Cyber Security: A Month In Retrospect (Australia) - July 2025

From hacks to headlines, here is a month of cyber news in retrospect (July 2025):

New Podcast: Cross Examining Tamir Maltz

In this episode, we interview Tamir Maltz, Barrister at 12 Wentworth Selborne Chambers, Sydney. An expert in cyber injunctions, Tamir provides strategic legal advice and robust representation backed by 20 years of experience. He has represented clients across corporate, construction, property and technology sectors.

We talk about the motivation behind the injunction initiative, the pros and cons and how the courts are interpreting these arrangements. We also look at the client benefits and when they are best utilised.

You can listen to the episode here.

Snap nominated for Best Innovation in the Relativity Innovation Awards

Our cyber response capabilities have been strengthened through the development of Snap, an AI-powered RelativityOne solution that harnesses the power of AI for image classification and identity document recognition. Built by our Digital Legal Delivery team, Snap allows our teams to automatically categorise images, generate intelligent summaries, and extract relevant information seamlessly.

Snap has been nominated for Best Innovation in the Relativity Innovation Awards. Community Choice public voting is now open. You can cast your vote for Snap here before 22 August.

2025 Financial Review Cyber Summit | Cyber Risk Survey Report

HSF Kramer is a Platinum Partner of the 2025 Financial Review Cyber Summit, to be held in Sydney on Tuesday 16 September.

Keep an eye out for our Cyber Risk Survey Report, due to be released next month. Now in its third year, the report serves as a key touchstone regarding the attitudes and experiences of legal leaders across corporate Australia as they relate to approaches to cyber security and related risks.

APRA's new prudential standard on operational risk management comes into force – Australian Prudential Regulation Authority – 1 July 2025

APRA's cross-industry Prudential Standard (CPS) 230 is now in force, requiring banks, insurers, and superannuation funds to meet higher standards of operational risk management. CPS 230 requires APRA-regulated entities to be well-prepared to ensure continuity of critical services to the community and respond to business disruptions by:

• identifying important business services and determining the extent to which these services can continue during severe disruptions;
• testing their business continuity planning to identify vulnerabilities to ensure they are positioned to overcome severe disruptions; and
• enhancing third-party risk management by ensuring risks from material service providers are identified and appropriately managed.

Standards Australia adopts world's foremost standard for operational technology – Standards Australia – 10 July 2025

Australia has officially adopted AS IEC 62443 as the national standard for securing operational technology (OT) in critical infrastructure. This reflects Standards Australia's belief that OT systems are the backbone of essential services across sectors including energy, water, transport, medical devices and automation. The move aims to reduce cyber risks, improve resilience and align with local regulations whilst protecting essential services. Standards Australia has noted that it intends to evolve the standards to meet the needs of emerging technologies and smart systems, extending the series to address the standard to address the application to industrial internet of things (IoT) devices.

NSW auditor delays release of leaked cybersecurity report – InnovationAus – 10 July 2025

The Audit Office of NSW has purportedly delayed the release of an audit exposing cybersecurity failings at four of NSW's six local health districts until December 2025, after the draft report was leaked to the Sydney Morning Herald. The audit examining the effectiveness of local health districts in safeguarding patient data found 'systemic non-compliance' with minimum NSW Cyber Security Policy standards. The report highlighted the four local health districts, that their hospitals were without disaster recovery plans and that they were 'ill-prepared to respond' if a cyberattack occurred. In late June 2025, the NSW Auditor-General separately released a report analysing NSW Cyber Security Policy compliance data submitted to Cyber Security New South Wales by NSW state agencies in 2024, which can be read here.

APRA Chair John Lonsdale – Speech to Australian Banking Association Conference 2025 – Australian Prudential Regulation Authority – 24 July 2025

APRA Chair John Lonsdale warned that credential stuffing attacks on superannuation funds in April highlighted that a pressing issue in cyber risk is weaknesses in authentication controls. Speaking at the Australian Banking Association Conference, Lonsdale noted cyber risk remains the top concern for APRA. According to Lonsdale, CPS 234 requires entities to have controls commensurate with the threat environment, meaning that entities must continue to review their controls as the cyber threat environment worsens. Lonsdale also emphasised that entities are increasingly vulnerable due to their increasing reliance on third party service providers. Importantly, Lonsdale also announced APRA's intention to formalise a move from a two-tiered to a three-tiered approach to proportionality in its prudential framework for banking.

