Self Assessment

THE CHANGING CYBER THREAT LANDSCAPE : Australia and New Zealand

Published On : 2024-12-20
Share :
THE CHANGING CYBER THREAT LANDSCAPE : Australia and New Zealand

EXECUTIVE SUMMARY

Australia and New Zealand’s cyber threat landscape has become increasingly complex, with challenges affecting critical infrastructure, healthcare, finance, manufacturing, mining, and more. This Report stresses the growing dangers posed by cybercriminals and state-sponsored threat actors alike while highlighting the proactive measures that businesses can take to strengthen their defenses.

Organizations are increasingly recognizing that cybersecurity is no longer a peripheral concern but a central element of operational resilience and national security.

The rapid evolution of cybercrime in the region is driven by an expanding ecosystem of access brokers, extortionists, and sophisticated adversaries. Common attack vectors such as business email compromise remain a persistent challenge, while ransomware, data exfiltration, and hacktivist denial-of-service attacks disrupt business continuity and inflict substantial financial and reputational harm. Additionally, supply chain vulnerabilities are being exploited at an unprecedented scale, heightening risks across interconnected systems.

Geopolitical factors have amplified these threats, with ideologically driven groups like the People’s Cyber Army and Mysterious Team Bangladesh targeting government websites, financial institutions, and critical infrastructure in response to Australia’s geopolitical alignments. These attacks are designed to disrupt essential services, influence public perception, and create pressure on national resources, signaling a shift towards politically motivated cyber aggression in the region.

In response to this escalating threat landscape, both Australia and New Zealand have adopted transformative measures to strengthen their cybersecurity postures. Strategic initiatives, such as national cybersecurity strategies, enhanced budgetary commitments, and robust legislation, are driving a coordinated approach to combatting cyber risks. This report offers a detailed analysis of the current threat environment and provides actionable insights for mitigating risks in high-priority sectors, including finance, healthcare, government, and infrastructure. Key focus areas include leveraging governmental directives, capitalizing on increased regional cybersecurity investments, adhering to evolving regulatory requirements, and fostering international collaboration to counteract the growing sophistication of cybercriminals and politically motivated threat actors.

The findings of this report stress the urgency of adopting a comprehensive cybersecurity framework, integrating advanced technologies, and fostering a culture of security awareness to stay ahead of evolving threats and ensure long-term resilience.

THREAT LANDSCAPE TODAY

01 MOVEMENT FROM DIGITAL TO KINETIC TARGETS
Trend: Ransomware attacks on critical infrastructure
Motives: Disruption/Geopolitical/Extortion

02 DATA EXFILTRATION FROM IOT DEVICES
Trends: Spyware, Malware and Plug-ins to collect data
Motives: Reputation impact, disruption, extortion

03 EXPLOITATION OF LEGACY SYSTEM
Trends: Brute Force Attacks, Credential Reuse and Data Exfiltration via Malware
Motive: Operational Disruption, Espionage, IP Exfiltration

04 CROSS-ENVIRONMENT ATTACK
Trend: Social engineering/phishing. Jump server
Exploits, Remote access tool compromise
Motives: Operational Disruption, Espionage, IP Exfiltration

05 USE OF BOTNETS, AI, DEEPFAKE
Trends: Device Scanning, Firmware, Phishing/malware Download
Motives: Disruption, Data Harvesting, Remote Attacks (DDOS)

06 SUPPLY CHAIN OF INFRASTRUCTURE, UTILITY COMPANIES REMAIN AT RISK
Trends: Multi-behavioral malware (IT/OT), Different operating system
Target: CII trade secrets documents containing proprietary processes

