Cyber Threats 2022: A Year in Retrospect - An Australian dispatch

As the complexity of the global cyber threat environment continues to evolve, Australia remains an attractive target for threat actors of all ilk. In particular, espionage, ransomware and attacks on critical infrastructure continue to present significant threats to Australian organisations and institutions.

PwC’s Cyber Threats 2022: A Year in Retrospect report (the report), produced annually by PwC’s Global Threat Intelligence (GTI) team, provides key insights into the motivations and methods of cyber threat actors globally, both state and non-state sponsored. It reiterates that, as cyber threats become more dynamic and persistent, the attack vectors used by threat actors continue to grow in sophistication. Their motivations, however, remain unchanged - they want information, money and disruption.

Our Global Year in Retrospect

Get the latest global insights on threat actors, trends, tools and motivations throughout the cyber threat landscape.

Cyber Threat Updates

Protect your business from cyber threats with the latest trends and insights.

Espionage and foreign interference

As the report highlights, state-sponsored cyber espionage was a key threat to Australian institutions and organisations in 2022. In particular, the report explores sophisticated phishing campaigns focused on last year’s federal election, which were aimed at gaining access to targets’ systems. This observations aligns with statements made by Australia’s Director-General of Security Mike Burgess, who in his 2023 Annual Threat Assessment said: “Australia is facing an unprecedented challenge from espionage and foreign interference and I’m not convinced we, as a nation, fully appreciate the damage it inflicts on Australia’s security, democracy, sovereignty, economy and social fabric”.

In 2022, PwC and Proofpoint analysed the espionage-motivated ScanBox campaign, a web reconnaissance and exploitation framework unique to regional threat actors, which had  a specific focus on Australian government and media entities and companies and countries with equities in the South China Sea. The GTI team attributed the cyber spy attacks to advanced persistent threat (APT) actor Red Ladon, which transposed verbatim headlines about Australia’s May 2022 election from a UK-based news organisation onto a Red Ladon-controlled website impersonating an Australian media outlet. The threat actor would frequently pose as an employee of the fictional media publication, Australian Morning News, providing a URL to the malicious domain and soliciting targets to view its website, ultimately enabling victim-system exploitation.  

In 2022, APTs like Red Ladon continued to conform to previously observed targeting patterns, despite continued international efforts to economically isolate the jurisdictions from which they operate. However, some threat actors made significant advancements in their operations. 


In 2022, there were 2,462 total global victims posted to ransomware leak sites tracked by the GTI team, slightly fewer compared to the 2,471 posted in 2021 but almost double the 1,330 posted in 2020. Domestically, the top targets were professional services organisations, healthcare and construction. The report observes this may represent a ‘high water mark’ for ransomware activity, with 2022 presenting a challenging year for the ransomware ecosystem. This was largely the result of the Russian war in Ukraine, which saw a splintering of ransomware groups on ideological grounds as well as Russian army conscription reducing the number of active ransomware criminals. Other causal factors included law enforcement actions against ransomware threat actors and cryptocurrency volatility. 

But while the environment was tougher, ransomware criminals were more brazen in their attempts to extort victims and recruit insiders, a trend predicted to continue as ransomware groups continue to compete for resources and respond to increased cyber organisational defences. Further, this has driven the growing professionalisation of ransomware, with several groups beefing up their Ransomware-as-a-Service (RaaS) programmes in 2022, indicating the oversaturated threat landscape has prompted threat actors to diversify to outmanoeuvre competitors. 

As organisations continue to become more cyber savvy, exploiting systems has become more difficult for cyber criminals. In turn, demand has risen for multi-factor authentication (MFA) bypass capabilities like MFA fatigue tactics, modified credential stealers and enhanced Phishing-as-a-Service (PHaaS) offerings. This is a trend likely to continue.

Critical Infrastructure

While threat actors have targeted telecommunications providers for a number of years, the report’s 2022 insights are sobering. The GTI team observed an increased focus on telecommunications exploitation by several threat actors, with supply chain targets and high technology compromises in the frame. As noted in the report, the implications of telecommunications intrusions cannot be overstated: these activities undermine secure communications crossing countries, businesses and governments and threaten diplomatic, societal and business norms around the world.

Critical infrastructure concerns were heightened by Russia’s invasion of Ukraine, with many fearing major spillover of cyber activity outside of the conflict zone, as seen with NotPetya in 2017. However, this did not materialise, with Russia-based threat actors focusing disruption operations on the immediate conflict zone, with few exceptions impacting entities outside of Ukraine.

For critical infrastructure operators, it is important to note that more threat actors are targeting cloud environments, likely in response to organisations increasingly integrating technology, preying on vulnerabilities or misconfigurations to unlock troves of data. Furthermore, the report anticipates that in 2023, the threat landscape will be dominated by the targeting of identity and privileged access capabilities, as a broad range of threat actors continue to evolve and employ tactics, techniques and procedures to bypass security mechanisms and compromise supply chains. More prolific espionage motivated threat actors will increasingly target supply chains as well as identify and leverage zero-days for access operations.

How we can help

PwC offers a range of services for clients wanting to increase their security resilience to ensure that the security challenges of 2022 don’t become business problems now, or in the future. These include:

Ransomware Readiness Assessments

To protect trust, and your business, you must first be resilient. The Ransomware Readiness Assessment, created here in Australia by our Cybersecurity and Digital Trust team, provides practical recommendations and actions to remediate technical weaknesses – strengthening resistance to ransomware across the value chain of process, people, operations, suppliers and technology.

Threat Assessments and Risk Assessments

Conduct yearly threat assessments that seek to understand your specific threat landscape, and ensure it links in with your ongoing risk processes.

Crisis Simulations

Conduct board and executive level crisis simulations that test your organisation’s response to cyber attacks. It’s better to identify a weakness in your defences when you have time to fix it.

Defence in Depth

Implement a defence-in-depth approach to security, layering your security tooling to ensure coverage across the board – and not just on the perimeter.

Vulnerability Management

Implement a vulnerability management program with your organisation, ensuring timely patching and response to new vulnerabilities and 0-days.

Intelligence-led Penetration Testing

To make sure your defences are adequate to protect the crown jewels, conduct intelligence-led pen-testing against critical business systems to identify ways of strengthening cybersecurity defences.

Purple Teaming

Rapid iterative red teaming works hand-in-hand with blue teams to increase defensive coverage.

Threat Intelligence

Make faster security decisions in the fight against cyber threats with our threat intelligence service offerings. Stay informed at all times - to quickly identify new, emerging threats and understand how they can impact your organisation. We provide your security teams with clearer action plans and contextual information to evade imminent cyber attacks and prepare your defences for a broad range of potential attacks including hacktivism, espionage, nation-state threats and cyber crime.

Contact us

Robert Di Pietro

Robert Di Pietro

Cybersecurity & Digital Trust Leader, PwC Australia

Jason Smart

Jason Smart

Director, Threat Intelligence APAC, PwC Australia

Tel: +61 0406 088 747