ARTICLE
8 October 2025

Cyber Security: Two Months In Retrospect (Australia) - August And September 2025

Herbert Smith Freehills Kramer LLP


The AFR Cyber Summit was our focus in September, but now we are back. We have looked at the big cyber stories from the last 2 months and brought them together for you below. We do the heavy lifting, so you don't have to...

Cyber Top 10

  1. Australian Clinical Labs and the OAIC presented an agreed civil penalty position of $5.8m to the Federal Court arising from a 2022 data breach affecting 223,000 customers. The final judgment is expected shortly. This is likely to be the first civil penalty judgment under Australia's Privacy Act. For more details, read our summary here.
  2. The OAIC launched civil penalty proceedings against Optus in relation to the cyber attack that impacted the organisation in September 2022. The OAIC has alleged that Optus failed to manage cybersecurity risk in line with its data holdings and profile. Read more here.
  3. Accenture will acquire cybersecurity services firm, CyberCX, being Accenture's largest ever cybersecurity acquisition. The deal remains subject to regulatory approval. Read more here.
  4. The UK Government bailed out Jaguar Land Rover with a £1.5B loan after a cyber attack shut down production in late August. This is the first time that a company has received financial assistance from the UK Government following a cyber attack, sending a curious message to threat actors. Read more here.
  5. The Australian Signals Directorate was busy. The ASD issued a joint advisory on Chinese state-sponsored actors exploiting edge devices to gain persistent access to telecoms, government, transport and military networks, and released new guidance for OT owners and operators to reduce the risk of a cyber security incident. Abigail Bradshaw of the ASD also commented that Australian companies are neglecting the risk of disruption posed by a major cyber attack, by focusing too heavily on AI adoption and data breach prevention. Read more here.
  6. There was a lot of movement in the threat actor space. Ransomware groups ShinyHunters, Scattered Spider and Lapsus$ merged in August, only to 'retire' in September, explaining that they had "done everything they wanted" and wanted to enjoy their earnings. Read more here.
  7. Teenagers caused a lot of grief. Kids in the UK are hacking their own schools. A British teenager has been charged in the US, accused of involvement in at least 120 'Scattered Spider' hacks. A teenager in the US has been released to their parents after surrendering to face charges over cyberattacks targeting Vegas casinos in 2023. Read more here.
  8. Threat actors are not shying away from recruiting support. Corporate employees are being approached directly by threat actors, who promise a cut of a ransom payment in exchange for support. Meanwhile, job ads on the dark web for individuals with 'specialist hacking skills' have doubled in two years. Read more here.
  9. The Cyberspace Administration of China introduced a one-hour reporting window for some serious cybersecurity incidents. Read more here.
  10. Cyber attacks continued to dominate headlines in August and September – particularly the third-party fallout of the ShinyHunters' ransomware attack on Salesforce. Read more here.

Other sectors impacted included:


HSF Kramer's Cyber Risk Survey Report 2025 launched at the AFR Cyber Summit

HSF Kramer was a Platinum Sponsor at the AFR Cyber Summit on 16 September in Sydney, Australia. Cameron Whittfield presented on a panel alongside Garran Jones of DP World, Anne Templeman-Jones of Paladin Energy, and Michelle Fitzgerald of St Vincent's Health Australia, sharing war stories and learnings from recent cyber incidents.

It coincided with the launch of HSF Kramer's Cyber Risk Survey Report for 2025, now in its 3rd year. The report provides important insights about the evolving risk landscape through the eyes of Australia's legal leaders, including their views on how corporate Australia is rising to (or failing to) meet the cyber challenge. The report also includes best practice observations, and survey results broken down by industry (revealing the impact of security of critical infrastructure legislation on cyber readiness).

You can access the Cyber Risk Survey report here.

Welcome to the HSF Kramer Cyber team, Brooke Crenfeldt!

