19 July 2016
Undeniable and Unrelenting—The Cybercrime Threat to Australia
Australian Criminal Intelligence Commission CEO Chris Dawson APM
Thank you for providing me with the opportunity to address this important congress. As we’ve heard today, there are substantial ongoing efforts to ensure the protection of Australia’s national security and public safety. It is encouraging to me, as I am sure it is to all Australians, to know the contributions you are all making to keep our nation safe. I’m going to be talking about a particular serious and organised crime that poses a high threat to Australia—cybercrime. Cybercrime continues to grow and is constantly adopting new technologies and methodologies to undertake illegal activities. I’ll also be discussing how the Australian Criminal Intelligence Commission is ensuring Australia is prepared for these cybercrime threats. As crime becomes ever more diversified, sophisticated and complex, we must find more innovative ways of identifying and preventing such criminal activity. I’ll outline the three key cybercrime threats to Australia, its connection with national security, and how the Australian Criminal Intelligence Commission is working to disrupt these cybercriminals.
The Australian Criminal Intelligence Commission
Serious and organised crime is expanding its reach globally and injecting itself into new markets—both legitimate and illegitimate—in order to increase opportunities to generate illicit wealth. It works to conceal unlawfully derived profits, seeking to intermingle those funds with legitimately earned money. In addition to the cost of law enforcement efforts, there are also costs associated with managing social harms, and the loss of legitimate business and taxation revenue. Serious and organised crime also compromises the health, safety and wellbeing of individuals and communities. The presence of crime and its impact on the community is pervasive and it’s essential that law enforcement and partners work together to ensure our activities are well coordinated and cohesive powers.
On 1 July, the Australian Criminal Intelligence Commission was formed following the merger of the Australian Crime Commission and CrimTrac. Our new agency will strengthen the ability to respond to crime affecting Australia. Through our investigative, research and information delivery services, we will work with law enforcement partners to improve the ability to stop criminals exploiting emerging opportunities and perceived gaps in law enforcement information.
Our vision is to create a safer Australia that is better connected, informed and capable of responding to crime and criminal justice issues. We will do this through an improved national ability to discover, understand and respond to current and emerging crime threats and criminal justice issues, including the ability to connect police and law enforcement to essential policing knowledge and information.
Our new agency is governed by a Board under the Australian Crime Commission Act 2002. We have a very potent intelligence collection capability in the form of our coercive powers—essentially being able to compel an individual, corporation or Commonwealth Government agency to produce documents or other information. We also have a range of other collection capabilities, including human source, telephone and data intercept, technical and physical surveillance and cyber forensics. These capabilities provide us with the means to access a broad range of information and data from across the public and private sectors. We then exploit this information through the application of advanced analytical tools to find out more about the known criminals and to discover criminal activity that has previously been concealed from law enforcement.
Impact of cybercrime
Organised crime is expanding its reach and injecting itself into new markets. One of these markets is the global cybercrime market. Like the broader cyber security threat to Australia, cybercrime is undeniable and unrelenting. It is committed by dedicated transnational cybercriminals who will undertake any activity to make a profit. We describe cybercrime as a crime involving an intrusion on a computer, system or network. It is predominantly financially motivated. The internet, computers and mobile devices are an integral part of everyday life and cybercriminals have seized the opportunity to exploit Australian victims.
Cybercrime impacting Australia continues to grow. The ACIC has estimated the cost of cybercrime to Australia in the 2013–14 financial year to be at least $1.1 billion. But we consider that to be an underestimate. Cybercrime not only costs Australia by diverting funds from the legitimate economy to the illegitimate economy, it also causes damage to individual Australians, including damage to personal identity and reputation, loss of business or employment opportunities and impact on emotional and psychological wellbeing.
Cybercriminals based offshore are reaching into Australia’s homes and personal lives from a distance. These criminals invade Australian lives by interjecting themselves into the everyday online business of Australians. These are things that are now simply a way of life for all of us—the place where we do our banking, read the newspaper, share photos on social media, do our shopping, and email our friends and family.
Global cybercrime economy
We are always finding out more about these cybercriminals and how they do their business. Financially-motivated criminals inflicting cybercrime on Australia are predominantly based offshore and operate across jurisdictions. They are adaptable, resilient and sophisticated. We see similarities in the offenders behind high-profile cybercrimes that have impacted Australia and other English-speaking countries. The cybercriminals are usually based in Russia or Eastern Europe. For example, pictured here are key players in the SpyEye and Zeus campaigns. These are all types of credential harvesting malware that have affected many Australian victims over recent years. They identify themselves using pseudonyms or user names. They are masters of anonymous communication and network access which they use to mask their activities.
We know that cybercrime mirrors aspects of traditional organised crime structures. Cybercrime uses structured enterprises operating within a global cybercrime economy. This global cybercrime economy provides a low-risk environment for the criminals where they conceal their identities, trading their goods and services in online cybercriminal underground forums. The types of goods and services marketed on these forums include the required infrastructure; delivery mechanisms; coding, anti-virus checking and communication services; cashout and money transfer services. Helpdesk services are also available, providing 24 hour support for those undertaking cybercrime activities.
