threat intelligence from initial access broker markets, it likely would have detected the third party's admin credentials being leaked/sold soon after theft occurred.
- Most initial access trading happens within days or weeks of a breach. Faster detection is possible through combining Attack Surface Management solutions with CTI to receive immediate alerts of potentially compromised organizational access.
- Once alerted, Medibank could have rapidly contacted the third party to validate, check login logs, reset credentials and reduce organizational exposure.
- With the admin credentials changed before the attacker could purchase, leverage and weaponize the compromised access, data exfiltration may have been stopped or limited.
Early warnings of credential compromise through deep and dark web monitoring of organizational assets provide a critical window to contain breaches before significant damage is done. By monitoring the organizational attack surface in real time across the deep and dark web -- in particular, across initial access broker marketplaces -- Medibank may have been able to detect this exposure and prevent its weaponization before cybercriminals were able to exfiltrate sensitive data belonging to approximately 10 million Medibank customers.
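The matching step in the bullets above is worth seeing concretely, because the Medibank lesson is that the watchlist must include the domains of third-party providers, not just the organization's own. The following added example (not code from the article or from any CTI vendor) matches constructed initial-access-broker listings against such a watchlist and ranks the alerts by how privileged the access is and how fresh the listing is; the domains `example-insurer.example` and `msp-contractor.example`, the account names and the stealer label are all hypothetical.

```python
"""Match initial-access-broker / stealer-log listings against monitored identities.

Added example, not code from the original article or any CTI vendor. The
listings, domains and account names below are constructed. Third-party
providers' domains are watched alongside the organization's own, because a
supplier's credentials open the organization's door just as well.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Listing:
    source: str            # forum / market the listing was observed on
    email: str             # compromised account, as shown in the listing
    access_type: str       # e.g. "vpn", "rdp", "admin-panel", "email"
    listed_at: datetime    # when the listing was first observed
    stealer: Optional[str] = None  # malware family named in the listing, if any


@dataclass
class Alert:
    email: str
    owner: str             # "self" or the third party whose domain matched
    urgency: str
    listing: Listing


def domain_of(email: str) -> str:
    return email.strip().lower().rsplit("@", 1)[-1]


def urgency_for(listing: Listing, now: datetime) -> str:
    """Privileged access and very fresh listings go first: most initial-access
    trades complete within days, so the window to rotate credentials is short."""
    age_days = (now - listing.listed_at).days
    privileged = listing.access_type in {"vpn", "rdp", "admin-panel"}
    if privileged and age_days <= 7:
        return "critical"
    if privileged or age_days <= 7:
        return "high"
    return "medium"


def match_listings(listings, watchlist, now):
    """watchlist maps a domain to its owner label ("self" or a supplier name).
    Returns one Alert per matching account/access pair, most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    alerts, seen = [], set()
    for listing in listings:
        owner = watchlist.get(domain_of(listing.email))
        if owner is None:
            continue  # not one of our domains or suppliers
        key = (listing.email.strip().lower(), listing.access_type)
        if key in seen:
            continue  # same account re-listed elsewhere; one alert is enough
        seen.add(key)
        alerts.append(Alert(key[0], owner, urgency_for(listing, now), listing))
    alerts.sort(key=lambda a: (order[a.urgency], a.listing.listed_at))
    return alerts


# --- constructed sample data ---
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
WATCHLIST = {
    "example-insurer.example": "self",
    "msp-contractor.example": "IT services provider (third party)",
}
LISTINGS = [
    Listing("market-A", "jsmith@msp-contractor.example", "vpn",
            datetime(2023, 5, 30, tzinfo=timezone.utc), "stealer-X"),
    Listing("forum-B", "JSMITH@msp-contractor.example", "vpn",
            datetime(2023, 5, 31, tzinfo=timezone.utc)),            # duplicate of the above
    Listing("market-A", "a.lee@example-insurer.example", "email",
            datetime(2023, 4, 1, tzinfo=timezone.utc), "stealer-X"),
    Listing("market-C", "someone@unrelated.example", "rdp",
            datetime(2023, 5, 31, tzinfo=timezone.utc)),            # not on the watchlist
    Listing("forum-B", "ops@example-insurer.example", "admin-panel",
            datetime(2023, 4, 20, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for a in match_listings(LISTINGS, WATCHLIST, NOW):
        print(a.urgency, a.email, "->", a.owner, "via", a.listing.source)
```

The first alert out of this run is the supplier's VPN account, not one of the organization's own users, which is exactly the case the Medibank timeline describes; the response is the one the text lists: contact the third party, check login logs and rotate the credential.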
Latitude: The source of the Latitude payroll data breach has not yet been confirmed publicly. While official investigations continue, cybersecurity experts analyzing the case reportedly believe the attacker(s) gained initial access either through credential theft via a phishing attack targeting Latitude employees or by exploiting an unpatched vulnerability in an internet-facing Latitude application or service. If this were a case of compromised credentials, the steps Medibank could have taken would also apply here. If the cause of the breach was the exploitation of an unpatched vulnerability, vulnerability exploit intelligence would likely have equipped Latitude with the insight needed to prioritize treatment before the exposure was weaponized in an attack.
Had Latitude implemented vulnerability exploit intelligence:
- Continuous scoping and discovery of their organizational attack surface, coupled with CPE-CVE matching, would have alerted Latitude to an unpatched, exposed vulnerability within their asset inventory.
- Effective vulnerability exploit intelligence would then have helped determine the real-time risk of exploitation, considering critical factors such as the availability of exploit kits and POCs, instances of exploitation in the wild and heightened cybercriminal discussions surrounding the vulnerability.
- With insight into cybercriminal discourse and activity across the deep, dark and clear web, and a real-time understanding of the likelihood of exploitation, Latitude would have been equipped with the early warning they needed to recognize this as an urgent, high-risk threat to their organization.
- This preemptive intelligence would have allowed Latitude to accurately prioritize treatment, immediately patching the vulnerability or isolating the unpatched asset to mitigate the damage of exploitation before the vulnerability was weaponized in an attack.
Armed with comprehensive visibility into their organizational threat exposure, Latitude could have likely uncovered and addressed the vulnerability much sooner -- before data theft occurred.
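The bullets above describe a pipeline: match inventory CPEs to CVE records, then re-rank by exploit intelligence rather than by CVSS alone. The following added example (not code from the article or from any vendor) implements that pipeline over a constructed inventory and constructed CVE records; the CVE identifiers `CVE-2099-000x`, the vendor and product names, the version ranges and the intel signals are placeholders, and the scoring weights are illustrative choices, not a standard.

```python
"""Match an asset inventory's CPE strings against CVE records and rank by exploit intelligence.

Added example, not code from the original article or any vendor. The CVE
identifiers, affected-version ranges and intelligence signals below are
constructed placeholders (CVE-2099-xxxx), not real advisories. The weights in
priority_score are illustrative, not a published scheme.
"""
from dataclasses import dataclass


def parse_cpe(cpe: str):
    """Return (vendor, product, version) from a CPE 2.3 string such as
    cpe:2.3:a:vendor:product:1.2.3:*:*:*:*:*:*:* (escaped colons are not handled)."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return parts[3].lower(), parts[4].lower(), parts[5]


def version_key(v: str):
    """Numeric tuple for ordering; non-numeric pieces count as 0 ("1.2.3a" -> (1, 2, 3))."""
    key = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


@dataclass
class CveRecord:
    cve_id: str
    vendor: str
    product: str
    version_start: str           # inclusive
    version_end: str             # exclusive (first fixed version)
    cvss: float
    poc_public: bool = False     # a proof of concept is publicly available
    exploited_in_wild: bool = False
    underground_mentions: int = 0  # distinct forum/market posts discussing the bug


@dataclass
class Asset:
    name: str
    cpe: str
    internet_facing: bool


def affected(asset: Asset, rec: CveRecord) -> bool:
    vendor, product, version = parse_cpe(asset.cpe)
    if (vendor, product) != (rec.vendor, rec.product):
        return False
    v = version_key(version)
    return version_key(rec.version_start) <= v < version_key(rec.version_end)


def priority_score(asset: Asset, rec: CveRecord) -> float:
    """CVSS is the baseline; exploit intelligence and exposure move items up the queue."""
    score = rec.cvss
    if rec.exploited_in_wild:
        score += 4.0
    elif rec.poc_public:
        score += 2.0
    if rec.underground_mentions >= 5:
        score += 1.5
    elif rec.underground_mentions > 0:
        score += 0.5
    if asset.internet_facing:
        score += 2.0
    return round(score, 1)


def prioritize(assets, records):
    """Return (asset name, cve id, score, action) tuples, highest priority first."""
    out = []
    for a in assets:
        for r in records:
            if affected(a, r):
                s = priority_score(a, r)
                action = ("patch now or isolate" if s >= 12
                          else "patch this cycle" if s >= 8 else "schedule")
                out.append((a.name, r.cve_id, s, action))
    out.sort(key=lambda t: -t[2])
    return out


# --- constructed sample data ---
ASSETS = [
    Asset("customer-portal", "cpe:2.3:a:examplevendor:webgateway:4.1.2:*:*:*:*:*:*:*", True),
    Asset("hr-intranet", "cpe:2.3:a:examplevendor:webgateway:4.3.0:*:*:*:*:*:*:*", False),
    Asset("build-server", "cpe:2.3:a:othervendor:cibox:2.0.1:*:*:*:*:*:*:*", False),
]
RECORDS = [
    CveRecord("CVE-2099-0001", "examplevendor", "webgateway", "4.0.0", "4.2.0", 9.8,
              poc_public=True, exploited_in_wild=True, underground_mentions=12),
    CveRecord("CVE-2099-0002", "examplevendor", "webgateway", "4.0.0", "4.4.0", 6.5,
              underground_mentions=1),
    CveRecord("CVE-2099-0003", "othervendor", "cibox", "2.0.0", "2.0.1", 8.0, poc_public=True),
]

if __name__ == "__main__":
    for row in prioritize(ASSETS, RECORDS):
        print(*row)
```

Note what the ranking does with the same medium-severity CVE on two hosts: the internet-facing portal lands in this patch cycle while the internal intranet is merely scheduled, and the build server drops out entirely because it already runs the first fixed version. That is the "real-time risk of exploitation" distinction the text draws, expressed as data a patching team can sort by.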
HWL Ebsworth: The cause of the HWL Ebsworth data breach has not yet been officially confirmed publicly. However, the usual modus operandi of notorious ransomware gang Alphv, which claimed responsibility for the attack and leaked data from it, suggests that Alphv infiltrated the law firm's network via a targeted phishing email campaign. Alphv is known to use personalized phishing lures containing malware payloads disguised as legitimate files or links. The goal of these phishing emails is to install info-stealing malware on corporate devices to extract login credentials and other initial access vectors -- similar to the Medibank case.
As discussed, cyber threat intelligence can detect stolen corporate credentials offered for sale on initial access broker sites, providing early warning of exposure before the access vector is purchased and weaponized. Cyber threat intelligence can also help organizations preemptively block info-stealing malware before it has infected a corporate endpoint and compromised access to the network.
- Initial access broker listings typically note the stealer that was used to compromise the machine. Continuous monitoring of these and other deep and dark web sources can provide critical insight into the indicators of compromise (IOCs) associated with credential theft malware.
- By integrating real-time, context-rich IOC intel into their security tools, HWL Ebsworth could have preemptively blocked indicators associated with known access compromise threats at the network/endpoint level before user exposure via phishing lures.
- Intelligence on keyloggers, info-stealers, remote access Trojans and other post-intrusion tools advertised for sale on the cybercriminal underground -- including contextual attributes such as source, threat actor, malware family and confidence score -- delivers critical insight into attacker techniques to identify blind spots and harden the attack surface before exploitation.
Timely integration of a comprehensive and continuously updated feed of indicators of compromise from both open and underground sources into HWL Ebsworth's security infrastructure would have enabled the firm to preemptively block known access compromise threats at the network and device level, denying those vectors before phishing exposure.
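Feeding indicators straight from a feed into enforcement is where teams get burned, so the integration step deserves the same care as the intelligence itself. The following added example (not code from the article or from any vendor) ingests a constructed, context-rich IOC feed carrying the attributes the text lists (source, actor, malware family, confidence score) and emits per-type blocklists after a confidence floor, a freshness window and sanity checks that keep malformed, non-routable or allowlisted entries out; every domain, hash and address in it is a placeholder, and `example-lawfirm.example` is a hypothetical own domain.

```python
"""Turn a context-rich IOC feed into blocklists the network and endpoint layers can consume.

Added example, not code from the original article or any vendor. The feed
entries are constructed; domains, hashes and IPs are placeholders. The quality
gates (confidence floor, freshness window, sanity checks) are the checks a team
adds so a feed cannot block its own infrastructure or partners.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Ioc:
    value: str
    ioc_type: str        # "domain", "ipv4" or "sha256"
    source: str          # open feed or underground source it came from
    actor: str
    malware_family: str
    confidence: int      # 0-100 as supplied by the provider
    last_seen: datetime


SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def validate(ioc: Ioc, allowlist: set):
    """Reject malformed, non-routable or self-harming indicators before enforcement.
    Returns (ok, reason)."""
    v = ioc.value.strip().lower()
    if ioc.ioc_type == "sha256":
        return (True, "") if SHA256_RE.match(v) else (False, "malformed hash")
    if ioc.ioc_type == "domain":
        if not DOMAIN_RE.match(v):
            return False, "malformed domain"
        if v in allowlist or any(v.endswith("." + a) for a in allowlist):
            return False, "allowlisted (own or partner domain)"
        return True, ""
    if ioc.ioc_type == "ipv4":
        try:
            ip = ipaddress.IPv4Address(v)
        except ValueError:
            return False, "malformed ipv4"
        if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_reserved:
            return False, "non-routable address"
        return True, ""
    return False, "unsupported type"


def build_blocklists(feed, allowlist, now, min_confidence=70, max_age_days=30):
    """Return ({type: sorted values}, rejected) where rejected is a list of (value, reason)."""
    lists = {"domain": set(), "ipv4": set(), "sha256": set()}
    rejected = []
    for ioc in feed:
        ok, reason = validate(ioc, allowlist)
        if not ok:
            rejected.append((ioc.value, reason))
            continue
        if ioc.confidence < min_confidence:
            rejected.append((ioc.value, f"confidence {ioc.confidence} below floor"))
            continue
        if now - ioc.last_seen > timedelta(days=max_age_days):
            rejected.append((ioc.value, "stale"))
            continue
        lists[ioc.ioc_type].add(ioc.value.strip().lower())
    return {k: sorted(v) for k, v in lists.items()}, rejected


# --- constructed sample feed ---
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
ALLOWLIST = {"example-lawfirm.example"}
FEED = [
    Ioc("stealer-c2.bad.example", "domain", "underground-forum", "actor-X", "stealer-X", 90,
        datetime(2023, 5, 28, tzinfo=timezone.utc)),
    Ioc("mail.example-lawfirm.example", "domain", "open-feed", "unknown", "n/a", 80,
        datetime(2023, 5, 30, tzinfo=timezone.utc)),       # our own mail host, mis-reported
    Ioc("deadbeef" * 8, "sha256", "underground-market", "actor-X", "stealer-X", 88,
        datetime(2023, 5, 25, tzinfo=timezone.utc)),
    Ioc("0123456789abcdef" * 4, "sha256", "open-feed", "actor-Y", "rat-Y", 95,
        datetime(2023, 4, 1, tzinfo=timezone.utc)),        # older than the freshness window
    Ioc("low-conf.bad.example", "domain", "open-feed", "unknown", "n/a", 40,
        datetime(2023, 5, 30, tzinfo=timezone.utc)),
    Ioc("10.0.0.5", "ipv4", "open-feed", "unknown", "n/a", 85,
        datetime(2023, 5, 30, tzinfo=timezone.utc)),       # private address, would block the LAN
    Ioc("not a domain!", "domain", "open-feed", "unknown", "n/a", 85,
        datetime(2023, 5, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    lists, rejected = build_blocklists(FEED, ALLOWLIST, NOW)
    print(lists)
    for value, reason in rejected:
        print("rejected", value, "-", reason)
```

Keeping the rejection reasons, rather than silently dropping entries, matters operationally: a feed whose entries are mostly stale or low-confidence is a feed to renegotiate, and an own-domain entry that slipped in is a signal worth raising with the provider.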
The series of high-profile cyber attacks over the past year have shaken confidence in Australia's cyber resilience, highlighting the need to reassess security strategies across all sectors. However, they have also provided important lessons for improvement.
Moving forward, Australia must reevaluate the outdated focus on data sovereignty, recognizing the borderless nature of the cyber threat landscape. A comprehensive, nationwide cybersecurity strategy that embraces innovation is critical, and a paradigm shift in the way that Australia conceptualizes cybersecurity is central to success. Taking inspiration from her allies in the U.S., Australia must mandate minimum security standards for companies and critical infrastructure, regularly assess compliance and strictly enforce consequences for breaches. Cybersecurity budgets must be significantly boosted to address workforce gaps and equip security teams with the tools they need to defend their systems in the face of increasingly sophisticated cybercriminals. Cyber threat intelligence and attack surface management solutions should be adopted to preemptively hunt down threats and identify weaknesses before they are exploited.
Equipped with insight into the epicenter of cybercriminal activities and discourse, security teams can confidently bolster their defenses based on a real-time understanding of threat actors, their tactics, tools, techniques and procedures and likely vectors for attack. With the right skills, resources and oversight in place, Australian businesses and government entities can substantially reduce their risk of becoming the next headline cyber incident. Most importantly, they will be better able to safeguard Australians' personal data and digital security.
By learning from these events and taking a preemptive, intelligence-led approach, Australia has a chance to emerge stronger. Now is the time for decisive action that constructs a robust security architecture for the country -- one that can withstand the cyber challenges of tomorrow.