March was bursting with cyber news. We have brought it all together in one place, so you don’t have to.
Cyber incidents making the news: Putting Oracle to one side, incidents making the news in Australia and overseas involved 13cabs; contractor Brighton Australia; Zurich Insurance Group; Wendy Wu Tours; Samsung Germany; Australian fintech Vroom by YouX; Sydney-based firm Brydens Lawyers; leisure brand Sitro Group; Honda's Indian branch; Expert Data Cabling; French telecommunication provider Orange Group; Tata Technologies; medical device company Compumedics; NSW Department of Communities and Justice; SpyX; US toy manufacturer MGA Entertainment; hardware store Sydney Tools; car dealership Tristram European; skincare manufacturer Baxter Laboratories; Malaysia Airports Holdings Berhad’s digital system; Auckland-based firm Hudson Gavin Martin; developer platform GitHub Action; New Zealand-based insurance broker Vercoe; TOGA Far East (TFE) hotels group; Trump Winery & Trump Golf; Southern Regional Medical Group; Ukraine’s railway Ukrzaliznytsia; and cloud-based streaming platform StreamElements.
HSF Webinar: Calm in a Crisis – Plan Ahead to Plan your Response
To close out our CPD program for the (practising) year, HSF’s cyber team hosted a live webinar, in which we discussed the importance of organisations being prepared for major crises (including cyber incidents).
We heard from cross-disciplinary experts, including Nerida Jessup, Jacqueline Wootton, Christine Wong, Carolyn Pugsley, Cameron Whittfield, and Emily Coghlan, who discussed a variety of incidents such as regulatory investigations, dawn raids, whistleblowing, cyber breaches, industrial accidents, and other workplace health and safety issues. We had a terrific turnout, and hope those that joined found it engaging and useful.
Caitlyn Bellis from HSF takes home Australian Cyber Security award
On 6 March, Australia's Lawyers Weekly announced the winners of its annual 30 Under 30 Awards, which recognise young lawyers striving for excellence in their practice area.
Congratulations to Caitlyn Bellis, a highly valued member of the HSF Cyber team, who won the Cyber Security category. Caitlyn has supported several clients with cyber incident response, including large-scale ransomware attacks. She is also a skilled facilitator, having led and developed over 20 cyber simulations including for ASX-listed executive teams and boards.
The full list of winners is available here.
ASIC sues FIIG Securities for systemic and prolonged cybersecurity failures – Australian Securities and Investments Commission – 13 March 2025
The Australian Securities and Investments Commission (ASIC) has commenced action against FIIG Securities Limited (FIIG) for failing to maintain adequate cybersecurity measures from March 2019 to June 2023, which ASIC claims enabled the theft of 385GB of confidential data affecting approximately 18,000 clients. ASIC is seeking civil penalties and compliance orders, emphasising the need for financial services licensees to prioritise cybersecurity. For more details, check out HSF’s note here.
Supplementary Rules under the Cyber Security Act 2024 Registered – Department of Home Affairs – 4 March 2025
Subordinate legislation under the Cyber Security Act 2024 has been enacted through three sets of rules registered on 4 March 2025. The Cyber Security (Security Standards for Smart Devices) Rules 2025 will come into effect 12 months from registration, allowing the industry time to understand their new obligations. The Cyber Security (Ransomware Payment Reporting) Rules 2025 and the Cyber Security (Cyber Incident Review Board) Rules 2025 will commence six months from Royal Assent, on 30 May 2025. HSF guidance materials will be provided shortly to help businesses and industry sectors navigate and comply with these regulations.
Security of Critical Infrastructure Rules – Cyber and Infrastructure Security Centre – 12 March 2025
The Cyber and Infrastructure Security Centre (CISC) has announced that all components of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024, including Schedule 5 regarding the security of critical telecommunications assets, will take effect from 4 April 2025. The supporting rules, being the Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules and the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules, have now been registered and will also commence on 4 April 2025. A recording of the Town Hall hosted by CISC on 12 March 2025 can be accessed here.