TRENDS IN THE AUSTRALIA/ NEW ZEALAND THREAT LANDSCAPE

  • In FY2023-24, the Australian Signals Directorate (ASD) responded to over 1,100 cyber incidents, with 11% of these attacks focused on critical infrastructure. Furthermore, there was a 12% increase in calls to the Australian Cyber Security Hotline, with more than 36,700 inquiries related to cyber threats.
  • This surge reflects the growing concern about cybersecurity vulnerabilities across sectors. Data breaches, ransomware attacks, and politically motivated Distributed Denial of Service (DDoS) attacks have been prevalent, underlining the urgent need for more robust security measures across organizations in Australia and New Zealand.
  • Organizations in Information Technology, Manufacturing, Mining, Tourism, Logistics, and Construction Industries are actively exploited by state-sponsored and financially motivated threat actors.
  • Heightened geopolitical tensions in the Asia-Pacific region have led to an increase in state-sponsored cyberattacks and espionage, targeting government entities and private sectors.
  • Threat actors are leveraging AI and automation to enhance the sophistication of attacks, enabling faster data exfiltration, more convincing social engineering tactics, and targeted zero-day vulnerabilities. As the adoption of IoT, cloud computing, and 5G networks expands, attackers are exploiting vulnerabilities in these technologies, emphasizing the need for stronger security protocols and resilience measures.

WHAT ATTRACTS CYBER THREAT ACTORS TO AUSTRALIA AND NEW ZEALAND?

  • Economic Significance: Australia and NZ are developed and prosperous nations with strong economies. As such, they represent lucrative targets for cybercriminals seeking financial gains through activities, such as ransomware attacks, financial fraud, or intellectual property theft.
  • Political and Strategic Importance: Both nations are geopolitically significant and are part of international alliances. Cyber threat actors, including state-sponsored groups, target the country for political or strategic reasons. Espionage, information warfare, and disruption of critical infrastructure could be objectives in this context.
  • Geopolitical Tensions: Geopolitical tensions in the Asia-Pacific region can also contribute to cyber threats against Australia and NZ. State-sponsored groups or hacktivist organizations may be motivated by political or ideological conflicts.
  • Global Interconnectedness: Australia and NZ are deeply integrated into the global economy and information networks, and as such, are exposed to cyber threats originating from different parts of the world. The global nature of cyber threats means that any country with extensive international connections is susceptible.
  • Increasing Internet Penetration: With more citizens coming online, cybercriminals see a ripe landscape for schemes like fraud, ransomware, and phishing, targeting less cyber-aware populations.
  • Financial Gains: Cyber espionage has emerged as a significant motivation behind many data breaches and unauthorized access incidents, especially in sectors with valuable intellectual property or sensitive personal information. Incidents like the unauthorized access to BlueScope Steel and the leak of Microsoft employee data exemplify attacks driven by data theft and espionage.

INDUSTRIAL SECTOR IN FOCUS

INFORMATION TECHNOLOGY
With a strategic emphasis on the Information and Communication Technology (ICT) sector, both the Australian and New Zealand governments have launched various initiatives to drive its development, recognizing it as a critical industry. The goal is to significantly boost their digital economies, offering substantial growth prospects for the ICT market. In Australia, the digital economy is projected to contribute AUD 250 billion to GDP by 2030, while New Zealand aims to strengthen its position as a leading digital nation. This ambitious trajectory is highlighted by robust annual growth rates and substantial investments in technology and innovation.

Within this dynamic and expanding digital landscape, the IT industry in Australia and New Zealand attracts significant attention from cyber threat actors. The convergence of economic ambitions and rapid technological advancements renders the IT sector particularly vulnerable to cyber threats. Threat actors target this sector to exploit vulnerabilities for financial gains, intellectual property theft, or competitive advantage. As such, addressing cybersecurity challenges and implementing robust protective measures is crucial to safeguarding the IT infrastructure and ensuring the resilience of the digital economies in both countries.

AGRICULTURE INDUSTRY
Australia’s agriculture sector is a vital component of the national economy, significantly contributing to both domestic production and international exports. The sector’s diverse range of primary products, including wheat, milk, fruits, nuts, vegetables, and meat, play a crucial role in the country’s GDP. Key export commodities such as beef, wheat, wine, wool, and lamb highlight Australia’s prominence in global agricultural trade. Notably, the beef industry stands out as Australia’s largest agricultural enterprise, making the nation the world’s second-largest beef exporter, following Brazil. Approximately 72% of Australia’s agricultural production is exported internationally.