Three cybercrime threats to Australia
Focussing in on the cybercrime threat landscape, the latest intelligence assessments have found that cybercrime remains a pervasive threat to Australia’s national interests. The three key cybercrime threats are: credential harvesting malware, ransomware and DDoS extortion. Credential harvesting malware is designed to harvest a user’s credentials when they are logging onto a website. This is done completely covertly with the victim being unaware their credentials are being stolen. The malware that facilitates this harvesting is usually delivered to a victim’s computer or device via an email with a malicious attachment.
There are many different types of credential harvesting malware deployed by cybercriminals. Dyre and Dridex are types that targeted Australian victims during 2015. Dyre targeted financial institutions in predominantly English-speaking countries, with over 200 banks worldwide targeted including at least 26 in Australia. The countries hardest hit by Dridex were the USA, UK and Australia. The FBI estimates at least $US10 million was lost in the USA due to Dridex.
Ransomware is a type of malware that facilitates extortion. Like the majority of credential harvesting malware that we see, it usually infects a victim’s computer following the victim opening a malicious email attachment. Following infection, ransomware locks a computer’s content and displays a message requiring victims pay a ransom to obtain a decryption key that will supposedly allow them to regain access.
The emails delivering ransomware to Australian victims use the branding of trusted and well-known Australian corporations as part of their social engineering techniques. Ransomware is most damaging when it targets businesses, infrastructure and governments but it also has financial and psychological impacts on the community. As you can see, ransomware is the threat of most concern amongst respondents to the 2015 Australian Cyber Security Centre: Cyber Security Survey of Major Australian Businesses.
Also of particular concern are the recent ransomware incidents in the USA where the operation of hospitals was disrupted because of ransomware. Picture this scenario: it’s the middle of the night and you are rushing a loved one to the hospital. You run into the emergency department, but the computers are down. You are told the best way for your loved one to receive care is to get back in the car and go to another hospital. This is not a ‘what if’ scenario – this happened in the USA earlier this year.
In February and March, at least 12 hospitals in the USA had their operations disrupted because of ransomware and patients had to be transported to other hospitals. Computers essential for functions such as pharmacy needs and CT scans were offline. It was also reported that ransomware was beginning to target universities and police stations.
Imagine the potential impacts for Australians if these services were disrupted because of ransomware. And it’s not just essential services—imagine the impact of major infrastructure being affected, for example ports and airports. The potential ramifications are serious, costly and dangerous.
Like ransomware, DDoS extortion also demands the payment of a fee. However, DDoS extortion usually occurs without any compromise on the computer. It is the threat of the compromise that the cybercriminals use to make their money. DDoS or ‘distributed denial of service’ describes an activity where hackers deny customers service on a website by directing large volumes of traffic to the site until it collapses. DDoS extortion involves a victim receiving an email which threatens DDoS activity unless a ransom is paid. Organisations are worried about DDoS because if their website is disrupted, it means clients cannot do business with the site. This is an example of a DDoS extortion email. The last sentence of the email seems to sum up their threat. It says ‘We do bad things, but we keep our word’. We have concerns that if DDoS extortion was targeted at a specific sector—for example, repeated attempts against the same large corporate entities, or several large corporate entities across a specific type of industry—Australia’s confidence in the online environment could be undermined.
National security and cybercrime
National security and cybercrime should no longer be considered in isolation as high-end organised criminality is increasingly intermingled with broader national security threats. Transnational serious and organised cybercrime actors, specifically those who develop, share, sell and use sophisticated tools and techniques to access networks and systems impacting Australia’s interests, are of serious concern to government agencies.
Cybercrime and other cyber security threats involve similar technical methodologies and are increasingly difficult to differentiate. For example, foreign state-sponsored adversaries are using malicious software typically used for financially motivated cybercrime to mask their identities and activities.
One of the challenges faced by law enforcement and intelligence agencies is detecting this constantly evolving threat activity and its motivation—whether the actors behind the cyber intrusions are financially motivated cybercriminals or state sponsored adversaries. Some examples of this crossover include these individuals who were involved in organisations with ties to the Government of Iran that launched DDoS activity against the websites of US financial institutions.
As they were targeting US financial institutions there was commentary as to whether this was just another case of cybercrime or something different. Sometimes cybercriminals will use DDoS activity to distract from their other activities in order to delay responses. From December 2011 to August 2013, the men affected customers’ access to online banking services and one repeatedly
Another example is GameOver Zeus, a type of credential harvesting malware. I must emphasise that the individual pictured here is the most wanted in regards to GameOver Zeus which was predominantly used for financially motivated cybercrime. In June 2014, approximately 1 million computers worldwide were thought to be infected, causing an estimated loss of $US100 million. The Australian Federal Police assisted in operational activity, led by the FBI, which resulted in the takedown of GameOver Zeus infrastructure. While GameOver Zeus was designed for financially motivated cybercrime there have been some reports that it had been used for a different purpose—cyber espionage. One instance focused on Georgia and Turkey.