SOCI Compliance – Late Cyber Incident Reports and Insider Threats – Cyber and Infrastructure Security Centre – 4 March 2025
The Security of Critical Infrastructure Act 2018 requires that responsible entities of critical infrastructure assets report incidents that have a significant impact within 12 hours of identification, and incidents with a relevant impact within 72 hours via the Australian Cyber Security Centre (ACSC) portal. In FY24, almost 30% of reports made under this regime were late, with the highest rate of delays arising in the food and water sectors. The CISC has emphasised that enforcement action will only be taken in cases of egregious non-compliance.
Safeguarding Australia's most critical infrastructure – Department of Home Affairs – 24 March 2025
The Government has declared an additional 13 assets as ‘systems of national significance’ under the Security of Critical Infrastructure Act 2018, bringing the total number to over 220 assets across various sectors, including energy, transport, food and grocery, communications, financial services and data storage or processing. These declarations allow the Department of Home Affairs to apply enhanced cyber security obligations in respect of the assets, to better protect Australia's economy and national security. Enhanced cyber security obligations may include developing incident response plans, conducting cyber security exercises, and providing system information to the Australian Signals Directorate (ASD).
Nobody expected it to rain bitcoin, but the federal budget had a big tech-shaped hole – ABC News – 29 March 2025
The 2025 Federal Budget did not allocate any significant new funding to the tech sector, despite recent discussions about the importance of AI, cybersecurity, and other technologies. Key areas such as AI safety, cyber espionage, and quantum technology received only small mentions without any substantial investment by the Government. This has raised concerns about Australia’s capacity to keep pace with global technology advancements and the ongoing threat of cyber incidents.
Privacy watchdog beefed up for enforcement action – InnovationAus – 25 March 2025
The Office of the Australian Information Commissioner (OAIC) received a $14 million boost in the Federal Budget to tackle a backlog of cases and oversee the Digital ID system and document verification scheme. Despite a funding increase, the OAIC will reduce staff numbers following a major restructure. The Budget also allocated $8.7 million over three years to support enforcement activities, focusing on privacy harms related to online personal information and security obligations.
Oracle Still Denies Breach as Researchers Persist – Dark Reading – 29 March 2025
Oracle is facing criticism as it continues to deny an alleged breach of its Oracle Cloud environment despite claims from security researchers. On 21 March, CloudSEK reported that a threat actor known as “rose87168” was attempting to sell 6 million records linked to 140,000 customers, allegedly obtained from Oracle Cloud Infrastructure’s login servers. While Oracle disputes any breach, CloudSEK’s analysis suggested that the threat actor exploited an undisclosed vulnerability in Oracle’s cloud environment to gain access. CloudSEK has since obtained a 10,000-line sample of stolen data from the threat actor, which appears to be associated with more than 1,500 organisations. The conflicting narratives and lack of transparency from Oracle have created uncertainty for Oracle’s customers, who are unsure whether to take urgent security measures or trust the company’s assurances.
China ‘presents’ top military, cybersecurity threat to US – AFR – 26 March 2025
According to the US intelligence community’s Annual Threat Assessment report, China remains the top military and cyber threat to the United States. The report indicates that China is making steady progress in its military and cyber capabilities, with the potential to compromise US infrastructure through cyber attacks and target assets in space.
FCC launches national security unit to counter state-linked threats to US telecoms – CyberSecurityDive – 13 March 2025
The Chairman of the US Federal Communications Commission (FCC) has announced the launch of a Council on National Security, designed to counter growing cyber threats from foreign adversaries against the US telecommunications sector. The launch of the national security unit follows a series of attacks on US telecom firms which have been attributed to the China-linked threat group, Salt Typhoon. The FCC’s goals will be to reduce the US telecom and technology sectors’ trade and supply chain dependence on foreign adversaries; to mitigate vulnerabilities linked to cyber attacks, espionage and surveillance from foreign adversaries; and to help ensure the US wins the strategic competition with China over critical technologies (including 5G, satellites, quantum computing, IoT and robotics).