However, the agricultural sector faces increasing cyber threats, ranking as the sixth most susceptible to data breaches. These threats include data breaches, ransomware, phishing campaigns, scam emails, and malware. The sector’s complexity, spanning small-scale enterprises to large global operations, results in varied levels of IT proficiency and cybersecurity awareness. Despite growing technological investments, there remains a significant gap in prioritizing cybersecurity.

The adoption of digital platforms, payment gateways, and advanced agricultural machinery, such as precision agriculture technologies, creates vulnerabilities. These range from unauthorized access to personal and business data to the compromise of production systems and theft of intellectual property. Addressing these challenges is crucial to ensure the resilience and security of Australia’s agricultural industry against evolving cyber threats.

TOURISM
Beyond its economic contributions, Australia and NZ’s allure as a tourism hotspot is undeniable. Their diverse offerings cater to a broad spectrum of travellers, making the tourism industry a lucrative target, with its wealth of sensitive data, including traveller information, financial transactions, and reservation details. Additionally, the sector’s interconnected ecosystem, encompassing travel agencies, hospitality services, and online platforms, presents numerous avenues for cybercriminals to exploit vulnerabilities, ranging from data breaches and financial fraud to ransomware attacks.

LOGISTICS
The logistics industry plays an indispensable role in bolstering Australia and NZ’s economies, overseeing the intricate processes of production, storage, inventory management, and the efficient delivery and distribution of goods and services. As of 2023, the Australia Freight and Logistics Market commands a significant valuation of approximately 89.86 billion USD, with projections indicating a growth trajectory to reach 113.94 billion USD by 2029. This growth underscores the sector’s vitality, driven by the nation’s robust import and export dynamics. However, as the logistics industry evolves and expands, it concurrently becomes a focal point for cyber threats within the Australian threat landscape. Threat actors are increasingly targeting the logistics sector, drawn by its pivotal role in the supply chain ecosystem, an extensive network of stakeholders, and vast volumes of valuable data and goods in transit.

MINING
Australia’s mining sector continued to be a cornerstone of its economy in 2024, despite facing ongoing challenges. The sector remained a major contributor to the nation’s GDP and a significant source of export revenue, driven by strong demand for key commodities like iron ore, coal, and gold. However, the industry navigated a complex landscape marked by global economic uncertainties, geopolitical tensions, and the ever-present threat of climate change. The global economic slowdown, coupled with rising interest rates and inflationary pressures, posed challenges to the mining sector. Commodity prices experienced some volatility, impacting profitability and investment decisions. The growing emphasis on environmental, social, and governance (ESG) factors continued to shape the industry. Mining companies faced increasing pressure to reduce their environmental footprint, improve social and community engagement, and enhance governance practices. This led to a renewed focus on sustainable mining practices, including energy efficiency, water management, and responsible sourcing.

INDUSTRIAL SECTOR IN FOCUS

MANUFACTURING
Australia’s manufacturing sector in 2024 reflects a dynamic and diversified landscape, with core industries including food and beverages, machinery and equipment, chemicals, and metal products. Over the next two decades, the industry is poised to embrace a transformation characterized by increased integration, collaboration, and an export-oriented approach. Central to this evolution is the adoption of high-value, customized solutions within global value chains, emphasizing advanced design, R&D, and comprehensive after-sales services. The sector is also shifting toward sustainable practices and favoring low-volume, high-margin production models to meet changing market demands.

The 2024 CommBank Manufacturing Insights Report highlights that 72% of Australian manufacturers project robust production growth and are prioritizing capital expenditure in advanced technologies to enhance productivity, quality, and operational capacity. However, alongside these technological advancements comes an expanding cyber-attack surface. The sector’s dependence on interconnected systems and data-driven processes has heightened its vulnerability, with cyber threats ranging from intellectual property theft and espionage to operational disruptions and financial extortion. This makes cybersecurity a critical priority as the industry advances into a more technology-reliant future.