The information identified that GameOver Zeus botnets were being used to facilitate search queries within these countries including specific searches for documents with certain levels of government classification, details of specific government intelligence agency employees and information about politically sensitive issues in that region. The information also said that following political changes in Ukraine, one botnet—which had previously been used for financially motivated cybercrime—was used for a large amount of infections in Ukraine where attempting to gain access to politically sensitive information appeared to be the motivation.
Australia’s preparedness for cybercrime
Cybercrime exploits the ability to operate internationally, and similar to most serious and organised crime activities, countering the threat requires a global collaborative approach across the private sector, law enforcement agencies, and intelligence agencies—both domestically and internationally. The ever-changing criminal and technological landscape requires advancements in law enforcement information and intelligence sharing arrangements to combat crime.
We recognise the global nature of crime and are expanding our international footprint to complement and work in collaboration with the international networks of domestic partners including the AFP. An important part of strengthening and expanding our international reach is through our role in the Five Eyes Law Enforcement Group, which consists of heads of major law enforcement agencies from the United States, United Kingdom, Canada, New Zealand and Australia.
The group’s principal focus is to create a collective, collaborative and unified ‘Five Eyes’ approach to the threat and harm of serious and organised crime of mutual interest. As part of this we are involved in working groups which look at different crime types, including cybercrime. Through these working groups we exchange information and intelligence to create a picture of current and emerging threats and risks by leveraging country or inter-agency expertise, information and tools to create a hostile environment for organised crime.
I recently appointed a senior executive officer with responsibility for our operational strategy with a focus on national and international engagement. The key focus of this work is on collaboration. Through our international and national collaboration we continue to build a richer national picture of cybercrime. We share intelligence products, participate in joint operations and investigations and work to disrupt criminal behaviour and criminal entities.
We also have analysts deployed to the FBI’s International Cyber Crime Coordination Cell in Virginia, USA. Our growing connection with international agencies ensures we receive the international support needed to bring cyber criminals to justice and deter others from doing business in Australia. Also of vital importance is our involvement in the Australian Cyber Security Centre or ACSC.
You have heard from Clive Lines, the coordinator of the ACSC earlier today. The Australian Criminal Intelligence Commission is proud to be contributing to this Government initiative, established to ensure that Australian networks are among the hardest in the world to compromise. We are also part of the Australian Cybercrime Online Reporting Network (ACORN) which is a national policing initiative of the Commonwealth, State and Territory governments established in November 2014.
It allows the public to easily report instances of cybercrime. It also provides advice to help people recognise and avoid common types of cybercrime. By understanding the enablers of cybercrime, law enforcement and government agencies can work together to make it harder and less profitable to commit cybercrime.
Through reports submitted to the ACORN by the public, we will develop an enhanced understanding of how cyber criminals are targeting Australians. The community, through reporting cybercrime via ACORN, can also contribute to the collaborative effort of combating cybercrime. As of 30 June 2016, ACORN has received more than 66,000 reports, of which online scams and fraud make up 49 per cent. Within this, the key types of fraud being reported are online purchase and sales, contributing 21 per cent.
Breaking the business model of cyber criminals requires a focused, joined up effort. We need to disrupt and deny cyber criminals within Australia through an end-to-end approach with partner agencies including the AFP and CERT Australia, as well as state and territory agencies. The Cyber Security Review, led by the Department of the Prime Minister and Cabinet, found that cybercrime is costing the Australian economy up to $1 billion annually in direct costs alone, with conservative estimates of around $17 billion per year overall.
In response to this the Australian Cyber Security Strategy was developed with over 190 organisations. Released in April 2016, it allocates $230 million to enable innovation, growth and prosperity. The strategy focuses on five key themes—a national cyber partnership, strong cyber defences, global responsibility and influence, growth and innovation and a cyber smart nation.
As part of the strategy, we have received $16 million over four years to expand our cybercrime intelligence capability both within our agency and as part of our role with the Australian Cyber Security Centre. This will equate to 25 additional personnel. The funding we have received is reflective of the critical, enduring nature of the cybercrime threat, which will only grow over the coming years.
My vision for a safer Australia is one that is better connected, informed and capable of responding to cybercrime. This will only happen if Australian government agencies and law enforcement continue to work together with industry, business and international partners to fill in the gaps of our global understanding of cybercrime.
The establishment of the Australian Criminal Intelligence Commission provides an opportunity for a comprehensive national picture of crime and national security threats in Australia. It also provides police with more accurate and up-to-date information when engaging with members of the public. This leverages the strength of each agency to improve the collective response to crime. The more we can do to strengthen our capacity, the faster our partners will be able to prevent, detect and disrupt significant criminal threats.
It also helps us to target resources to counter the greatest harms and emerging trends, to ensure serious and organised crime does not become entrenched in, and undermine the integrity of, our economy and community, government, criminal justice system and commercial enterprises.