Brooke joins our growing cyber team as a solicitor with deep experience in incident response, spanning numerous cyber events across Australia and New Zealand, including large-scale ransomware attacks, business email compromises, third-party data breaches, and network intrusions. Brooke's energy and passion for cyber is contagious, and we know she will make a meaningful contribution to our practice. Welcome Brooke!

Join us at the HSF Kramer Regulatory and Class Action Risk Symposium

On 28 October, the HSF Kramer Regulatory & Class Actions Risk Symposium will host industry leaders, including Head of National Security at the Department of Home Affairs, Hamish Hansford, to unpack the intersection of regulatory scrutiny and the growing prevalence of class action litigation. This is a unique opportunity to connect with peers, gain insights, and engage with the thought leaders driving change.

Register your interest here.


Australian Information Commissioner takes civil penalty action against Optus
Office of the Australian Information Commissioner – 8 August 2025

The Australian Information Commissioner (AIC) commenced a civil penalty action against Optus, filing proceedings in the Federal Court following an investigation in relation to the breach made public by Optus on 22 September 2022. The breach allegedly involved unauthorised access to the personal information of millions of current, former and prospective customers. The AIC alleges Optus failed to adequately manage cybersecurity risk in accordance with the nature and volume of data they held, as well as the size and risk profile of Optus.

APRA releases notes on Superannuation Industry Roundtable from July 2025 following cyber incidents
Australian Prudential Regulation Authority – 11 August 2025

In the wake of March and April cyberattacks, APRA convened a Superannuation Industry Roundtable to reinforce expectations around cyber resilience and authentication controls. Lieutenant General Michelle McGuinness emphasised the importance of rapid information sharing and sector-wide collaboration, warning that threat actors often replicate successful attacks across industries. Reflections from impacted funds revealed challenges in member engagement, media management, and outbound communications, with distrust in unknown calls complicating response efforts. The ASD noted updated trends regarding incidents in the financial services sector, including that 30% of vulnerability exploits were due to weaknesses (such as a failure to patch).

New asset inventory guidance for operational technology (OT) owners and operators
Australian Signals Directorate – 14 August 2025

Australia's national cyber security agency, in collaboration with international partners, has released new guidance to help owners and operators of operational technology (OT) create and maintain asset inventories. The publication provides a structured process for identifying, classifying, and prioritising OT assets based on their function and criticality. This approach enables critical infrastructure organisations to better organise their defences, manage vulnerabilities, and respond to incidents. The guidance supports existing frameworks for modern defensible architecture and OT cyber security principles, aiming to reduce the risk of cyber incidents in essential services.

APRA Corporate Plan 2025-2026
Australian Prudential Regulation Authority – 21 August 2025

The Australian Prudential Regulation Authority (APRA) has warned that rising geopolitical tensions are likely to increase cyber attacks on Australian financial institutions in its 2025–2026 corporate plan. APRA Chair John Lonsdale cited geopolitical tension as a contributing factor to a worsening risk environment, with operational systems in financial institutions becoming increasingly vulnerable to outages and malicious activity. APRA also flagged emerging risks associated with the use of AI, with targeted supervisory engagements planned to assess the appropriateness of risk management and oversight practices to support responsible use of AI.

ASIC Corporate Plan 2025-2026
Australian Securities and Investments Commission – 26 August 2025

As part of its 'Strengthen operational digital and data resilience and safety' strategic priority, the Australian Securities and Investments Commission (ASIC) has noted that it intends to focus on geopolitical risks, incident response and internal communications, increasing the engagement and resilience of regulated entities, and cross-agency collaboration. Any enforcement action taken by ASIC will seek to protect investors and consumers, with a focus on business, cyber and operational resilience, technology-enabled scams and misconduct, and poor use of AI.

Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System
Australian Signals Directorate – 28 August 2025

The ASD's advisory specifies that state-sponsored cyber actors linked to the People's Republic of China are targeting global networks, including those in Australia, with a focus on telecommunications, government, transport and military infrastructure. These actors exploit known vulnerabilities in edge backbone (of telecommunications providers) and edge routers to gain persistent access to networks. The advisory, jointly issued by agencies including the US National Security Agency and Cybersecurity and Infrastructure Security Agency, covers indicators of compromise and mitigation strategies, with a particular focus on patching to manage known vulnerabilities and exposures (as listed in the advisory).

A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity
Australian Signals Directorate – 4 September 2025

A new international guidance document, co-authored by the Australian Cyber Security Centre and a coalition of global partners, sets out a unified approach to adopting Software Bill of Materials (SBOM) as a key element in strengthening software supply chain security. An SBOM is described as a comprehensive, machine-readable inventory of all components within a software product, providing organisations with the visibility needed to identify vulnerabilities, manage supply chain risks, and ensure compliance with licensing obligations. The document encourages software producers, purchasers, operators, and national cyber agencies to embed SBOM practices into their operations, with a strong focus on automation and secure-by-design principles.

Why companies are ignoring the 'nightmare' cyber scenario
Australian Financial Review – 16 September 2025

Abigail Bradshaw, Director-General of the ASD, has warned that Australian companies are neglecting the risk of major cyber disruption attacks by focusing too heavily on AI adoption and data breach prevention. Speaking at the Financial Review Cyber Summit, Bradshaw cited the 2024 CrowdStrike software outage, which disabled 8.5 million Microsoft Windows devices globally, as a wake-up call for business continuity planning. She noted that only about 40% of ASX 200 company boards are prioritising disruption scenarios. Home Affairs and Cybersecurity Minister Tony Burke described a malicious outage of essential services as his 'nightmare' scenario, urging organisations to prepare for full-scale outages.

Australian Clinical Labs agrees to $5.8m penalty in relation to 2022 Medlab Pathology hack
Cyber Daily – 29 September 2025

Australian Clinical Labs (ACL) and the Office of the Australian Information Commissioner informed the Federal Court of Australia that they had reached an agreement on a $5.8 million penalty arising from ACL's 2022 data breach involving the personal information of 223,000+ Medlab customers. The penalty, which remains subject to Federal Court approval, would resolve civil penalty proceedings initiated by the AIC in November 2023. The AIC alleged that ACL seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act, failures which allegedly left ACL vulnerable to a cyberattack.

For more details, read HSF Kramer's note here.


AI-driven cyber attacks surge as APAC risk leaders feel unprepared
Security Brief – 4 August 2025

AI-driven cyber attacks have increased significantly across the Asia-Pacific region, with incident frequency rising 29% over the past year and fraud-related cyber insurance claims spiking 233% according to Aon's 2025 Cyber Risk Report. The research indicates that 98% of risk leaders consider themselves inadequately prepared to manage AI-related threats, despite widespread organisational adoption of AI tools. Positive developments include declining ransom payments and easing cyber insurance rates, prompting businesses to reassess their coverage requirements.

CrowdStrike 2025 Threat Hunting Report
CrowdStrike – 5 August 2025

CrowdStrike's 2025 Threat Hunting Report details evolving cybercriminal tactics designed to circumvent traditional security measures. The analysis highlights a 136% increase in cloud intrusions during the first half of 2025, with attackers exploiting identity vulnerabilities and AI tools to gain system access. The adoption of generative AI by cybercriminal groups, including Famous Chollima, Scattered Spider and Blockade Spider, has enabled sophisticated phishing campaigns, deepfake technology and enhanced malware development. The report recommends proactive security measures including phishing-resistant multi-factor authentication, behavioural analytics and comprehensive incident response planning to maintain defensive advantages against advancing threat actors.

One in Three Australian Ransomware Victims Hit Multiple Times
Australian Cyber Security Magazine – 6 August 2025

Ransomware attacks are increasingly targeting Australian organisations multiple times, with Barracuda's 2025 Ransomware Insights Report finding one-third of local victims experienced repeat attacks within the past year. The research reveals that 67% of repeat victims are managing excessive numbers of security tools, whilst 62% report inadequate integration between these systems, creating vulnerabilities for attackers to exploit. Email remains a primary attack vector, yet fewer than half of Australian organisations have implemented email security measures.