HEALTH
The governments of Australia and New Zealand have developed many programs for the progress of the health industry, with a strategic focus on the development of healthcare systems, since it holds huge significance. This helps in building better health conditions and easy accessibility, thus benefiting the nations as a whole by enabling overall development and economic stability. The health sector in Australia is supposed to contribute AUD 200 billion towards the GDP by 2025, and New Zealand is also making enough investments in enhancing health outcomes and infrastructure.

In this fast-changing landscape, the health industry in Australia and New Zealand stands vulnerable to serious cyber threats. The integration of digital health records, telemedicine, and advanced medical technologies exposes it to vulnerabilities. The cyber adversaries target this sector to exploit the weaknesses for financial gains, data theft, or disrupting the health care services. These threats, therefore, underscore the importance of effective cybersecurity measures that ensure sensitive health information is well-protected and the resiliency of healthcare systems is duly guarded. Overcoming these challenges will ensure patient data protection, retained trust, and continued high-quality delivery of healthcare services in both nations.

GEOPOLITICAL DYNAMICS AND CYBER THREATS IN ANZ Region

Australia’s geopolitical stance and its relationships with global powers profoundly influence its cybersecurity strategies.

Following a period of geopolitical normalcy, characterized by the resumption of trade relations with China and the enduring US alliance, Australia once again faced global disruptions in 2024. Moreover, Trump’s upcoming return to the White House brings a mix of opportunities and challenges for Southeast Asia. The new administration seems set to revitalize the Indo-Pacific strategy crafted during Trump’s first term, emphasizing countering China and bolstering alliances and partnerships across the region. But the new approach will bear more continuity with the previous administration than first meets the eye. This also relates to New Zealand.

On the same day U.S. President Joe Biden hosted the inaugural United States-Japan-Philippines summit at the White House, a quieter yet strategically significant meeting unfolded just a few blocks away. On April 11, New Zealand Foreign Minister Winston Peters met with U.S. Secretary of State Antony Blinken at the State Department, where the two officials issued a joint statement emphasizing that their nations are “working more closely than ever.”

This meeting marked a notable development in U.S.-New Zealand relations, which have historically been strained, partly due to Wellington’s earlier engagement with China. It highlighted how Beijing’s assertive behavior is increasingly driving regional actors toward Washington’s strategic embrace. While U.S.-New Zealand ties had cooled in the 1980s, relations began to improve in the 2010s, a shift catalyzed by Beijing’s actions. For New Zealand, revelations of widespread Chinese political interference in the country’s 2017 national elections were a turning point, transforming its perception of China from a partner to a concern.

Foreign Minister Peters has since called for New Zealand to deepen its engagement with security alliances like the Five Eyes intelligence network and NATO. Moreover, New Zealand may soon collaborate with AUKUS (Australia-United Kingdom-United States) on non-nuclear security initiatives, including cyber defense, hypersonic weapons, artificial intelligence, quantum technology, and undersea capabilities. Unsurprisingly, these developments have not been well-received in Beijing.

After weathering the COVID-19 storm and mending fences with China, Australia seemed poised to reclaim its traditional geopolitical role in 2024. The AUKUS partnership, a trilateral security pact with the US and UK, solidified its strategic alignment with the West, while trade ties with China gradually normalized.

However, this apparent stability masks an inherent contradiction. AUKUS and the nuclear submarine deal signed with the US, is widely viewed as a counterbalance to China’s growing assertiveness in the South China Sea, a vital trade route for Australia. Yet, China remains Australia’s largest trading partner, highlighting the delicate balancing act Australia must perform between its security and economic interests.

Despite this tension, Australia has managed to maintain good relations with its neighbors, including Indonesia, once perceived as a potential security threat. This diplomatic dexterity underscores Australia’s ability to navigate the complex geopolitical landscape of the Indo-Pacific.

The problem for both Australia and New Zealand is that China views alliances including AUKUS and the so-called “Quad” (Australia, Japan, the Philippines, and the United States) as part of a broader U.S.-led effort to contain its influence. While these partnerships are not the primary focus of Trump-era foreign policy, which prioritized Iran and China, their growing importance could make them key players in Southeast Asia’s geopolitics. Any progress by Washington in strengthening these relationships is likely to provoke subtle responses from Beijing, including the use of cyber tactics. Meanwhile, on the economic front, a downturn in the Chinese economy has reduced demand for iron ore and heightened the need for Australia to expand its trading networks.