North Korea-linked insider threats surged in 2024, according to new report – Cyber Daily – 25 March 2025
In its 2025 Unit 42 Global Incident Response Report, Palo Alto Networks has reported a threefold increase in insider threat cases linked to North Korea during 2024. Insider threats typically involve the exploitation of privileged access and trusted relationships that businesses depend on to operate. The report notes that the campaigns typically target large technology companies that use contract-based technical roles.
Increase in denial-of-service (DoS) attacks against Australian organisations – Australian Signals Directorate – 17 March 2025
The ASD has observed an increase in denial-of-service (DoS) attacks against Australian organisations. These attacks disrupt online services, making it difficult for users to access essential websites. The rise in DoS attacks is partly due to the proliferation of vulnerable Internet of Things (IoT) devices, such as smart TVs and security systems, which can be compromised and used to flood websites with traffic. Organisations are advised to implement mitigations to prepare for and reduce the impact of DoS attacks, while individuals should secure their IoT devices and Wi-Fi routers to prevent contributing to these attacks.
Phishing-as-a-Service attacks rise in early 2025 report – SecurityBrief – 20 March 2025
A recent report by Barracuda Networks highlights a significant rise in Phishing-as-a-Service (PhaaS) attacks in early 2025. Over one million phishing attempts were blocked, with Tycoon 2FA, EvilProxy, and Sneaky 2FA being the most utilised platforms. These attacks are increasingly targeting cloud-based platforms like Microsoft 365. Barracuda Networks has emphasised the need for advanced, multi-layered defence strategies and strong security cultures to combat these sophisticated threats. The report details the evolving capabilities of these PhaaS platforms, making detection more challenging.
Gartner Identifies the Top Cybersecurity Trends for 2025 – Gartner – 3 March 2025
Gartner has identified the top cybersecurity trends for 2025, influenced heavily by the GenAI evolution, digital decentralisation, supply chain interdependencies, regulatory changes, and an evolving threat landscape. Gartner specifically highlighted six key trends: the shift in data security programs to protect unstructured data due to GenAI; the need for robust machine identity and access management; the focus on tactical AI implementations; the optimisation of cybersecurity technology; the value of security behaviour and culture programs; and addressing cybersecurity burnout.
23andMe’s DNA data is going up for sale. Here’s why companies might want – CNN – 30 March 2025
23andMe’s filing for bankruptcy in the US has raised privacy concerns for its more than 15 million customers, from whom the business has collected DNA from saliva samples. Struggling to convert one-time customers into reliable subscribers, the company has not been profitable since going public in 2021. California’s Attorney-General has issued guidelines for users on how to delete their genetic data from 23andMe, and revoke access for third-party research studies.
The Trump Administration Accidentally Texted Me Its War Plans – The Atlantic – 24 March 2025
The Trump Administration accidentally added Jeffrey Goldberg, editor in chief of The Atlantic, to a Signal group chat, which revealed an upcoming planned attack on Houthi rebels in Yemen. The group chat, named “Houthi PC small group”, contained detailed information about weapons, targets, and timing for the strikes. Goldberg doubted the authenticity of the messages, but realised they were genuine when the bombing commenced on 15 March. The incident has raised concerns about the Trump Administration’s handling of national security information, and the use of encrypted messaging for official communications.
Alphabet To Acquire Cybersecurity Firm Wiz In All Cash, $32 Billion Deal. Google Stock Falls. – Investors.com – 18 March 2025
Alphabet, Google's parent company, has agreed to acquire the cybersecurity firm Wiz for US$32 billion in an all-cash deal. The transaction will be Alphabet’s largest acquisition to date. This acquisition aims to significantly bolster Google's cloud security offerings by integrating Wiz's advanced cybersecurity solutions. The deal, expected to close in 2026, is subject to regulatory approval.