Accenture acquires Aussie cyber security firm CyberCX
Cyber Daily – 15 August 2025

Consulting firm Accenture has announced its acquisition of Australian cybersecurity services provider CyberCX, representing the firm's largest cybersecurity acquisition to date. The transaction aims to enhance Accenture's security capabilities across the Asia-Pacific region, leveraging CyberCX's established relationships with government and critical infrastructure clients. Melbourne-based CyberCX employs approximately 1,400 staff and operates security operations centres across Australia and New Zealand. The acquisition remains subject to regulatory approval, with CyberCX's leadership team expected to join Accenture in senior positions.

DDoS hacktivists pressure Australia to boycott Israel
Cyber Daily – 19 August 2025

Australian government agencies and education institutions have been targeted by pro-Russian and pro-Palestinian hacktivists in an attempt to shift global political sentiment. DieNet, a distributed denial-of-service (DDoS) threat actor, initially claimed attacks on the NSW government job portal and the University of Western Australia on 7 March 2025. The NSW Government's job portal was targeted again on 19 August 2025, to encourage the NSW government to boycott Israel after recent global events. DieNet has promised to 'visit some other Australian government sites soon...'.

Microsoft plans full quantum-resistant cryptography transition by 2033
iTNews – 22 August 2025

Microsoft has announced plans to transition all its services and products to quantum-resistant cryptography by 2033, two years ahead of the 2035 deadline set by most governments. The company warns that future quantum computers could break current public-key encryption, making early preparation essential. Microsoft's three-phase approach includes integrating post-quantum algorithms into its core cryptographic library, updating infrastructure services, and rolling out quantum-safe measures across platforms such as Windows, Azure, and Microsoft 365. The company is collaborating with global standards bodies to ensure interoperability and urges organisations to begin planning for quantum-safe security now to avoid future risks.

Hacker help wanted: Darknet recruitment posts surge
Cyber Daily – 26 August 2025

Cybercriminal recruitment on the darknet has surged, with hacker job ads on forums like Exploit and RAMP doubling year-on-year since 2023, according to research by ReliaQuest. Demand for English-speaking hackers skilled in social engineering has increased tenfold in 2025, alongside rising interest in cloud security, artificial intelligence, and deepfake expertise. Recent ads seek specialists in techniques such as ClickFix, which tricks victims into running malicious code disguised as CAPTCHA checks. The recruitment process mirrors legitimate hiring, with detailed job descriptions and requirements, reflecting the growing sophistication and professionalisation of the cyber crime ecosystem.

Hackers steal data from Salesforce instances in widespread campaign
Cybersecurity Dive – 26 August 2025

Hackers have stolen user credentials from over 700 Salesforce customers in a widespread campaign that exploited compromised OAuth tokens linked to Salesloft's Drift AI chat agent, according to Google Threat Intelligence Group. The attackers, tracked as UNC6395, used automated tools to harvest large amounts of data, including Amazon Web Services and Snowflake credentials between 8 and 18 August 2025. Both Salesforce and Salesloft have revoked affected tokens and removed Drift from the AppExchange marketplace.

Hackers weaponise Anthropic AI for cyber attacks
Cyber Daily – 29 August 2025

Anthropic's latest Threat Intelligence Report reveals that its Claude large-language model is already being pressed into service by cybercriminals. The company uncovered three distinct campaigns: a mass-extortion operation powered by 'Claude Code', a North Korean fraud ring using the tool to fabricate résumés and complete technical assessments for jobs at US Fortune 500 tech firms, and the sale of AI-generated ransomware by an attacker with only rudimentary coding skills.