Any movement closer to the US, something the upcoming American administration might demand for lending further support (in terms of forcing Australia and New Zealand to “choose” between the US and China, inherently carries risks of overt and covert retaliation from Beijing, particularly through economic warfare and cyberattacks. As U.S. military engagements in the region increase, including more frequent port visits to Australia and New Zealand, the geopolitical stakes will continue to rise, testing the resilience and unity of these emerging alliances.

China is a global champion in using cyber attacks as a tool of statecraft and has a bigger hacking program than that of every other major nation combined. Should Australia and New Zealand get their balancing act wrong, they would face consequences in the fifth domain swiftly.

MAJOR CYBERSECURITY INCIDENTS TARGETING ANZ REGION

  • Compass Group Australia, a leading food and support services company, had fallen victim to a ransomware attack orchestrated by the Medusa ransomware group. The attackers claim to have accessed 785.5 GB of organizational data, significantly impacting the company’s operations.
  • Australia furniture retailer Early Settler was a victim of a data breach that exposed customer names, email addresses, phone numbers, delivery addresses, and, in some cases, dates of birth.
  • Engedi, a not-for-profit organization based in Mackay, Queensland, has become the latest victim of a ransomware attack by the Rhysida group. The attack was publicly disclosed on August 22, when Rhysida listed Engedi on their darknet leak site, claiming to have exfiltrated sensitive data and threatening to publish it unless a ransom of 10 bitcoin (approximately $94,000 AUD) is paid.
  • The Harry Perkins Institute of Medical Research, one of Australia’s leading medical research institutes, had reportedly suffered a cyberattack carried out by the notorious MEDUSA ransomware group. The hackers allegedly exfiltrated 4.6 TB of internal building camera recordings of the institute and demanded a ransom of $500,000.
  • Reward Hospitality is a leading distributor of hospitality supplies and commercial catering equipment in the Asia Pacific region, particularly in Australia, New Zealand, and the Pacific Islands. The company operates 26 locations across Australia and employs approximately 1,350 staff members. Reward Hospitality specializes in providing a diverse range of products and services tailored to meet the specific needs of various sectors within the hospitality industry, including commercial kitchen design, equipment supply, tableware, disposables, and catering supplies.
  • Insula Group is an Australian-owned company specializing in IT services and software solutions, particularly within the residential construction and finance broking sectors. The company is recognized for its innovative software products that have significantly contributed to the success of various players in its target industries.

STRATEGIC REASONS TO TARGET ANZ REGION

  • FINANCIAL GAINS
  • GEOPOLITICAL LEVERAGE
    • Regional Influence
    • Recruiting and Influencing Individuals
  • INTELLIGENCE AND ESPIONAGE
    • Surveillance and Data Collection
    • Monitoring Strategic Assets
  • ECONOMIC AND INDUSTRIAL IMPACT
    • Economic Destabilization
    • Resource Manipulation
    • Hindering Foreign Investment
  • MILITARY AND STRATEGIC PREPARATION
    • Creating Backdoors
    • Infrastructure Mapping

TRENDS FROM THE DARK WEB – ANZ Region

  • CYFIRMA Dark Web telemetry and Early Warning system detected 70 campaigns with victims in Australia since the start of 2021.
  • After an increase in 2022, the following years recorded low numbers.

In 2024, there is a rise in the number of observed campaigns, a slight increase compared to the preceding year. This uptick highlights the heightened interest of threat actors in the economic and geopolitical dynamics of Australia.

  • The most attacked industries in campaigns with recorded victims in the ANZ region are Government, Industrial Conglomerates Financial Services, Healthcare, and IT Services.

The malware landscape remains dominated by familiar threats, Winnti, Emotet, and various ransomware strains, including LockBit3.0, are responsible for a significant portion of cyberattacks. Remote Access Trojans (RATs) like PlugX, NukeSped RAT, Remcos RAT, and Cobalt Strike are also prevalent, enabling attackers to maintain persistent access to compromised systems and facilitate further attacks. These tools are often used by both state-sponsored and financially motivated actors.