Hong Kong passes cybersecurity law covering ‘critical infrastructure’ – Hong Kong Free Press – 20 March 2025
Hong Kong has passed a cybersecurity law to protect key infrastructure systems from cyber attacks, imposing fines of up to HK$5 million for non-compliance. The law covers sectors such as energy, IT, banking and financial services, transport, communications and broadcasting and healthcare. Amongst other things, the law contemplates government access to systems where operators fail to respond to incidents. One of the key provisions is the empowerment of the government to seek a court warrant to connect to a computer system or install programs onto critical infrastructure if operators are unwilling or unable to respond to cybersecurity incidents. Despite criticisms, the Hong Kong Government has defended the legislation, stating that similar laws exist in other jurisdictions.
Hegseth orders suspension of Pentagon’s offensive cyberoperations against Russia – APNews – 4 March 2025
US Defence Secretary, Pete Hegseth, has paused US Cyber Command's offensive cyberoperations against Russia, despite national security experts urging expanded capabilities. This decision does not affect cyberoperations by other agencies like the Central Intelligence Agency and the Cybersecurity and Infrastructure Security Agency (CISA). The Trump Administration has also rolled back other digital threat countermeasures, raising concerns about US vulnerability to cyber threats from foreign adversaries like Russia and China.
Trump administration ends FTC’s ransomware data breach case against MGM Resorts – TheRecord – 10 March 2025
The Trump Administration has ended the US Federal Trade Commission (FTC) case against MGM Resorts International regarding a ransomware attack that occurred in 2023, which involved a compromise of personal information. The FTC had sought information on MGM's compliance with various regulations, which MGM resisted. As we reported in February, MGM has already agreed to pay US$45 million to settle related class action lawsuits.
US charges Chinese hackers who targeted dissidents – BBC – 6 March 2025
US prosecutors have charged 12 Chinese nationals for their involvement in a state-sponsored scheme that targeted US-based dissidents and sold their data to the Chinese Government. The incident involved US Government agencies, including the US Treasury. China has not officially responded to the charges but has consistently denied other accusations of state-based espionage in the past.
CISA and Partners Release Cybersecurity Advisory on Medusa Ransomware – Cybersecurity & Infrastructure Security Agency – 12 March 2025
CISA, the Federal Bureau of Investigation and Multi-State Information Sharing and Analysis Center have issued a cybersecurity advisory on Medusa ransomware. Medusa, a ransomware-as-a-service variant, had affected over 300 critical infrastructure victims as of December 2024. The advisory details tactics, techniques and procedures, indicators of compromise, and detection methods. CISA urges reviewing the advisory and implementing mitigations to reduce Medusa ransomware's impact.
Apple’s UK encryption legal challenge heard behind closed doors – The Guardian – 15 March 2025
Apple is currently engaged in a legal battle with the UK Government over an order which threatens to weaken the encryption of the company’s iCloud service. The order, issued under the UK’s Investigatory Powers Act, demands that Apple introduce a capability to decrypt specific users’ iCloud data upon request. The dispute is being held behind closed doors at the Investigatory Powers Tribunal. US lawmakers are calling for a transparent hearing. Apple has argued that overriding encryption mechanisms as described by the order is impossible given that its Advanced Data Protection service provides end-to-end encryption for users’ data stored remotely in its servers.
UK cybersecurity agency warns over risk of quantum hackers – The Guardian – 20 March 2025
The UK's National Cyber Security Centre (NCSC) has urged large organisations, operators of critical national infrastructure and companies with bespoke IT systems to introduce post-quantum cryptography to guard against quantum hackers by 2035. The NCSC recommends that organisations identify services needing upgrades by 2028, complete major overhauls by 2031, and fully migrate to new encryption systems by 2035.
Dual Russian And Israeli National Extradited To The United States For His Role In The LockBit Ransomware Conspiracy – US Attorney’s Office: District of New Jersey – 13 March 2025
Dual Russian and Israeli national, Rostislav Panev, has been extradited to the US in connection with his involvement in the LockBit ransomware group. Panev allegedly acted as a developer of the LockBit ransomware group from approximately 2019 to February 2024, during which time LockBit became one of the most active ransomware groups in the world.