China’s Brutal Cyber Attacks Strike Aussie Work From Home


Chinese state-sponsored groups are targeting Australians working from home, using their devices to unleash spyware on corporate systems, a disturbing new report revealed on Tuesday. The Australian Signals Directorate (ASD) confronted 1200 cyber security incidents over the past year, with Beijing-backed hackers driving an 11 per cent spike in attacks.

State-Backed Hackers Exploit Home Networks

State-backed cyber actors from the People’s Republic of China are routinely hunting Australian government networks for cyber espionage purposes, the ASD’s Annual Cyber Threat Report stated. The notorious APT 40 group has been regularly conducting malicious activities against networks that possess defence-related information of value to Beijing. What makes this threat particularly alarming is how these malicious cyber actors are exploiting home routers and other home devices connected to the internet.


Defence Minister Richard Marles warned the nation faces “an increasingly challenging threat landscape” where cyber-enabled espionage and cyber crime are not a hypothetical risk, but a “real and increasing danger” to the essential services we all rely on. The state-sponsored cyber actors have compromised home office equipment to create botnets that support further targeting around the globe, unleashing a wave of attacks that flow through seemingly innocent devices.

Living Off the Land Tactics Evade Detection

The Chinese state-sponsored groups are using a sophisticated technique called “living off the land” or LOTL to evade detection by blending in with normal system activities and network activities. These hackers continue to use built-in network administration tools to carry out their objectives, deciding when to steal information or cause harm to an organisation’s network at a time of their own choosing. This approach enables them to operate unseen within compromised systems for extended periods.

Defending against LOTL is particularly difficult because it requires network defenders to think like the malicious actor, studying abnormalities in behaviours occurring on systems rather than through traditional means such as intrusion detection systems. The Australian government and several international partners acted decisively to detail the tradecraft of APT 40 to assist organisations to detect and prevent their malicious activities, the report stated.

Business Costs Explode Across All Sectors

The financial impact of these cyber attacks has exploded across every major business and sector in Australia. Small business owners now face an average self-reported cost of $56,600 per cyber crime incident, up 14 per cent from the previous year. For medium-sized businesses, the costs jumped a staggering 55 per cent to $97,200, while large businesses saw their losses skyrocket 219 per cent to $202,700 in 2024-25.

Big business lost hundreds of thousands on average to cybercrime over the past year, with the threat showing no signs of slowing down. The ASD stated that businesses should operate with a mindset of “assume compromise” and prioritise the assets or “crown jewels” that need the most protection. This shift in thinking reflects the reality that targeting has become so sophisticated that prevention alone is no longer enough.

Healthcare Sector Faces Doubled Attacks

The healthcare sector has emerged as a prime target for malicious cyber actors, with ransomware incidents in the health care and social assistance sector doubling in 2024-25. Shockingly, these attacks were successful in 95 per cent of all incidents that the ASD responded to in this sector. The victims included facilities that hold sensitive patient data and provide essential services to communities across Australia.

These crippling attacks on healthcare represent a security threat that goes beyond financial loss, potentially compromising patient care and critical infrastructure networks. The malicious cyber actors are hunting for valuable information and demanding ransom payments from organisations that can least afford disruption to their operations.

Government Networks Suffer Extensive Breaches

The federal government, government shared services, and regulated critical infrastructure categories experienced “extensive compromise” on two occasions over the year, the report revealed. State-sponsored cyber actors are seeking strategic insights into Australia’s national policies and decision-making processes, making government networks particularly attractive targets. The Australian Cyber Security Centre and AFP are investigating these incidents alongside cyber security experts.

Just days after the report was released, hackers from criminal enterprises dropped stolen data from Qantas onto the dark web following a cyber hit on the airline giant’s operations in Manila in July. The stolen information included names, phone numbers, addresses, emails, birthdays, gender, frequent flyer numbers, status tiers, and points balances, though no credit card details, personal financial information, or passport details were accessed in the breach.

Wide-Ranging Threat From Multiple Actors

The attacks flow from a range of state-based actors and criminal enterprises, creating a complex threat landscape that continues to evolve. The state-sponsored cyber actors are working to unleash disruptive attacks and conduct data breach operations that can compromise entire networks. The botnet infrastructure they’ve built through compromised home routers and internet-connected devices enables them to target organisations with unprecedented scale and sophistication.

The ASD makes clear that malicious actors have been working unseen to target remote work setups, exploiting the shift to work from home arrangements that became widespread in recent years. This new frontier in cyber espionage means that your home office could be the entry point for attacks on your employer’s corporate systems, turning everyday employees into unwitting participants in cyber-enabled espionage operations conducted by Beijing-backed groups.