The most active suspected threat actors in campaigns with recorded victims in Australia are MISSION2025, Lazarus group (DPKR), FIN7, TA505, combined Chinese Threat actors (Pandas) as well as combined Russian cybercriminal syndicates. MISSION2025 reigned supreme, their relentless campaigns yielding the highest observed count. Close behind were the notorious Lazarus Group and FIN7, notorious for their sophisticated techniques and lucrative exploits.

State-sponsored actors like TA505 and Stone Panda continued to pose significant threats, their operations often intertwined with geopolitical agendas. Groups like Fancy Bear and Cozy Bear, known for their involvement in high-profile intrusions, maintained a persistent presence.

TRENDS FROM THE DARK WEB – Australia Region

  • The top attacked technology are by a large margin Web Applications, simply due to the fact that they are internet facing.
  • Second place is operating systems, followed by Application Infrastructures, and combined Remote Access tools.

Top Attacked Technology

TRENDS FROM THE DARK WEB – New Zealand Region

  • The top attacked technology is by a large margin Web Applications, simply due to the fact that they are internet facing.

Top Attacked Technology

CAMPAIGNS TO DEFEND AGAINST

We observed 17 campaigns targeting various industries in Australia during 2024. Russian, Chinese, and North Korean state-sponsored threat actors are behind most of these campaigns. Here are some details about observed sample campaigns.

Campaign Name Suspected Threat Actor Geography Target Industries Targeted Services/ vulnerabilities Malware Name
Blue Yonder MISSION2025, Volt Typhoon South Korea, United States, Japan, Taiwan, United Kingdom, Australia, Thailand, India Aerospace & Defense, Airlines, Government, Industrial Conglomerates, Insurance, Banks, IT Services, Diversified Financial Services, Automobiles, Technology Hardware, Storage & Peripherals Web Application Mirai, Volt, Lightspy
Thunderstorm Volt Typhoon, Emissary Panda United States, Japan, Taiwan, United Kingdom, Australia, Thailand, India Government, Industrial Conglomerates, Insurance, Banks, It Services, Diversified Financial Services, Technology Hardware, Storage & Peripherals Virtual Private Network (VPN) Solutions, Routers, Web Application Volt
Red River Unknown English-Speaking Hackers, Unknown Vietnamese Hackers South Korea, Vietnam, United States, Japan, Taiwan, United Kingdom, Australia, Thailand, India Aerospace & Defense, Diversified Telecommunication Services, Government, Industrial Conglomerates, Wireless Telecommunication Services, IT Services, Diversified Financial Services, Machinery, Technology Hardware, Storage & Peripherals Web Application Cobalt Strike

Campaign details tracked by DeCYFIR where threat actors are targeting Australia/New Zealand organizations.

THREAT ACTORS TO WATCH

MISSION2025, APT41, Stone Panda

TA505, Cozy Bear, Fancy Bear, FIN7

LAZARUS GROUP

DATA LEAKS

Data leaks play a crucial role in the landscape of cyber threats, acting as a significant vulnerability that can lead to a wide range of security issues and potential damages. When sensitive or confidential information is accidentally exposed or intentionally stolen and released, it can lead to identity theft, financial fraud, and a severe loss of trust and reputation for the affected organization. Such leaks often provide cybercriminals with the necessary data to conduct more targeted and effective attacks, such as phishing schemes, ransomware attacks, or further unauthorized access into secure systems. Additionally, data leaks can result in hefty regulatory fines and legal challenges, especially if the leaked information includes personally identifiable information (PII) protected under data privacy laws.

A well-known user on an Underground Forum is selling SSH access to an Australia-based manufacturing company.

CYFIRMA observed a data leak related to an Australia-based organization. The leaked database contains 10,000 rows including first name, last name phone number, and more.

CYFIRMA observed a data leak related to an Australia-based marketing company. The leaked database contains 11,000 rows.