Aussie super industry to run sector-wide cyber exercise
Cyber Daily – 2 September 2025

Australia's superannuation industry is set to undertake a major sector-wide cyber security exercise, Operation Honey Bee II, led by the Gateway Network Governance Body. The initiative will bring together super funds, administrators, regulators, and government agencies to simulate a significant cyber attack on the $4.1 trillion sector. The exercise aims to strengthen collective cyber resilience, test coordination and communication, and identify security gaps under pressure. The move follows warnings from the Australian Prudential Regulation Authority that current cyber controls are not keeping pace with evolving threats, highlighted by a recent credential stuffing attack affecting thousands of superannuation accounts.

Call for 'human firewall' to guard against AI-powered scams
Australian Financial Review – 15 September 2025

Home Affairs and Cyber Security Minister Tony Burke has called on Australian businesses to build a 'human firewall' to defend against increasingly sophisticated scams powered by AI. Speaking at the Financial Review Cyber Summit, Minister Burke warned that laws and technology alone are insufficient, urging investment in staff training to recognise scams. The Australian Government plans to release new guidance for small to medium businesses.

Fifteen Ransomware Gangs "Retire," Future Unclear
Infosecurity Magazine – 16 September 2025

Ransomware groups Scattered Spider, ShinyHunters, and Lapsus$ have posted farewell messages on BreachForums and Telegram, claiming they had "done everything they wanted" and were retiring to enjoy their earnings. The announcement, made on BreachForums, suggested some members would retire with their accumulated wealth while others would continue to study and improve systems 'in silence.' Despite these claims, cyber security analysts have expressed scepticism, warning that such retirements are often temporary and may simply signal a period of rebranding or regrouping, as seen with previous groups like GandCrab and REvil. Experts caution that copycat groups or splinter factions may quickly fill the void.

Cyber Security TAFE Centre of Excellence opens
ACT Government – 16 September 2025

The Albanese government has launched its 13th TAFE Centre of Excellence at the Canberra Institute of Technology's Woden campus, with a dedicated focus on cyber security training. Opened on 15 September 2025, the centre aims to strengthen Australia's cyber security workforce by providing specialist, practical education to address national threats and industry needs. The centre will support a diverse pipeline of talent, including initiatives for senior secondary and trades students, and will serve as a national hub for TAFE cyber security programs.

Ransomware now targeting backups, warns Google's APAC security chief
Techwire – 23 September 2025

Ransomware groups in Asia Pacific are increasingly targeting backup infrastructure, corrupting or deleting backup data to block recovery and intensify ransom demands, according to Google Cloud's latest Threat Horizons Report. In 2024, ransomware accounted for over 20% of Mandiant's incident response cases, with attackers exploiting weak credentials and misconfigurations, which made up 47% and 29% of cloud incidents, respectively. Daryl Pereira, Google's Asia Pacific Chief Information Security Officer, warns that uneven security across the region leaves organisations exposed, urging adoption of Cloud Isolated Recovery Environments and hybrid-cloud strategies.

NSW gov third party-linked cyber incidents quadruple in two years
iTNews – 18 September 2025

Cyber incidents linked to third-party systems used by the NSW Government have more than quadrupled in two years, with seventeen incidents recorded in the 2023–24 financial year compared to just four in 2021–22, according to figures obtained under the Government Information Public Access Act. The rise follows the adoption of a structured incident reporting framework by Cyber Security NSW in 2021. The Department of Customer Service emphasised the importance of embedding cyber security requirements in contracts and conducting vendor risk assessments. The NSW government has pledged $87.7 million over four years to strengthen cyber security, including measures to address third-party risks.


Asean to align laws on AI, cybercrime and cross-border disputes
New Straits Times – 4 August 2025

The members of the Association of Southeast Asian Nations (ASEAN) are set to align their artificial intelligence, cybercrime and cross-border commercial disputes laws, forming a unified framework for the rapidly evolving cyber landscape. A joint statement declaring the upcoming commitment will be signed at the ASEAN Law Forum in Kuala Lumpur. The agreement will cover a range of transnational legal themes, including international arbitration, insolvency, online safety, cybercrime, AI in legal practice, and business and human rights in the context of technology law.

