Government departments and agencies have been targeted by criminal gangs and possibly state-sponsored actors in a sustained cyber attack amid warnings that the nation is falling behind in the race against escalating digital threats.
Cyber security firm Mimecast has revealed details of the cyber attack in which Emotet malware was directed at public sector organisations more than 15,000 times over a four-day period last October in a concerted campaign to infect critical networks and retrieve sensitive information.
The attack was first flagged by the Australian Cyber Security Centre late last year, but Mimecast has revealed it was part of a broader effort spanning most of October and targeting not just government agencies but education institutions and the transport and storage sectors.
Details of which organisations were targeted and what, if any, information has been compromised, have not been released.
"Given the repeated nature of the threats and the resource and effort behind them, it is almost certain the threat actors involved represent an organised and determined criminal or state-sponsored threat," it said.
Revelations of the attacks follow the results of a survey showing more than a third of Australians are unwilling to provide personal information to the government because they don't trust it will be kept secure, posing a major challenge to Prime Minister Scott Morrison's drive to deliver more services online.
While there is no evidence that the malware attacks were successful, they have underlined the concerns of cyber security experts about the nation's vulnerability.
Mimecast Australia Principal Technical Consultant Garrett O'Hara said the country's strong links with both the United States and China, valuable intellectual property and well-off English-speaking population made it a "really, really important nation" for attackers.
Mr O'Hara said there was "so much to be proud of" in what Australia was doing on cyber security but admitted there was a lot of variation in the preparedness of organisations.
His concerns were echoed by leading cyber security expert Professor Greg Austin, who warned that departments and agencies were falling behind in the race against escalating digital threats.
Professor Austin, of the University of New South Wales' Australian Centre for Cyber Security, said that although central government agencies were working to improve cyber security "across the board", their efforts were being undermined by significant underinvestment in education.
He said the interconnectedness of modern society meant cyber security had to be a collective effort supported by widespread capability.
As an example, Professor Austin cited My Health Record. While data security arrangements at the central agency might be adequate, "we just have to ask ourselves, what are the information security talents of people in the average doctor's surgery?"
He said there were "huge resourcing holes" in the government's approach.
In 2016, the government committed $1.9 million over four years to promote cyber security education, which Professor Austin said was "barely a drop in the ocean".
He warned the government's approach was leaving the nation vulnerable.
"The government prefers to find the slick marketing slogans that can somehow wish this away, but at the end of the day they can't control the security environment of a lot of government services ... because the cyber defences in general aren't watertight," Professor Austin said.
"In an environment of relatively slow reform in most government departments and an environment of escalating threats and attacks, Australia, like most countries, remains more vulnerable than we would like."