APT Activity in Australia: 2025 Threat Landscape Analysis
Executive Summary
This analysis is intended for cybersecurity defenders, IT leaders, and policy stakeholders in Australia to understand emerging threats and implement proactive defenses. All data is sourced from official government advisories and open-source threat intelligence.
In 2025, Advanced Persistent Threat (APT) groups have kept a sustained focus on Australian critical infrastructure, government agencies and key economic sectors, while ransomware operators have continued to inflict costly disruption. This analysis summarises the tactics attributed to nation-state actors in official advisories and the impact of ransomware operations across Australia.
Australia's 2025 Cyber Threat Landscape
The cyber threat landscape in Australia for 2025 represents a complex ecosystem of state-sponsored actors, financially motivated cybercriminals, and a wide range of targeted sectors. Nation-state actors from China, Russia, and North Korea are at the forefront, employing sophisticated attack vectors to compromise Australian networks.
Key Threat Actors:
- China: APT40 (MSS-affiliated) and Salt Typhoon, targeting government, telecommunications and critical infrastructure networks
- Russia: Russia-based actors; Australia imposed cyber sanctions in February 2025 over attacks on Australian networks
- North Korea: Kimsuky (overlaps with APT43), targeting financial institutions and cryptocurrency
Key APT Groups Targeting Australia
APT40: China's Maritime Espionage Specialist
APT40 Profile
Also Known As: Kryptonite Panda, Gingham Typhoon, Leviathan, Bronze Mohawk
Attribution: People's Republic of China (PRC) Ministry of State Security (MSS)
Primary Focus: Australian government and critical infrastructure networks
Key Characteristic: Rapid exploitation of newly disclosed vulnerabilities in public-facing infrastructure, at times within hours of a proof-of-concept becoming public
APT40 is one of the most capable state-sponsored actors targeting Australia. Operating on behalf of the MSS, the group has a long record of maritime-related espionage and of targeting government and critical infrastructure networks. Tradecraft highlighted in the July 2024 joint advisory:
- Rapid Vulnerability Exploitation: Exploits newly disclosed vulnerabilities in internet-facing systems quickly, preferring vulnerable public-facing infrastructure over techniques that require user interaction
- Living-Off-the-Land (LOTL): Relies on legitimate system tools and web shells rather than bespoke malware, which leaves little for signature-based detection to catch
- Compromised SOHO Devices: Routes operations through compromised small office/home office routers, many of them end-of-life or unpatched, so that malicious traffic blends with legitimate residential traffic
- Credential Theft: Harvests legitimate user credentials and reuses them for lateral movement and persistence, so that follow-on activity looks like ordinary logins
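The credential-theft and SOHO-botnet tradecraft above is what a hunt over authentication logs should be tuned to catch. The Python below is an added example, not code from the ASD advisory or from any source cited on this page. It parses a constructed VPN/SSO log format, flags accounts whose successful remote logins arrive from several distinct public /24 networks in a short window (valid credentials replayed through a rotating pool of compromised routers look like this), and flags a burst of failures followed by a success from the same source. The log format, the `INTERNAL_NETS` ranges, the thresholds and every log line are assumptions made up for the example; RFC 5737 TEST-NET addresses stand in for public source IPs.

```python
"""Hunt authentication logs for the credential misuse patterns described above.

Added example; not from the ASD/ACSC APT40 advisory. The log format, the
internal address ranges and every sample line below are constructed for
illustration (RFC 5737 TEST-NET addresses stand in for public source IPs).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed internal ranges: logins from here are not "remote" and are ignored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed VPN/SSO log: "<ISO timestamp> <account> <source IP> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2025-03-02T01:10:04Z alice 203.0.113.10 SUCCESS
2025-03-02T01:42:51Z alice 203.0.113.11 SUCCESS
2025-03-02T02:15:33Z bob 198.51.100.7 FAILURE
2025-03-02T02:15:41Z bob 198.51.100.7 FAILURE
2025-03-02T02:15:49Z bob 198.51.100.7 FAILURE
2025-03-02T02:15:58Z bob 198.51.100.7 FAILURE
2025-03-02T02:16:10Z bob 198.51.100.7 SUCCESS
2025-03-02T03:05:12Z svc_backup 192.0.2.44 SUCCESS
2025-03-02T03:31:47Z svc_backup 192.0.2.199 SUCCESS
2025-03-02T04:02:09Z svc_backup 198.51.100.23 SUCCESS
2025-03-02T04:48:55Z svc_backup 203.0.113.77 SUCCESS
2025-03-02T09:00:00Z carol 10.20.30.40 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAILURE)$")


def parse_events(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def distributed_access(events, window=timedelta(hours=4), min_networks=3):
    """Accounts whose successful remote logins come from at least `min_networks`
    distinct IPv4 /24s inside `window`. Valid credentials replayed through a
    rotating pool of compromised SOHO routers produce exactly this shape; a real
    user is rarely on three different access networks in one afternoon."""
    per_user = defaultdict(list)
    for e in events:
        if e["ok"] and not is_internal(e["ip"]):
            net = ipaddress.ip_network((e["ip"], 24), strict=False)
            per_user[e["user"]].append((e["ts"], net))
    flagged = {}
    for user, hits in per_user.items():
        for i, (start, _) in enumerate(hits):          # sliding window over time-ordered hits
            nets = {net for ts, net in hits[i:] if ts - start <= window}
            if len(nets) >= min_networks:
                flagged[user] = sorted(str(n) for n in nets)
                break
    return flagged


def spray_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Accounts where `min_failures` or more failures from one source are followed
    by a success from that same source within `window`: guessing that landed."""
    flagged = {}
    failures = defaultdict(list)                       # (user, ip) -> failure timestamps
    for e in events:
        key = (e["user"], str(e["ip"]))
        if not e["ok"]:
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            flagged[e["user"]] = {"ip": str(e["ip"]), "failures": len(recent),
                                  "success_at": e["ts"].isoformat()}
        failures[key].clear()                          # a success resets the run
    return flagged


def hunt(log_text):
    events = parse_events(log_text)
    return {"distributed_access": distributed_access(events),
            "spray_then_success": spray_then_success(events)}


if __name__ == "__main__":
    for rule, hits in hunt(SAMPLE_LOG).items():
        print(rule, hits)
```

On the sample, `svc_backup` trips the distributed-access rule (three /24s in under two hours) and `bob` trips the spray rule; `alice` roaming between two addresses in one /24 does not. Mobile users who hop between carrier and Wi-Fi networks will raise the false-positive rate on the first rule, so in production enrich each source with ASN and geolocation and treat a mix of residential ISPs as the stronger signal.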
Salt Typhoon: Telecommunications Infrastructure Campaign
Salt Typhoon Profile
Also Known As: OPERATOR PANDA, RedMike, UNC5807, GhostEmperor
Attribution: Chinese state-sponsored (linked to Sichuan Juxinhe, Beijing Huanyu Tianqiong, Sichuan Zhixin Ruijie)
Primary Focus: Global telecommunications providers including Australia
Strategic Goal: Espionage, follow-on targeting, and pre-positioning for disruptive attacks
Salt Typhoon is the actor behind a broad and significant espionage campaign against major global telecommunications providers. Telecommunications networks are a strategic priority for Chinese intelligence services because a foothold there yields access to large volumes of sensitive communications and metadata. The August 2025 joint advisory describes the actors exploiting publicly known vulnerabilities in edge and backbone network devices and modifying router configurations to maintain persistent access.
The Ransomware Epidemic
Beyond state-sponsored espionage, Australia continues to contend with an active ransomware ecosystem. Cyble's leak-site tracking, current to September 2025, counts 71 ransomware attacks claimed against Australian organizations in 2025 to date.
Top 5 Most Active Ransomware Groups
The ransomware landscape is dominated by sophisticated criminal organizations that have perfected their operations into efficient, profit-driven enterprises. Akira, INC Ransom, and Qilin lead the pack with 8 attacks each, followed by Lynx (7 attacks) and Dragonforce (6 attacks).
Sectors Under Siege
Notable Ransomware Incidents (2024-25)
- E-prescription Service Breach (disclosed July 2024, within the FY2024-25 reporting period): A suspected ransomware attack exfiltrated approximately 6.5TB of data affecting 12.9 million Australians, including personal and health information from March 2019 to November 2023.
- Political Party Breach (June 2025): Unauthorized server access resulted in the potential exfiltration of email correspondence, banking details and employment history.
- Akira, OT & ICS Provider: Stole 10GB of corporate data including employee passports, driver's licenses, medical records and financial documents.
- Dragonforce, Engineering Firm: Leaked over 100GB of data including technical drawings and employee medical reports.
Critical Infrastructure Under Attack
Australia's critical infrastructure has become a primary target for both state-sponsored actors and cybercriminals. The dramatic increase in threats to this sector poses significant risks to national security, economic stability, and public safety.
Headline figures from the ASD Annual Cyber Threat Report 2024-25 (FY2024-25):
- Notifications of potential malicious activity to critical infrastructure entities up 111% to more than 190
- Notifications to all entities up 83% to more than 1,700
- DDoS attacks up 280%
- Average self-reported cost of cybercrime for businesses up 50% to $80,850
- Average cost for large businesses up 219% to $292,700
Healthcare: The Vulnerable Sector
The healthcare sector has proven particularly exposed: the reporting cited in this analysis puts the success rate of attacks against healthcare at 95%, against 52% across all sectors. The gap reflects organizations that are often under-resourced and poorly positioned to defend against capable adversaries, and it makes the case for prioritising security investment in healthcare.
Timeline of Major Events (2024-2025)
Significant incidents have occurred with increasing frequency over the past year. From the joint APT40 advisory in July 2024, through the August 2025 advisory on Chinese state-sponsored compromise of telecommunications networks, to the October 2025 ASD Annual Report recording a 111% increase in critical infrastructure notifications, the trend is clearly upward.
Recommendations and Mitigation Strategies
To effectively counter the sophisticated threats detailed in this analysis, Australian organizations must adopt a proactive, intelligence-driven approach to cybersecurity. The following recommendations provide a framework for enhancing organizational resilience:
Strategic Defense Recommendations:
- Enhance Threat Intelligence Capabilities: Actively monitor threat intelligence feeds from the ACSC and reputable sources. Use this intelligence to proactively hunt for threats within your networks.
- Prioritize Vulnerability Management: Implement robust and timely patch management processes. Given APT groups' speed in exploiting vulnerabilities, prioritize patching of edge devices and public-facing applications.
- Implement Network Segmentation: Isolate critical assets and restrict access between different network segments to limit lateral movement of attackers.
- Strengthen Identity and Access Management: Enforce multi-factor authentication (MFA) across all systems. Regularly review user access rights and implement least privilege policies.
- Develop and Test Incident Response Plans: Maintain comprehensive incident response plans and regularly test them through tabletop exercises and simulations.
- Focus on Employee Training: Educate employees about phishing techniques and social engineering tactics. A well-informed workforce is a critical defense layer.
- Secure Your Supply Chain: Assess the security posture of suppliers and partners. Supply chain attacks are increasingly common and can bypass traditional defenses.
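For the vulnerability-management and threat-intelligence recommendations above, one concrete way to act on "patch edge devices and public-facing applications first" is to rank scanner findings by exposure and by whether the CVE is already known to be exploited. The Python below is an added example, not ACSC guidance and not code from any source cited on this page. The record layout mimics the public CISA Known Exploited Vulnerabilities (KEV) JSON feed, but every KEV record, asset and CVE identifier here is constructed (`CVE-0000-000x` are placeholders, not real CVEs), and the weights and remediation windows are assumptions to be tuned to your own policy.

```python
"""Exposure-aware patch prioritisation, as an added example.

Not ACSC/ASD guidance and not code from any source cited on this page. The
record layout mimics the public CISA Known Exploited Vulnerabilities (KEV)
JSON feed, but every record, asset and CVE identifier below is constructed;
"CVE-0000-000x" are placeholders, not real CVEs. Weights and remediation
windows are assumptions to be tuned to your own policy.
"""
from datetime import date

TODAY = date(2025, 10, 20)  # pinned so the example is reproducible

# Constructed stand-in for the KEV feed (same field names as the real feed).
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2025-10-15", "dueDate": "2025-10-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleMail", "product": "Server",
         "dateAdded": "2025-09-01", "dueDate": "2025-09-22",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed asset inventory joined with scanner findings (CVE IDs per host).
ASSETS = [
    {"name": "vpn-edge-01", "exposure": "internet", "criticality": "high",
     "cves": ["CVE-0000-0001"]},
    {"name": "mail-01", "exposure": "internet", "criticality": "high",
     "cves": ["CVE-0000-0002", "CVE-0000-0003"]},
    {"name": "hr-app-01", "exposure": "internal", "criticality": "medium",
     "cves": ["CVE-0000-0003"]},
    {"name": "dev-box-07", "exposure": "internal", "criticality": "low",
     "cves": ["CVE-0000-0002"]},
]

EXPOSURE_WEIGHT = {"internet": 40, "internal": 10}       # assumed weights
CRITICALITY_WEIGHT = {"high": 20, "medium": 10, "low": 0}


def kev_index(feed):
    """Map cveID -> KEV record for constant-time lookup."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def score_finding(asset, cve, kev, today=TODAY):
    """Return (score, reasons). Exposure dominates: an internet-facing device
    with a CVE not yet in KEV still outranks an internal host whose CVE is in
    KEV, which is the 'patch the edge first' recommendation in numbers."""
    score = EXPOSURE_WEIGHT[asset["exposure"]] + CRITICALITY_WEIGHT[asset["criticality"]]
    reasons = [f"{asset['exposure']}-facing", f"{asset['criticality']} criticality"]
    entry = kev.get(cve)
    if entry:
        score += 30
        reasons.append("known exploited (KEV)")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 15
            reasons.append("used in ransomware campaigns")
        due = date.fromisoformat(entry["dueDate"])
        if due < today:
            score += 10
            reasons.append(f"KEV due date passed ({due.isoformat()})")
    return score, reasons


def sla_for(score):
    """Illustrative remediation windows keyed off the score."""
    if score >= 90:
        return "48 hours"
    if score >= 60:
        return "7 days"
    return "30 days"


def prioritise(assets, feed, today=TODAY):
    """One row per (asset, CVE), most urgent first; ties broken by name."""
    kev = kev_index(feed)
    rows = []
    for asset in assets:
        for cve in asset["cves"]:
            score, reasons = score_finding(asset, cve, kev, today)
            rows.append({"asset": asset["name"], "cve": cve, "score": score,
                         "sla": sla_for(score), "reasons": reasons})
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["cve"]))
    return rows


if __name__ == "__main__":
    for r in prioritise(ASSETS, KEV_FEED):
        print(f"{r['score']:>3} {r['sla']:<9} {r['asset']:<12} {r['cve']}  "
              + "; ".join(r["reasons"]))
```

In practice `KEV_FEED` is replaced by the downloaded feed and `ASSETS` by a join of the asset inventory with scanner output; ACSC alerts and advisories are a further trigger to bump a finding's score the day they are published, since the actors profiled above move faster than a monthly patch cycle.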
Conclusion
The cyber threat landscape facing Australia in 2025 represents an unprecedented challenge to national security, economic stability, and public safety. The convergence of sophisticated state-sponsored espionage campaigns and relentless ransomware operations has created a perfect storm of cyber risk.
Chinese APT groups, particularly APT40 and Salt Typhoon, have demonstrated exceptional capabilities and persistence in targeting Australian critical infrastructure and telecommunications networks. The strategic implications of these operations extend beyond simple data theft—they represent pre-positioning for potential disruptive attacks that could have devastating consequences in times of crisis or conflict.
Simultaneously, the ransomware epidemic continues to wreak havoc across Australian organizations, with the healthcare sector bearing a disproportionate burden. The 95% success rate for healthcare attacks is a stark reminder of the vulnerability of critical services that Australians depend on daily.
Moving forward, Australian organizations must recognize that cybersecurity is not merely an IT issue—it is a fundamental business risk that requires board-level attention, adequate resourcing, and a culture of continuous improvement. The threats are real, sophisticated, and persistent. Only through vigilance, collaboration, and a commitment to excellence in cybersecurity can Australia hope to defend against the advanced persistent threats of 2025 and beyond.
References
- Australian Cyber Security Centre. (2025, October 14). Annual Cyber Threat Report 2024-2025. Retrieved from https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025
- Australian Cyber Security Centre. (2025, August 28). Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System. Retrieved from https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/countering-chinese-state-sponsored-actors-compromise-of-networks-worldwide-to-feed-global-espionage-system
- Cyble. (2025, September 26). Top Ransomware Groups Targeting Australia & NZ In 2025. Retrieved from https://cyble.com/blog/ransomware-groups-targets-australia-and-new-zealand/
- iTWire. (2025, October 17). Attacks on Australia's critical infrastructure double. Retrieved from https://itwire.com/business-it-news/security/attacks-on-australia's-critical-infrastructure-double.html
Stay Informed
Published by Fun of Cybersecurity — an independent educational resource for authorized cybersecurity professionals. Content is for defensive awareness only.
This analysis was prepared based on open-source intelligence from official government reports and leading cybersecurity firms. For the latest threat intelligence and security updates, follow the Australian Cyber Security Centre (ACSC) and subscribe to threat intelligence feeds.