The weakest link: Stolen staff passwords now the biggest cyber threat to workplaces

Natassia Chrysanthos

Australians’ stolen usernames and passwords are increasingly being used by cybercriminals to gain access to workplaces, with two in five critical security incidents hitting large companies, governments and academic institutions now coming from compromised accounts or credentials.

China-linked cyber actors are also using Australians’ vulnerable home internet connections and smart devices to create larger networks that conceal their identities when they launch cyberattacks across the world.

The Australian Signals Directorate warned that artificial intelligence would accelerate cyber attacks. Dylan Coker

The warnings are contained in the latest annual threat report from the Australian Signals Directorate, one of the government’s key intelligence agencies, which received a report every six minutes last year as cybercriminals leveraged new technologies to escalate attacks on Australians.

“The prevalence of artificial intelligence almost certainly enables malicious cyber actors to execute attacks on a larger scale and at a faster rate,” the report says.

“The potential opportunities open to malicious cyber actors continue to grow in line with Australia’s increasing uptake of – and reliance on – internet-connected technology.”

Director-general Abigail Bradshaw said the agency responded to 1200 cybersecurity incidents in the latest financial year – up 11 per cent – and notified critical infrastructure entities about potential malicious activity affecting their networks 190 times, more than double that of the previous year.

“Over the last year, ASD has observed networks are increasingly not just being hacked, but are being breached through compromised or stolen credentials to gain unauthorised access,” Bradshaw said.

“Compromised accounts or credentials accounted for 42 per cent of incidents impacting large organisations, government, academia or supply chains. Australia is increasingly targeted by cybercriminals looking to steal credentials.

“Once access is gained, they mimic legitimate user behaviour to steal sensitive personal or corporate information, install ransomware or malware, and take over accounts.”

The ASD report said cybercriminals were continuing an aggressive campaign of credential theft, where they purchased stolen usernames and passwords from the dark web to access people’s personal email, social media or financial accounts.

This can lead to financial losses, privacy breaches and an increased risk of identity theft. The average person lost $33,000 when they were a victim of cybercrime last year.

But these stolen or compromised credentials are also being used to access corporate systems. The report said cybercriminals were seeking to buy and use stolen credentials associated with corporate accounts to gain initial access to the devices of the person’s employer, their clients and other systems.

Once a cybercriminal has logged on to a corporate account using stolen details, it is much more difficult to determine there has been a compromise. Afterwards, the impact on the company may be ransomware, extortion or theft of intellectual property.

The frequency of ransomware attacks, the number of reported data breaches and average reported financial losses all went up last year. Businesses affected by cybercrime lost $80,850 on average, and large businesses suffered losses of $202,700 on average per incident, which was an increase of more than 200 per cent since last year.

Threats to cybersecurity continue to come from both independent and state-sponsored criminals. The ASD’s focus when it comes to cybercrime is top-tier financially motivated criminals, typically from eastern European and Russian-speaking cyber gangs.

State-sponsored hackers and spies, meanwhile, “continue to pose a serious and growing threat to our nation”.

“They target networks operated by Australian governments, critical infrastructure and businesses for state goals,” the report said.

“State-sponsored cyber actors may also seek to use cyber operations to degrade and disrupt Australia’s critical services and undermine our ability to communicate at a time of strategic advantage.”

One way that state-sponsored cyber organisations, such as a China-linked group known as APT40, have been operating is by targeting home internet devices – such as routers, firewalls or VPN products – to help build a network for them to launch other attacks.

These home devices are attractive to cybercriminals because internet-facing vulnerabilities in them are common and often difficult for people to monitor or configure securely.

Exploiting these devices helps them blend their malicious traffic activity with the legitimate traffic of the device owner, complicating detection and prevention efforts.

The ASD and other agencies found state cyber actors linked to China had compromised thousands of internet-connected devices, including home office routers and smart appliances, to create a network that concealed their identities as they conducted further malicious activities.

In one example, agencies detected a network made up of more than 260,000 devices, including in Australia.

Home Affairs Minister Tony Burke said there were simple steps Australians could take to stay safe online.

“Always install latest software updates, use unique passphrases, enable multifactor authentication wherever it’s available, and if you receive an unexpected cold call, hang up and call back through the official line,” he said.

Natassia Chrysanthos is Federal Political Correspondent. She has previously reported on immigration, health, social issues and the NDIS from Parliament House in Canberra.


Original URL: https://www.brisbanetimes.com.au/politics/federal/the-weakest-link-stolen-staff-passwords-now-the-biggest-cyber-threat-to-workplaces-20251013-p5n1y9.html