Allianz Life faces 2 lawsuits following third-party cyber attack
Cyber Daily – 6 August 2025

In the wake of Allianz Life's announcement of a cyber attack in August, a consumer class action has been launched against the company, seeking compensation and improvements in security. The class action was listed in the US District Court for the District of Minnesota. A second class action was launched soon after. Allianz Life revealed that the attack involved the exfiltration of customer names, addresses, birth dates and social security numbers.

Norway spy chief blames Russian hackers for dam sabotage in April
Reuters – 14 August 2025

Norway's counterintelligence agency has officially attributed an April 2025 cyberattack on a dam in Bremanger, Western Norway, to Russian hackers. The attackers briefly took control of the dam, opening a flood gate and releasing 500 litres of water per second for four hours before authorities intervened. No injuries were reported, but the incident raised concerns about the vulnerability of Norway's hydropower infrastructure, which supplies most of the country's electricity. Beate Gangaas, Head of the Police Security Service, warned that such operations aim to create fear and chaos. The Russian embassy in Oslo dismissed the allegations as politically motivated.

North Korea-linked hackers target embassies in Seoul in new espionage campaign
The Record – 20 August 2025

A North Korea-linked hacking group, believed to be Kimsuky (also known as Advanced Persistent Threat 43 or APT43), has conducted a months-long espionage campaign targeting at least 19 embassies and foreign ministries in South Korea, according to cybersecurity firm Trellix. The attackers posed as diplomats, sending emails with malicious attachments disguised as diplomatic correspondence, which deployed the XenoRAT remote access trojan. The campaign's activity patterns suggest possible links to China, as operations aligned with Chinese working hours and holidays. The malware enabled full system control and exfiltrated data via platforms like GitHub, Dropbox, and Google Drive, highlighting the group's evolving tactics.

Elderly woman conned by romance scammer posing as stranded astronaut
Sky News – 3 September 2025

An 80-year-old woman in Japan has fallen victim to a romance scam after being convinced by an online fraudster, posing as a stranded astronaut, to send approximately one million yen. The scam began on social media in July, with the perpetrator claiming to be in space and in urgent need of money to buy oxygen after his spaceship came under attack. Police in Hokkaido, where the woman lives alone, have confirmed the incident and warned the public to be wary of requests for money from online acquaintances promising companionship.

Kids in the UK are hacking their own schools for dares and notoriety
TechCrunch – 11 September 2025

The United Kingdom's Information Commissioner's Office (ICO) has revealed that students were responsible for 57% of personal data breaches in schools, with many incidents driven by dares, notoriety, money and rivalries. Analysis of 215 data breach reports found that nearly a third of breaches occurred when students guessed weak passwords or found login details unsecured, with only a small number involving more advanced hacking techniques. The ICO warned that such behaviour could set children on a path towards cybercrime.

China's internet watchdog mandates 1-hour reporting for serious cybersecurity incidents
South China Morning Post – 15 September 2025

The Cyberspace Administration of China (CAC) has introduced new rules requiring network operators to report 'particularly serious' and 'serious' cybersecurity incidents to the relevant regulator and the public security authorities within one hour. Network operators that are not central or state authorities must report incidents within 2 hours. The measures are set to take effect from 1 November 2025.

US government charges British teenager accused of at least 120 'Scattered Spider' hacks
TechCrunch – 18 September 2025

The US Department of Justice has charged a British teenager with involvement in at least 120 cyber attacks, including breaches of the US Courts system and the extortion of dozens of American companies. Jubair, arrested in East London alongside Owen Flowers, 18, is accused of being part of the Scattered Spider hacking group, known for using social engineering to infiltrate organisations and demand ransoms. Prosecutors allege Jubair's activities resulted in over $115 million in ransom payments, with a cryptocurrency wallet containing $36 million seized by the Federal Bureau of Investigation.

Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike
The Hacker News – 24 September 2025

Chinese state-sponsored hacking group RedNovember, also known as TAG-100 and tracked by Microsoft as Storm-2077, has been targeting government and private sector organisations worldwide, including in Australia and the Pacific, according to a new report from Recorded Future. Between June 2024 and July 2025, RedNovember exploited vulnerabilities in perimeter devices from vendors such as Check Point, Cisco and Palo Alto Networks to breach high-profile targets, including defence contractors and government agencies. The group uses open-source tools like Pantegana and Spark Remote Access Trojan, as well as Cobalt Strike, to maintain persistence and complicate attribution.

Co-op says it lost $107 million after Scattered Spider attack
Bleeping Computer – 25 September 2025

The Co-operative Group in the United Kingdom reported an £80 million loss in operating profit for the first half of 2025, linked to an April cyber attack attributed to Scattered Spider affiliates. The incident resulted in £20 million in one-off costs and £60 million in lost sales, with overall revenue dropping by £206 million. Hackers stole the personal data of all 6.5 million members, forcing Co-op to rebuild its Windows domain controllers and further extend system unavailability. Despite the financial impact, the group maintains strong liquidity and expects an additional £20 million in losses as recovery continues into the second half of the year.

Teen suspected of Vegas casino cyberattack released to parents
Bleeping Computer – 25 September 2025

A 17-year-old suspected member of the Scattered Spider hacking group, linked to the 2023 cyber attacks on Las Vegas casinos, has been released into his parents' custody under strict conditions, following a family court ruling. The attacks, which targeted MGM Resorts and Caesars Entertainment, involved sophisticated intrusions and the deployment of BlackCat/ALPHV ransomware, resulting in over $100 million in damages for MGM and a $15 million ransom payment by Caesars. Prosecutors allege the teen still controls $1.8 million in Bitcoin and are seeking to have him tried as an adult on charges including extortion and unlawful computer acts.

Ransomware gang sought BBC reporter's help in hacking media giant
Bleeping Computer – 29 September 2025

A BBC cybersecurity correspondent, Joe Tidy, revealed that the Medusa ransomware gang attempted to recruit him as an insider to help breach the broadcaster's network in exchange for a share of any ransom paid. The gang, contacting Tidy via Signal in July, initially offered 15% of the ransom, later increasing the offer to 25%, and promised anonymity. Medusa, known for double-extortion tactics and over 300 attacks on critical infrastructure in the US, seemingly sought to use Tidy's access to steal data and demand a ransom in the tens of millions.

UK government bails out Jaguar Land Rover with £1.5B loan after hack disrupts vehicle production for weeks
TechCrunch – 29 September 2025

The United Kingdom government has guaranteed a £1.5 billion loan to Jaguar Land Rover (JLR) after a cyber attack forced the carmaker to halt production for weeks, threatening the viability of its supply chain and the jobs of around 120,000 people. The attack led to significant operational disruption and an estimated £50 million in losses for JLR. Notably, JLR did not have cyber insurance at the time of the incident. The bailout, the first of its kind in the UK following a cyberattack, has sparked debate about the potential for encouraging future attacks.

Phantom Taurus: New China-Linked Hacker Group Hits Governments With Stealth Malware
The Hacker News – 30 September 2025

Phantom Taurus, a newly identified China-linked nation-state hacking group, has been targeting government and telecommunications organisations across Africa, the Middle East, and Asia, according to Palo Alto Networks' Unit 42. The group's primary focus is espionage, with operations often coinciding with major geopolitical events and targeting ministries of foreign affairs, embassies, and military operations. Phantom Taurus employs a custom malware suite called NET-STAR, designed to infiltrate Internet Information Services web servers and evade detection. The group has exploited known vulnerabilities in Microsoft Exchange and IIS servers, demonstrating advanced persistence and evasion techniques.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
