Best of E30 - A Five Eyes Intelligence Agency Shows Its Cards
Posted on December 3, 2024 • 8 min read • 1,628 words
Originally published December 3, 2024
What You Need to Know
The Australian Signals Directorate — Australia’s equivalent of the NSA — published its Annual Cyber Threat Report covering August 2023 through July 2024. This isn’t a vendor report selling a product. It’s a signals intelligence agency disclosing what it sees across an entire nation’s threat landscape.
The numbers are staggering: over 36,700 calls to the Cyber Security Hotline (up 12%), 1,100+ cyber security incidents responded to, 82 million malicious domains blocked (up 21%), and 365 high-priority operational taskings completed — up 250% from the prior year.
When a Five Eyes intelligence agency reports a 250% increase in high-priority operations, it means the threat tempo has fundamentally shifted. This isn’t vendor marketing. It’s a government telling its citizens and businesses that the situation is escalating.
The Operational Scale
ASD’s operational data provides a rare window into the volume of cyber threats at a national level:
| Metric | Value | Trend |
|---|---|---|
| Hotline calls | 36,700+ | Up 12% |
| Incidents responded to | 1,100+ | — |
| Critical infrastructure incidents | 11% of total | Key focus area |
| Entities notified of threats | 930 | Proactive outreach |
| Malicious domains blocked | 82 million | Up 21% |
| Domain removal requests | 189,000+ | Up 49% |
| Indicators of compromise shared | 1,372,400 | Shared across ecosystem |
| Reports distributed | 6,400 to 2,000 organizations | — |
| High-priority taskings | 365 | Up 250% |
The 250% surge in high-priority taskings is the standout metric. These aren’t routine monitoring activities — they’re operations significant enough to demand dedicated intelligence resources. A 250% increase in a single year reflects a threat environment that has crossed from elevated to acute.
The 82 million blocked domains (up 21%) and 189,000 removal requests (up 49%) quantify the scale of malicious infrastructure that a nation-state defender is contending with. These numbers dwarf what any single organization sees — they represent the attack surface across an entire national economy.
INTEL [GLOBAL THREAT]: ASD’s 250% increase in high-priority operational taskings signals a step-change in threat tempo at the national level. When a Five Eyes intelligence agency escalates operations at this rate, the underlying threat activity is significant. Organizations should align their threat assumptions with government assessments, not just vendor reports.
The Cost of Cybercrime: By Business Size
ASD provides something most threat reports don’t — actual cybercrime cost data segmented by business size:
| Business Size | Average Cost | Trend |
|---|---|---|
| Small business | $49,600 | Up 8% |
| Medium business | $62,800 | Down 35% |
| Large business | $63,600 | Down 11% |
| Overall | — | Down 8% |
The small business figure deserves attention: costs are rising for the organizations least able to absorb them. While medium and large businesses saw decreases — likely reflecting improved security investments and cyber insurance — small businesses saw an 8% increase to nearly $50,000 per incident.
This aligns with every major report in the Best of collection: the Verizon DBIR showed SMBs absorb 4x more attacks with 88% ransomware rates. The WEF found 35% of small organizations have insufficient resilience. Forescout’s 95% default credential finding hits SMBs hardest. The cost data from ASD makes it concrete — this is what it actually costs.
For boards and executives, these numbers enable risk quantification. When your risk committee asks “what does a cyber incident cost us?” — this is government-verified data, not a vendor estimate.
Top Business Cybercrimes
ASD’s data reveals the crimes that hit businesses most frequently:
| Crime Type | Share |
|---|---|
| Email compromise (no financial loss) | 20% |
| Online banking fraud | 13% |
| Business email compromise (with financial loss) | 13% |
The fact that email compromise leads at 20% — even without direct financial loss — reflects the role email plays as the gateway to larger attacks. A compromised email account doesn’t always result in immediate fraud, but it provides attackers with reconnaissance data, credential harvesting opportunities, and a trusted platform for phishing internal targets.
Business email compromise (BEC) with financial loss at 13% remains one of the most lucrative cybercrime categories globally. The FBI’s IC3 report consistently ranks BEC as the highest-loss crime type. ASD’s data confirms this pattern extends beyond the US.
INTEL [INDUSTRY PATTERN]: Email compromise accounts for 33% of top business cybercrimes (20% without financial loss + 13% BEC with loss). Organizations should treat email security as their highest-ROI investment — implementing DMARC enforcement, phishing-resistant MFA for email access, and monitoring for impossible travel and anomalous forwarding rules.
Nation-State Threats: PRC Pre-Positioning and Russian Adaptation
ASD’s nation-state assessment confirms two critical patterns:
People’s Republic of China (PRC): Chinese state-sponsored actors are using “living off the land” techniques for pre-positioning in critical infrastructure networks. This means they’re not deploying malware — they’re using legitimate tools already present in the environment to establish persistent access that can be activated during a future conflict.
This is the same pattern CrowdStrike documented (79% malware-free, China up 150%), Mandiant confirmed (living-off-the-land pervasive), and Forescout quantified (48% state-sponsored). When multiple independent sources — vendors and intelligence agencies — converge on the same finding, it’s not an assessment. It’s a fact.
The “pre-positioning” language is deliberate. ASD isn’t describing espionage or data theft. It’s describing preparation for potential disruption — adversaries embedding themselves in infrastructure so they can act if geopolitical conditions warrant it.
Russia: Russian state-sponsored actors are adapting techniques to include cloud platform exploitation. As organizations migrate to cloud, Russian threat actors are following — targeting cloud identity systems, exploiting misconfigurations, and leveraging the trust relationships between on-premises and cloud environments.
INTEL [THREAT ALERT]: ASD confirms PRC actors are pre-positioning in critical infrastructure using living-off-the-land techniques — consistent with CrowdStrike, Mandiant, and Forescout findings. This is a Five Eyes intelligence assessment, not a vendor claim. Organizations in critical sectors should conduct threat hunts for legitimate tool abuse, review cloud identity configurations, and assume that persistent access may already exist in environments they haven’t actively searched.
Critical Infrastructure: 11% and Growing
11% of incidents ASD responded to involved critical infrastructure — energy, water, healthcare, transportation, telecommunications. Combined with Forescout’s 668% increase in critical infrastructure attacks since 2022, the picture is clear: critical infrastructure is an escalating target across every dataset.
ASD’s 930 proactive notifications to entities about potential malicious activity suggest the agency is seeing threats that organizations themselves have not detected — confirming the detection gap that Mandiant documented (57% of breaches found externally) and the WEF flagged (35% of small organizations have insufficient resilience).
The Intelligence Sharing Model
ASD’s operational numbers reveal an intelligence-sharing ecosystem at scale:
- 1,372,400 indicators of compromise shared with partners
- 6,400 reports distributed to 2,000 organizations
- 930 entities proactively notified of threats
This is what national-level cyber defense looks like in practice — an intelligence agency functioning as a force multiplier for the private sector. The 1.37 million IOCs shared represent a massive contribution to collective defense.
For organizations outside Australia, the parallel resources are CISA (US), NCSC (UK), BSI (Germany), and ANSSI (France). The ASD report is a reminder that these national resources exist and produce actionable intelligence that most organizations aren’t consuming.
What Organizations Should Actually Do
The ASD report points to five priorities:
Invest in cyber security teams — ASD’s core recommendation is that organizations must “prioritize and invest in cyber security skills, resources, and teams.” This aligns with the WEF’s finding that the skills gap widened 8%. There’s no substitute for people.
Consume national intelligence feeds — 1.37 million IOCs are being shared. If you’re not consuming intelligence from your national cyber agency (CISA, NCSC, ASD, BSI, ANSSI), you’re leaving free threat intelligence on the table.
Quantify your risk with government data — Use ASD’s cost-per-incident data ($49,600-$63,600) for risk quantification conversations with your board. Government data carries more weight than vendor estimates in boardroom discussions.
Hunt for pre-positioning — PRC living-off-the-land in critical infrastructure is confirmed by a Five Eyes agency. Conduct threat hunts focused on legitimate tool abuse, anomalous administrative activity, and persistent access in networks that haven’t been actively searched.
Harden email — 33% of top business cybercrimes involve email. Implement DMARC enforcement, deploy phishing-resistant MFA for email accounts, and monitor for forwarding rule changes and impossible travel patterns.
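The two monitoring controls named above (impossible travel and anomalous forwarding rules) can be reduced to simple detection logic. The block below is an added example, not code from the ASD report or this newsletter; the sign-in and inbox-rule events are constructed, and the 900 km/h speed threshold, the field names, and the internal domain are assumptions.

```python
import math
from datetime import datetime

# Constructed sample events (not from the ASD report): geo-resolved sign-ins
# and mailbox-rule audit entries, in a simplified, assumed field layout.
SIGNINS = [
    {"user": "alice", "ts": "2024-05-01T08:00:00", "lat": -33.87, "lon": 151.21},  # Sydney
    {"user": "alice", "ts": "2024-05-01T09:30:00", "lat": 55.75, "lon": 37.62},    # Moscow
    {"user": "bob", "ts": "2024-05-01T08:00:00", "lat": -33.87, "lon": 151.21},    # Sydney
    {"user": "bob", "ts": "2024-05-01T10:00:00", "lat": -37.81, "lon": 144.96},    # Melbourne
]
RULE_EVENTS = [
    {"user": "alice", "op": "New-InboxRule", "forward_to": "drop@example.net", "delete": True},
    {"user": "bob", "op": "New-InboxRule", "forward_to": "bob.alt@corp.example", "delete": False},
    {"user": "bob", "op": "Set-Mailbox", "forward_to": "", "delete": False},
]
INTERNAL_DOMAIN = "corp.example"   # assumed organisation domain
MAX_SPEED_KMH = 900.0              # assumed: faster than a commercial flight

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_SPEED_KMH):
    """Return (user, implied_kmh) for consecutive sign-ins implying travel above max_kmh."""
    flagged, last = [], {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        prev = last.get(e["user"])
        if prev:
            hours = (datetime.fromisoformat(e["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > max_kmh:
                flagged.append((e["user"], round(km / hours)))
        last[e["user"]] = e
    return flagged

def suspicious_forwarding(events, internal_domain=INTERNAL_DOMAIN):
    """Flag new inbox rules forwarding outside the org; note whether they also delete the original."""
    flagged = []
    for e in events:
        if e["op"] != "New-InboxRule" or "@" not in e.get("forward_to", ""):
            continue
        domain = e["forward_to"].rsplit("@", 1)[1].lower()
        if domain != internal_domain:
            flagged.append((e["user"], domain, bool(e.get("delete"))))
    return flagged
```

Only alice is flagged on both checks: Sydney to Moscow in 90 minutes implies roughly 9,700 km/h, and her new rule forwards externally and deletes the original.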
What We’re Watching
High-priority tasking trajectory. 250% increase in a single year. If this pace continues, national cyber agencies may be forced to triage more aggressively — meaning lower-priority threats get less attention precisely when the threat landscape is expanding.
PRC pre-positioning scope. ASD, CISA, and Five Eyes partners all confirm pre-positioning in critical infrastructure. The question is no longer whether it’s happening — it’s how extensive the access already is.
SMB cost escalation. Small business cybercrime costs rising 8% while medium and large business costs decline. The cost burden is shifting to the organizations least equipped to handle it.
National intelligence consumption gap. 1.37 million IOCs shared, 6,400 reports distributed — but how many organizations are actually consuming and operationalizing this intelligence? The supply exists. The demand-side gap is the bottleneck.
The Bottom Line
The Australian Signals Directorate’s Annual Cyber Threat Report carries a weight that vendor reports cannot. This is a Five Eyes intelligence agency — one of the most capable signals intelligence organizations in the world — showing its cards about what it sees across an entire national threat landscape.
36,700 hotline calls. 1,100 incidents. 82 million malicious domains blocked. 365 high-priority taskings — up 250%. PRC pre-positioning confirmed. Small business costs rising while everyone else’s decline.
The report’s most important contribution isn’t any single finding. It’s the convergence. When a national intelligence agency’s data aligns precisely with what CrowdStrike, Mandiant, Forescout, and the WEF are reporting — pre-positioning, living-off-the-land, critical infrastructure targeting, SMB vulnerability — the signal is unambiguous.
The threat landscape isn’t just escalating. It’s escalating fast enough that a Five Eyes agency had to triple its operational tempo to keep pace.
Find all editions: FIR Risk Tuesday
All newsletters and source materials: FIR Risk Intelligence on GitHub