
Op-Ed: ASIO has broken its silence on cyber-crime, and you should listen

Threats to Australian critical infrastructure are real, and developing – it’s time operators paid attention, according to Nozomi Networks’ Marty Rickard.

user icon Marty Rickard, OT Specialist at Nozomi Networks Thu, 16 Apr 2026

Australian intelligence agencies have traditionally been tight-lipped about potential threats. Public statements are kept to a minimum and made only when deemed an absolute necessity.

Yet recently, the Director-General of the Australian Security Intelligence Organisation (ASIO), Mike Burgess, has made multiple public statements about the very real cyber threats to Australian critical infrastructure.

While many seem not to notice these warnings, the frequency with which the agency is now publicly disclosing cyber threats should give anyone pause.


In July last year, Burgess warned foreign espionage was costing Australia at least $12.5 billion a year, with ASIO disrupting up to 24 significant attempts at espionage and foreign interference operations in recent years.

Then, in November 2025, the agency warned of nation-state actors continuously trying to infiltrate Australia’s critical infrastructure networks. Targeted sectors include telecommunications, water, healthcare, manufacturing and energy. In fact, healthcare services have recently been identified as the most targeted industry in Australia.

The reality is that Australia is a target. Its critical infrastructure networks are in the crosshairs, so much so that in the second half of last year Australia ranked third in the number of security threats per organisation.

The threat actors targeting these industries are often highly sophisticated state-sponsored groups operating on behalf of countries such as China, Iran, Russia and North Korea. Intelligence agencies track these Advanced Persistent Threat (APT) groups under names such as Volt Typhoon and Salt Typhoon, both of which are particularly active against Australian targets.

The ‘persistent’ in APT is key here. ‘Smash and grab’ is not their modus operandi. These groups are covert, lurking undetected within networks for extended periods, gathering intelligence, stealing data and, ultimately, positioning themselves to disrupt operations. Unlike financially motivated actors, who want a quick payoff, APTs immerse themselves in a network so thoroughly that they can stay undetected for months or more.

A key tool in their arsenal is ‘living off the land’: stolen or otherwise valid credentials combined with the administration tools already present on the network (remote desktop, remote shells, scripting engines, file shares) used to hide in plain sight. Because little or no malware is introduced, signature-based tools have nothing to match on; what gives the intruder away is a legitimate account or tool being used from the wrong place, at the wrong time, or towards a system it has never touched before. Combatting these tactics requires integrated visibility, identity hardening and network segmentation working together across both IT and operational technology (OT) domains, so that there are no gaps to hide in.

Rather than entering through the IT network, these threat actors often gain their initial foothold through operational technology and Internet of Things (IoT) devices.

Most of Australia’s critical infrastructure organisations depend on these technologies, which unfortunately often run on outdated systems that are difficult to patch or replace. This makes them an attractive place to establish an initial foothold and maintain persistence before moving laterally across the wider network.

As Mike Burgess stated last year, “when they have penetrated your networks, they actively and aggressively map your systems, and seek to maintain persistent undetected access that enables them to conduct sabotage at a time and moment of their choosing”.

It is a method that has worked before. In 2024, a large number of American citizens had their data exposed when a threat actor compromised United States telecommunications providers.

In this case, the specific systems compromised and the full extent of the data stolen have not been publicly disclosed. However, public reporting attributed the intrusion to Salt Typhoon and indicated that the attackers reached the lawful intercept systems used to provide court-authorised access to communications for law enforcement and intelligence investigations. In essence, a huge breach of privacy, carried out through the very capability built to support lawful surveillance.

Australian organisations should be under no illusions about the capability of these nation-state actors and the lengths they are willing to go to. The country has been warned that its critical infrastructure networks are within their reach. This isn’t the first warning, nor will it be the last.

With legislation such as the Security of Critical Infrastructure Act 2018 (SOCI Act) requiring critical infrastructure owners to harden their defences, I am hopeful Australia will heed ASIO’s warnings before it is too late.

Doing so means critical infrastructure entities can build a better asset inventory across their networks, reducing the blind spots in OT and IoT environments that APT groups favour as entry points. An asset you do not know you have is one you cannot patch, segment or monitor.

It will also see organisations audit privileged access to limit the lateral movement and living-off-the-land techniques these actors rely on: every standing administrative credential that reaches across the IT/OT boundary is a path an intruder with stolen credentials can walk.

Crucially, Australia’s critical organisations must move from reactive, point-in-time assessment to continuous monitoring. These actors are happy to sit idle for months, so a snapshot taken between their moves shows nothing. Constant assessment and behavioural anomaly detection, measured against a baseline of what normal traffic and access look like on each network, is key to defending against threats designed to stay hidden.
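To make the baseline-then-alert idea concrete for both the living-off-the-land point above and the continuous-monitoring point here, the following Python script is an added example (not the author’s or Nozomi Networks’ code) run over a constructed connection log. It learns, during a learning window, which assets exist, which host-to-host paths and services are normal, and which source hosts each account normally operates from; it then flags departures after the window: a never-before-seen asset (an inventory blind spot), a new communication path (with OT write operations called out separately), an account not seen in the baseline, or a known account using a remote-administration service from a host it has never used (valid credentials, wrong origin). The log format, host names, account names and service labels are all invented for the illustration.

```python
"""Baseline-then-alert anomaly detection over a constructed IT/OT connection log.

Log line format (constructed for this example, not a real product format):
    <ISO timestamp> <source host> <destination host> <service> <account>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Remote-administration services commonly abused in living-off-the-land intrusions.
ADMIN_SERVICES = {"rdp", "winrm", "ssh", "smb-admin"}
# OT operations that change process state rather than merely read it.
OT_WRITE_SERVICES = {"modbus-write", "s7comm-write"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    service: str
    user: str


def parse(line: str) -> Event:
    """Parse one whitespace-separated log line into an Event."""
    ts, src, dst, service, user = line.split()
    return Event(datetime.fromisoformat(ts), src, dst, service, user)


class Baseline:
    """What 'normal' looked like during the learning window."""

    def __init__(self) -> None:
        self.assets = set()                   # every host seen as source or destination
        self.paths = set()                    # (src, dst, service) triples seen
        self.user_hosts = defaultdict(set)    # account -> source hosts it operated from

    def learn(self, ev: Event) -> None:
        self.assets.update((ev.src, ev.dst))
        self.paths.add((ev.src, ev.dst, ev.service))
        self.user_hosts[ev.user].add(ev.src)


def detect(ev: Event, bl: Baseline) -> list:
    """Return the anomaly labels that apply to one post-baseline event."""
    alerts = []
    for host in (ev.src, ev.dst):
        if host not in bl.assets:
            alerts.append(f"new-asset:{host}")           # inventory blind spot
    if (ev.src, ev.dst, ev.service) not in bl.paths:
        if ev.service in OT_WRITE_SERVICES:
            alerts.append("new-ot-write-path")            # someone new is changing process state
        else:
            alerts.append("new-path")
    if ev.user not in bl.user_hosts:
        alerts.append("unknown-account")
    elif ev.service in ADMIN_SERVICES and ev.src not in bl.user_hosts[ev.user]:
        alerts.append("admin-from-unfamiliar-host")       # valid credentials, wrong origin
    return alerts


def run(lines, baseline_until: datetime) -> list:
    """Learn from events before the cutoff, then report (event, alerts) after it."""
    events = sorted((parse(line) for line in lines), key=lambda e: e.ts)
    bl = Baseline()
    findings = []
    for ev in events:
        if ev.ts < baseline_until:
            bl.learn(ev)
        else:
            alerts = detect(ev, bl)
            if alerts:
                findings.append((ev, alerts))
    return findings


# Constructed sample: routine engineering-workstation and jump-host traffic for
# two weeks, then an out-of-hours session from a host nobody has ever used.
SAMPLE_LOG = [
    "2026-03-01T08:00:00 eng-ws01 plc-07 modbus-read svc_hmi",
    "2026-03-01T08:05:00 eng-ws01 plc-07 modbus-write eng_alice",
    "2026-03-02T09:00:00 it-jump01 eng-ws01 rdp eng_alice",
    "2026-03-03T10:00:00 eng-ws01 plc-07 modbus-read svc_hmi",
    "2026-03-04T11:00:00 it-jump01 eng-ws01 rdp eng_bob",
    "2026-03-05T08:10:00 eng-ws01 plc-07 modbus-write eng_bob",
    "2026-03-06T13:00:00 hist01 plc-07 modbus-read svc_hist",
    "2026-03-20T02:13:00 corp-pc42 eng-ws01 rdp eng_alice",
    "2026-03-20T02:20:00 eng-ws01 plc-07 modbus-write eng_alice",
    "2026-03-20T02:25:00 eng-ws01 plc-12 modbus-write eng_alice",
    "2026-03-21T09:00:00 it-jump01 eng-ws01 rdp eng_bob",
]
BASELINE_CUTOFF = datetime(2026, 3, 15)

if __name__ == "__main__":
    for ev, alerts in run(SAMPLE_LOG, BASELINE_CUTOFF):
        print(ev.ts.isoformat(), ev.src, "->", ev.dst, ev.service, ev.user, "|", ", ".join(alerts))
```

In the constructed sample, eng_alice’s 02:13 RDP session is flagged three times over (unknown host, unknown path, admin tool from a host she has never used), while her routine write to plc-07 is silent because it matches the baseline; only the subsequent write to a PLC she has never touched raises the OT-specific alert. A real deployment would learn the baseline from weeks of passively captured traffic rather than a handful of lines, would age entries out as plants change, and would weight alerts by the asset’s criticality, but the detection logic is the same: the intruder is not caught by what they bring, only by how their behaviour departs from the site’s own normal.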

A good sign that Australia is heading in the right direction is that cybersecurity investment is increasing, with Australian organisations expected to have spent AU$6.2 billion on information security and risk management in 2025. IT security is critical, but to secure the nation’s critical infrastructure assets, organisations must not forget operational technology and Internet of Things devices. After all, what use is locking the front door if you’ve left the windows wide open?