OAIC releases regulatory action priorities for 2025-26 – Office of the Australian Information Commissioner – 29 July 2025

The OAIC has released its regulatory action priorities for 2025-26, targeting sectors that compromise rights and create power imbalances. The OAIC will focus its enforcement action and regulator attention on advertising technology (including pixel tracking), artificial intelligence, excessive collection and retention of personal information, facial recognition technology and other types of biometric scanning, new surveillance technologies, and the rental and property, credit reporting, and data brokerage sectors. The agency will also focus its efforts on access to government information, government use of AI and automated decision-making, and generally strengthening information governance and integrity in the Australian Public Service.

Consultation on developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy – Department of Home Affairs – 29 July 2025

The Australian Government has commenced the process of consulting with industry and the broader public ahead of developing Horizon 2 of its 2023 – 2030 Australian Cyber Security Strategy. A Policy Discussion Paper has been released, with submissions due before 29 August 2025. In the meantime, the Department of Home Affairs will be holding two virtual town hall events to provide an opportunity for discussion, focusing on the development of Horizon 2 as well as conceptualising, measuring and analysing the impact of the Strategy. Register for a Town Hall event here.

Exercise Talisman Sabre 2025 opens – Asia Pacific Defence Reporter – 14 July 2025

Australia's largest bilateral military exercise, Exercise Talisman Sabre 2025, commenced with more than 35,000 military personnel from Australia and 18 partner nations conducting operations across Australia, including on Christmas Island. The three-week exercise extended to Papua New Guinea for the first time, featuring integrated training across land, sea, air, space and cyber domains. The exercise showcased new Australian Defence Force capabilities including UH-60M Black Hawk helicopters and the Precision Strike Missile.

Australia confirms establishment of cyber reserves workforce by early 2026 – Department of Defence – 15 July 2025

The Australian Government has announced that a cyber reserve workforce will be introduced by early 2026. The initiative will onboard mid-career specialists under a flexible service model, contributing cyber expertise to protect critical networks. Colonel John Molnar says the workforce will form "a powerful new way for Australians to serve by bringing their skills to the frontline of national cyber defence". The reserves aim to enhance resilience and build sovereign capability and workplace agility in relation to cyber.

Disrupting active exploitation of on-premises SharePoint vulnerabilities – Microsoft – 22 July 2025

The Microsoft Security Response Center (MSRC) published a blog addressing a critical vulnerability impacting Microsoft Office SharePoint products. The intrusions were exploiting an attack sequence that combined remote code injection and network spoofing vulnerabilities. According to Microsoft, the vulnerabilities only affect on-premises SharePoint servers and do not affect SharePoint Online in Microsoft 365. Microsoft released security updates to address these vulnerabilities during the month. Microsoft purportedly observed Chinese nation-state actors exploiting these vulnerabilities targeting internet-facing SharePoint servers, including one to deploy ransomware.

Australia Ranks Fourth Globally for Cyber Threats in Critical Infrastructure – Australian Cyber Security Magazine – 30 July 2025

Australia has retained its position as the fourth most targeted country for cyber attacks on OT and internet of things (IoT) technology. Nozomi Network Labs' report reveals that the manufacturing sector has remained a prime target, followed by the minerals and mining sectors. The most common attack method observed across Australian networks involved the use of default credentials and valid accounts. Australia has also experienced a rise in botnet activity. The report also noted that, in May and June 2025, attacks from Iranian state-affiliated groups increased by 133% globally, with US transportation and manufacturing sectors among primary targets.

ShinyHunters behind Salesforce data theft attacks at major companies – Bleeping Computer – 30 July 2025

The ShinyHunters extortion group has been linked to breaches impacting organisations including Allianz Life, LVMH and Adidas. Primarily using voice phishing, the ShinyHunters group impersonated IT support staff in phone calls to employees, attempting to persuade them to visit Salesforce's connected app setup page and enter a 'connection code' which links to a malicious Data Loader OAuth app. In some cases, the Data Loader component was renamed to "My Ticket Portal" to make it more convincing. Google's Threat Intelligence Group (GTIG) warned in June that threat actors tracked as UNC6040 were targeting Salesforce customers in social engineering attacks. The article reports that the attacks have not led to public extortion or data leaks to date.

Scattered Spider – Australian Signals Directorate – 30 July 2025

The Australian Signals Directorate's Australian Cyber Security Centre, together with the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom's National Cyber Security Centre (NCSC-UK) and others, updated a November 2023 joint cybersecurity advisory on the Scattered Spider cybercriminal group in response to recent activity impacting the commercial facilities sectors, subsectors, and other sectors. New tactics, techniques, and procedures associated with Scattered Spider include additional malware and ransomware variants used to exfiltrate data and encrypt the systems of their targets. The advisory recommends maintaining offline backups of data that are stored separately from the source systems and tested regularly, enabling and enforcing phishing-resistant MFA, and implementing application controls to manage and control software execution.

