China’s state-backed hackers have increasingly targeted Australia’s critical infrastructure, and in an audacious breach of a military contractor last year stole sensitive data on advanced weapon systems, according to a report prepared by the country’s top domestic intelligence agency. The assessment, from Australian Security Intelligence Organisation chief Mike Burgess, comes with warnings from allied cyber agencies of a longstanding campaign to surreptitiously gain access to networks that keep the country’s lights on, its water flowing and transport running.
Prepositioning For Espionage And Sabotage
At least two China-linked groups are prepositioning themselves inside the computer networks of targeted organizations, a term security agencies use when hackers gain access and remain available for use at a later date. Western officials have singled out one group, known as Volt Typhoon, which has targeted utilities, transportation and government services by trying to hide in the noise of legitimate network activity through use of stolen credentials and “living off the land” tools such as PowerShell, WMI and built-in administrative tools.
Joint advisories from the U.S. Cybersecurity and Infrastructure Security Agency, National Security Agency, FBI, and allied partners detail Volt Typhoon’s tradecraft: targeting edge devices such as routers and firewalls, taking over small office/home office equipment, and executing minimal malware movement so they won’t get caught. Microsoft and several national cyber authorities have issued warnings that the group’s aim is not snatch-and-grab theft but persistent access that could be used to damage energy, water, maritime and aviation systems during a regional crisis.
What complicates things more for Australia is the fabric of its interdependence among sectors. The power grid depends on telecommunications for control signals, the rail systems with both electric and digital signaling, and water treatment plants are becoming more regularly remotely operated. Short disruptions in one sector can propagate through other industries as well, a dynamic already shown under the pressure of emerging infrastructure attacks from IT to operational technology networks around the world.
Telecom carriers in the crosshairs amid persistent breaches
Burgess also pointed to another China-backed cluster he called Salt Typhoon, which has been focusing on telecommunications carriers to scoop up call records and other network data. The FBI said Salt Typhoon has breached more than 200 phone and internet providers, including some of the largest US-based companies like AT&T, Verizon and Lumen, as well as several cloud and data center firms that support carrier services.
Telecom metadata — who called whom, when and where from — can build up entire social and corporate networks. Such access allows counterintelligence targeting, credential theft and future disruption, security officials say. After reported carrier attacks, North American law enforcement called for wider adoption of end-to-end encrypted messaging and greater use of two-factor authentication to minimize exposure. Canada’s cyber agency has also confirmed carrier breaches attributed to China-based actors.
Risks To Australia’s Critical Infrastructure
Australia’s Security of Critical Infrastructure framework applies to a broad range of sectors, including communications, data and the storage and processing of data, energy, financial services and markets, food and grocery production and distribution, health care services (including hospitals), higher education research facilities, space technology & telecommunications infrastructure; transport; water; and the defense industrial base. Prepositioning in any of these ecosystems also raises the specter of real-world consequences: power outages, water quality disruptions, port slowdowns, weakened emergency response or mass transit meltdowns.
Telecom access is a more specific force multiplier. If an adversary is able to disrupt routing or signal at scale, it can blind operators, slow incident response and complicate the restoration of power, water and logistics. For that reason, Five Eyes member agencies have repeatedly warned about state-sponsored tradecraft targeting carriers and managed service providers and the internet’s core routing infrastructure.
What operators should do now to harden critical systems
Owners of Australian networks should expect stealthy, password-based intrusions and secure their networks in that regard. The Australian Cyber Security Centre and its partners advise hardening identity systems with phishing-resistant multifactor authentication, enforcing least-privileged access and aggressively segmenting networks—particularly between IT and operational technology environments.
Edge devices take precedence: deploy those firmware updates right away, turn off any services you don’t use and watch for funky outbound connections. Because Volt Typhoon-style operations reduce malware, defenders should look for behavior: atypical use of native admin tools, irregular account logons at odd hours, spikes in directory queries, and lateral movement that bypasses normal remote management channels. Endpoint detection and response on both servers and domain controllers, combined with deep visibility into DNS and authentication logs, is essential.
Set the baseline of what is normal control system traffic for industrial operators; deploy unidirectional gateways wherever possible, and ensure they have tested backups with a means to disconnect the equipment quickly if need be.
Incident response obligations under Australia’s critical infrastructure laws and mandatory incident reporting should be operationalized with pre-agreed playbooks and routine joint exercises incorporating telecom contingencies. Companies’ boards should demand red-team assessments that emulate current state-sponsored techniques, not just commodity ransomware scenarios.
Beijing’s Denials And The Strategic Backdrop
Chinese officials consistently deny claims of state-sponsored hacking. Nevertheless, attributions from ASIO’s partners alongside technical reporting from CISA, the NSA, the FBI, the UK’s National Cyber Security Centre and Canada’s Centre for Cyber Security have coalesced on a set of common themes: Beijing-aligned operators are finding accesses to enable collection and consequence too long after that flash point.
“It’s that the capability is already there in networks, and then it becomes an issue of intent,” Burgess said. For Australia, that will mean being able to think about its cyber readiness in terms of national resilience: not just how to prevent intrusions, but also ensuring that the country can absorb them and bounce back when under pressure.
The bottom line for Australia’s critical infrastructure
Australia’s spy chief is signalling that Chinese state-backed actors are not content with merely stealing data — they are positioning to flip switches. Critical infrastructure operators need to act with urgency, moving away from compliance checklists and toward threat-driven resilience, working now on how they would respond when a quiet foothold turns into an orchestrated effort to disrupt the country’s critical functions.