CYFIRMA observed a data leak related to an Australia-based construction service provider. The database contains 59,000 rows including email and hashed passwords.

CYFIRMA observed a data leak related to an Australia-based online platform for learning trading. The database contains 59,700 rows including first name, last name, email, passwords, and more.

CYFIRMA observed a data leak related to a New Zealand-based beverage manufacturer. The database contains 6,969 rows of user data including first name, last name, email, password and more.

CYFIRMA observed a data leak related to a New Zealand-based radio network provider. The database contains 2.5 million rows of user data including names, phone numbers and more.

HACKTIVIST

The Quantum of DDoS attacks increased globally after the start of the Russia-Ukraine war and Israel-Gaza conflict when pro-Russian, pro-Ukraine, and pro-Palestine hacktivists started targeting each other with DDoS campaigns and also started targeting alliance nations to show support to their respective country.

RipperSec is a Pro-Palestine hacktivist group that has conducted multiple DDoS attacks on an Australia-based organization.

The same group targeted a Financial services provider based in Australia.

Fighter Blackhat Cyber Crime, an Indonesia-based hacktivist group, has announced a cyberattack against Australia and Ukraine. They have declared OpsAustralia and OpsUkraine to show their support for Palestine.

A threat actor named “Fredens of Security” has claimed to have leaked a database associated with the Australian region

Another pro-Palestine hacktivist group “ShadowDefenders” has claimed to have leaked a database associated with the New Zealand region.

RANSOMWARE

Active Ransomware Groups

RansomHub ransomware is the most active group in Australia and has primarily targeted the Construction, Manufacturing, Hospitality, and Education sectors, affecting the largest % of victims at 13.25% among all targeted organizations.

Active Ransomware since 2021

Ransomware attacks in New Zealand have fluctuated dramatically between 2021 and 2024. In 2021, the country experienced a minimal number of such incidents. However, 2022 saw a steep rise in ransomware attacks. This surge was followed by a notable decline in 2023, only to see a sharp increase once again in 2024, highlighting the volatile nature of cyber threats during this period.

2023

2024 so far

Ransomware Activity Comparison

Observing the trends in victim numbers in Australia from 2023 until now shows somewhat significant growth during 2023, with a ramp-up in later months. The first three quarters of 2024 did not record many victims, most likely due to LockBit takedown.

This is in line with ransomware gangs expanding their focus from just the US and EU to the rest of the world, particularly Asia. Thanks to the affiliate Ransomware-as-a-Service programs, multi-lingual, global threat actors can deploy and execute some of the most dangerous ransomware like LockBit3.

The days of nearly exclusive Russian-speaking gangs solely targeting the US and EU are gone, and increasingly warming ties between Russia, China, and North Korea are showing in cybercrime and ransomware.

Since January 2024, ransomware incidents in Australia and New Zealand have highlighted a notable trend. Emerging groups like RansomHub, Sarcoma,  SafePay, and others are increasingly targeting Australian entities, surpassing the activity of well-established groups such as Akira, Play, and others. These new actors demonstrate heightened aggression, likely aiming to exploit vulnerabilities with innovative tactics. Their dominance signals a shift in the ransomware landscape, emphasizing the need for proactive measures against evolving threats in the region.

  • Manufacturing
  • Retail
  • Construction
  • Transportation
  • Education
  • Consumer Services
  • Business Services
  • Software
  • Healthcare
  • Hospitality
  • Real Estate
  • Finance
  • Insurance
  • Agriculture
  • Advertising
  • Metals & Mining

Looking at the industries of identifiable ransomware victims in Australia and New Zealand, we can observe a diverse range of affected industries ranging from education to manufacturing.

RANSOMWARE BY INDUSTRY– 2023 UNTIL NOW

Since the start of 2023, Professional & Consumer Goods & Services have been the most frequent victims of ransomware. This is due to a high number of small and medium-sized businesses, including small law or accounting firms.

RANSOMWARE BY INDUSTRY– 2023 & 2024 until now

Separating 2023 and 2024 we can see some movements. For example, the Finance industry fell from 8.5% to just a 5.0% share of all victims, and Real Estate & Construction jumped up to 8.7% from 7.0%.

