ASD’s Annual Cyber Threat Report reveals top cyber threats for Australian businesses

Jennifer Clancy - Bellrock Advisory


According to the Australian Signals Directorate’s latest Annual Cyber Threat Report, cyber threats surged in 2024–25, with state-sponsored actors and increasingly sophisticated cybercriminals driving a sharp rise in attacks on Australian businesses.

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is the Australian Government’s technical authority on cyber security.

Their latest report highlights the growth in state-sponsored threats targeting government, critical infrastructure, and businesses, aiming to steal sensitive information and disrupt essential services. During FY2024–25, ASD’s ACSC notified entities more than 1,700 times of potentially malicious cyber activity – an 83% increase from last year.

Cybercriminals continue to target Australian businesses through ransomware attacks and stolen credentials harvested through malware. Artificial Intelligence (AI) has further enabled malicious cyber actors to execute attacks on a larger scale and at a faster rate.

Key statistics from the ASD report include:

  • A total of 84,700 cybercrime reports were received. That’s one report every 6 minutes, consistent with last year.
  • Ransomware accounted for 11% of all cyber incidents, with 35% of ransomware victims having their data posted online.
  • Identity fraud remains the top reported cybercrime threat, up by 8%.
  • Publicly reported common vulnerabilities and exposures increased by 28%.
  • The average self-reported cost of cybercrime per report for individuals is $33,000 (up by 8%).
  • The average self-reported cost of cybercrime for businesses continues to rise:
    • small business: $56,600 (an increase of 14%)
    • medium business: $97,200 (an increase of 55%)
    • large business: $202,700 (an increase of 219%)
  • The top 3 self-reported cybercrime threats for business are:
    • Email compromise resulting in no financial loss, which accounted for 19% of the total cybercrime reports received.
    • Business Email Compromise (BEC) fraud resulting in financial loss, which made up 15% of the total cybercrime reports received.
    • Identity fraud made up 11% of the total cybercrime reports received.

Critical infrastructure targeted

Cybercriminals continue to opportunistically target Critical Infrastructure (CI) operators, drawn by the sensitivity of the data they hold and the essential nature of their services. ASD’s ACSC issued over 190 notifications of potential malicious cyber activity to CI entities, an increase of 111% from the previous year.

The three most targeted types of critical infrastructure were:

  • Financial and insurance services (32%)
  • Transport, postal and warehousing (26%)
  • Information media and telecommunications (16%)

Bellrock continues to observe cyber attacks focused on the following sectors:

  • Healthcare: Targeted for sensitive patient data, with ransomware attacks causing service outages and delays in care.
  • Education: Schools and universities faced data breaches and ransomware attacks, disrupting learning and exposing student records.
  • Logistics and Transport: Attacks on supply chain systems led to operational delays and financial losses.
  • Government and Critical Infrastructure: State-sponsored actors targeted networks for espionage and potential disruption, particularly in energy, water, and telecommunications.
  • Professional Services: Law firms and accounting practices continue to be hit with Business Email Compromise (BEC) and ransomware, exploiting their access to client data and financial systems.

The rise of commercial cybercrime

Cybercriminals continue to pursue credential theft, purchasing stolen usernames and passwords from the dark web.

The ASD notes that home routers are often targeted, leaving businesses exposed as employees may be working from home. Once credentials are harvested, unauthorised access appears legitimate, making detection and response significantly more challenging.

Ransomware remains the most profitable form of cybercrime, with attackers targeting systems for financial gain through multi-layered extortion. These tactics involve encrypting victims’ networks while simultaneously exfiltrating data and threatening to publish it if ransom demands are not met.

Cybercrime marketplaces now offer a range of infostealer malware: tools designed to infect devices and steal sensitive data like passwords, credit card details, crypto wallets, and browser information. The commercialisation of these offerings has lowered the technical barrier to entry, enabling threat actors to operate at scale and monetise stolen data quickly.

Cyber incident reporting

Businesses are encouraged to report suspicious cyber activity to the ASD. Earlier this year, in May, the Australian Government introduced a mandatory ransomware reporting regime for businesses with turnovers of $3 million or more, and for entities responsible for Critical Infrastructure (for more information see our article here). In November 2024, the Australian Government passed the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, which legislates a ‘limited use’ obligation for ASD’s ACSC. This limited use provision is designed to bolster the free flow of information by ensuring that information provided about a cyber incident cannot be used for regulatory enforcement purposes.

Many cyber incidents remain preventable through the adoption of basic cyber hygiene practices. The ASD recommends several mitigation strategies, the most effective of which is the Essential Eight.

You can access the full Annual Cyber Threat Report here.

Speak to a Bellrock advisor regarding how to better protect and prepare for cyber risks.
