The new report found 47,000 cyber incidents over the past financial year, a 15 per cent increase. The ACSC responded to 734 incidents that targeted infrastructure or other private systems of national interest.
Assistant Minister Tehan confirmed that the cyber thieves had access to the IT network of the defence contractor for a long period of time and stole large amounts of the defence supplier's data. ACSC became aware of the incident last November and helped end the attack.
Assistant Minister Tehan said the government was unsure of who launched the attack, but could not rule out a foreign government.
The report takes a special look at the defence industry, noting that the industry is heavily targeted by state actors.
"Defence contractors and companies involved in the design, manufacture and maintenance of defence capabilities continue to be targeted by state cyber programs," the report said.
"Cyber adversaries often target the networks of defence-affiliated organisations, such as commercial contractors. This targeting seeks to access information that would be difficult to obtain from more secure government networks, or to exploit trusted network relationships to facilitate access to, or targeting of, more secure networks."
ACSC, which is the focal point for the cyber security efforts of the Australian Signals Directorate (ASD), Computer Emergency Response Team Australia, the Defence Intelligence Organisation, the Australian Criminal Intelligence Commission, the Australian Federal Police, and the Australian Security Intelligence Organisation, said the ASD Essential Eight provides a prioritised list of practical actions that organisations can take to make their computers and networks more secure.
The Essential Eight, updated in March to include four more mitigation strategies, is now considered to be the baseline for Australian organisations, according to the report.
The Australian National Audit Office (ANAO) Cybersecurity Follow-up Audit, published in March, found some government agencies, like the Australian Taxation Office and the Department of Immigration and Border Protection, are not considered "cyber resilient".
The ANAO's report failed these agencies on mandatory whitelisting and software patching requirements proposed by the ASD.
The agencies were found to have varying compliance with the ASD’s top four cyber mitigation strategies: whitelisting, application patching, OS patching and the restriction of administration privileges based on user duties.