RANSOMWARE – 2023 until Now

All Sectors

All Sectors

PHISHING

During the last 3 months period CYFIRMA’s advanced telemetry systems observed a total of 1,95,140 phishing campaigns.

This data represents the ASN-based origin of the phishing emails captured.

While the US remains the largest source by far, Southeast Asian countries are steadily growing as a source of Phishing attacks.

Australia ranked 13th overall.

Note: The US is the most targeted country by cybercrime and as a result, it also contains the most compromised devices used in botnets as proxies to deploy malware and send phishing around the world.

Narrowing down the selection of countries to the Asia-Pacific region we can have a more detailed view of the regional threat landscape.

Hong Kong stands out largely due to the fact it is commonly used by Chinese cyber criminals as a proxy to send phishing outside China. Similarly, Singapore is known for business-friendly hosting practices which also allow for malicious hosting as proxies. Furthermore, the good international reputation of Singapore allows attackers to bypass region-based IP blocking.

Looking at observed themes originating from Australia and New Zealand, the most prominent are Financial and Cloud Services, suggesting that local cybercrime is focused on local account takeovers. These accounts can be sold for a small price to be used for other malicious activities, such as spam or scams by more advanced threat actors.

These are generally considered low-hanging fruits using available info stealers malware sent by phishing as opposed to high-skill hacking. The high focus on financial themes implies that the main share of cybercriminals is financially motivated.

Drilling down into what specific brands are impersonated and in turn targeted by Australian-based campaigns, we see that Generic/Spear Phishing and Australia Post platforms are by far the most common.

We do observe a significant amount of Generic/Spear Phishing.

We can also see a lot of foreign brands, correlating with activities of advanced threat actors aiming abroad.

ASSET EXPOSURES & VULNERABILITIES

The Top 15 exposed IoT devices by vendors: Australia

Exposed IoT devices play a significant role in cyber attacks due to their often inadequate security features and widespread adoption across various sectors. These devices can serve as entry points or targets in larger network breaches, primarily because they frequently lack robust encryption, undergo infrequent updates, and have default or weak credentials that are easily exploited. Once compromised, IoT devices can be used to form botnets, enabling attackers to conduct DDoS (Distributed Denial of Service) attacks, data breaches, or surveillance. Their connectivity and access to larger networks also make them a valuable asset for attackers looking to move laterally within infrastructure, escalate privileges, or disrupt critical services. This vulnerability is exacerbated by the rapid expansion of IoT devices in homes, industries, and cities without corresponding advancements in their security frameworks.

ASSET EXPOSURES & VULNERABILITIES

Most Exploited vulnerabilities in the ANZ Region

Exploited Vulnerabilities Vendor Product
CVE-2021-26855 Microsoft Exchange Server (ProxyLogon)
CVE-2024-1709 ConnectWise ScreenConnect
CVE-2024-28995 SolarWinds SolarWinds Serv-U
CVE-2022-26134 Atlassian Confluence Server
CVE-2024-21887 Ivanti Ivanti Secure Connect and Policy Secure
CVE-2024-36401 Geoserver Geoserver
CVE-2023-20198 Cisco Cisco IOS XE
CVE-2023-4966 Citrix Citrix ADC and Citrix Gateway
CVE-2023-28771 Zyxel ZyXEL P660HN-T1A v1, ZyXEL P660HN-T1A v2, Billion 5200W-T
CVE-2024-43047 Qualcomm Multiple Chipsets
CVE-2023-6548 Citrix NetScaler ADC and Gateway
CVE-2023-20887 VMware  Aria Operations
CVE-2024-40711 Veeam Backup and Recovery
  • All the observed exploited vulnerabilities in the above list are also part of the CISA Known Exploited Vulnerability list.
  • As per CISA, the following vulnerabilities are exploited by Ransomware Groups as well: CVE-2024-1709, CVE-2023-4966, CVE-2022-26134, CVE-2018-13379, CVE-2021-44228, CVE-2018-10562