ASIO disrupted 24 'major espionage and foreign interference' operations in three years – ABC News – 31 July 2025

Australian Security Intelligence Organisation's Director-General Mike Burgess has warned that foreign espionage is costing Australia at least $12.5 billion annually, revealing the agency disrupted 24 major operations in the past three years – more than in the previous eight years combined. In a speech delivered at the annual Hawke Lecture at the University of South Australia, Burgess highlighted aggressive targeting of Australians by foreign intelligence services, including China, Russia, and Iran. Burgess criticised complacency among officials and businesses, stressing the need for vigilance. He also raised concerns about espionage targeting AUKUS-related military technology and diaspora communities.

SEC reaches settlement with SolarWinds over Sunburst breach – Bloomberg Law – 2 July 2025

The Securities and Exchange Commission (SEC) reached a settlement in principle with SolarWinds over the company's alleged failure to disclose cybersecurity risks prior to its announcement in 2020 that it had been the target of a cyber attack over a two-year period, applying for joint motion to stay all pending dates in the SEC lawsuit. A judge had previously dismissed most of the SEC's claims in July 2024, including allegations that SolarWinds violated internal accounting control rules.

US Coast Guard cybersecurity rule takes effect for marine transportation – US Coast Guard – 16 July 2025

The US Coast Guard published a final rule on cybersecurity in the Marine Transportation System, introducing cyber security obligations for all US-flagged vessels, Outer Continental Shelf facilities, and facilities subject to the Maritime Transportation Security Act 2002. Requirements include developing and maintaining a Cybersecurity Plan, designating a Cybersecurity Officer and various other requirements. The mandatory cyber incident reporting obligation took effect on 16 July 2025, while the grace period for many other requirements is not scheduled to end until 15 July 2027.

UK to lead crackdown on cyber criminals with ransomware measures – United Kingdom Government – 22 July 2025

In an effort to disrupt the cyber criminal business model and protect critical services, the UK Government has proposed a ban on public sector bodies and operators of critical national infrastructure paying cyber ransom demands. Additionally, businesses not covered by the ban would be required to notify the government of their intent to pay a cyber ransom demand. Upon notification, the government may provide advice and support (including sanctions checking services). This latter information-sharing initiative purportedly received strong public support in recent industry consultations, and is intended to support law enforcement to disrupt cyber activity.

Singapore's cybersecurity paradox: Top firms rated A, yet all breached – CSO Online – 24 July 2025

All of Singapore's top 100 companies by market capitalisation suffered supply chain breaches in the past year, despite 91% earning A-grade cybersecurity ratings according to SecurityScorecard. Only 5% suffered direct breaches, with the technology sector reporting the highest direct breach rate of 40%. The research found all firms in scope had at least one compromised third-party provider in their digital supply chain. Singapore also faces targeted campaigns from China-linked threat group UNC3886, exploiting vulnerabilities in Juniper routers to infiltrate telecommunications and service provider networks through the GobRAT Operational Relay Box network.

Clorox sues Cognizant for $380 million over cyberattack – Cyber Daily – 25 July 2025

Clorox filed a lawsuit against IT services provider Cognizant, alleging the company's helpdesk staff handed over network passwords to cyber criminals during the August 2023 attack, seeking $380 million in damages. The lawsuit includes transcripts of recorded conversations, allegedly illustrating how attackers obtained access by impersonating legitimate employees and requesting password resets without proper identity verification. Cognizant has disputed the allegations, stating Clorox had 'an inept internal cyber security system' and that it was hired only for a narrow scope of help desk services.

CPPA finalises CCPA Regulations on automated decision-making technology, risk assessments and cybersecurity audits – National Law Review – 29 July 2025

The California Privacy Protection Agency (CPPA) finalised the California Consumer Privacy Act (CCPA) regulations on automated decision-making technology, risk assessments and cybersecurity audits following a lengthy rulemaking process. The regulations would impose stricter requirements on the use of automated decision-making technology, require companies to conduct risk assessments when engaged in certain processes (including selling or sharing personal information) and introduce mandatory annual cybersecurity audits. The new regulations will take effect once approved by California's Office of Administrative Law, and include various grace periods.

Palo Alto Networks to buy CyberArk for $25B as identity security takes centre stage – CSO Online – 30 July 2025

Palo Alto Networks has agreed to acquire Israeli identity security company CyberArk for approximately $25 billion, marking the industry's second-largest transaction this year (after Google's acquisition of Wiz for $32 billion). CyberArk generated over $1 billion in revenue in 2024, a 33% year-on-year increase. The deal represents a strategic shift for Palo Alto, which has previously avoided identity management due to deep integration demands. The acquisition signals an industry movement toward comprehensive security platforms over collections of individual security tools.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.