Ben Watson & Alan Grant | SOC Analysts | 1 September 2025        

Welcome to Fortian's August 2025 cyber environment update!

August was another busy month, with both state-backed hackers and cybercriminal groups making headlines. China remained at the centre of global concern, with ongoing campaigns against telecoms, hosting providers, and diplomatic networks, while a significant joint advisory from 23 international cyber agencies warned of long-term, systemic Chinese espionage.

In Australia, the OAIC launched legal action against Optus for its handling of the 2022 breach, ASIO reported that cyber espionage cost the economy $3 billion in the past year, and local organisations including iiNet, Scotch College, and the University of Western Australia were hit by cyber incidents.

Ongoing Chinese Cyber Espionage

August 2025 highlighted the growing scale and sophistication of state-backed cyber activity, with China at the centre of much of the global concern. Telecommunications and hosting providers remain prime targets, while new campaigns have extended into diplomatic and government networks.

Governments across the world responded with a rare joint advisory, warning that Chinese espionage efforts are not isolated incidents but part of a systemic and long-term strategy. At the same time, uncertainty over attribution in incidents involving both China and North Korea shows how blurred and complex the state cyber landscape has become.

These developments underscore a shifting environment in which espionage, disruption, and strategic geo-political competition increasingly play out through cyber operations.

Salt Typhoon continues attacks, breaching Dutch telecommunications companies

Chinese state-sponsored threat actor Salt Typhoon, responsible for breaching major telecommunications companies in the United States, continued its attacks in August, compromising routers and network devices at Dutch telecommunications companies, with the Dutch Military Intelligence and Security Service (AIVD) reporting that while the Netherlands has not been as heavily targeted as the US, Salt Typhoon had targeted smaller ISP and hosting providers in the Netherlands. (Defensie.nl)

While in the US, the FBI has revealed the scale of Salt Typhoon’s attacks, confirming in August that Salt Typhoon had hacked at least 200 American companies and has broken into companies in over 80 countries. (Yahoo)

International advisory on Chinese cyber espionage released

In late August, a lengthy international advisory, titled “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System” jointly released by 23 separate agencies across multiple countries (including the NSA, CISA, FBI, ASD, and their counterparts across the Five Eyes and European partners), advises that Chinese state-backed cyber actors have been steadily infiltrating critical global infrastructure including telecommunications, transportation, lodging, government, and military networks.  These actors are targeting backbone and edge routers, often modifying firmware or settings to maintain persistent, long-term access then leveraging trusted network interconnections to spread deeper into other systems.

This espionage campaign overlaps with industry-tracked groups such as Salt Typhoon and Operation Panda but is referred to more generically in the advisory to focus on behaviours rather than labels.

In the advisory, organisations are advised that they should treat the threat from Chinese state-sponsored actors as both immediate and systemic. These campaigns focus on exploiting routers and network infrastructure to establish long-term persistence, which means defenders need to go beyond patching and adopt a proactive, intelligence-driven security posture.  

The advisory includes Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOCs), along with detailed best practice recommendations on how to mitigate identified threats.  The advisory stresses that defending against Chinese state-sponsored activity requires a mix of technical hardening, proactive monitoring, and strong response planning.  Organisations cannot rely on patching alone; they need to verify device integrity, actively hunt for intrusions, and prepare for the possibility of network infrastructure compromise. We strongly recommend that security professionals in affected industries carefully review and apply the detailed guidance contained in the advisory.

China compromises taiwanese web-hosting provider

A Chinese-linked hacking group known as UAT-7237 has broken into a major web hosting provider in Taiwan. This type of company runs the servers that power many different websites, which makes it an attractive target: by breaching one provider, attackers can gain a foothold into multiple organisations downstream.

UAT-7237 has been active since at least 2022 and is connected to other Beijing-backed groups like Volt Typhoon and Flax Typhoon. The group is known for quietly stealing usernames and passwords, installing remote access tools, and then moving slowly across networks to avoid detection. Unlike some related groups that spray websites with obvious malware, UAT-7237 tends to take a more selective, careful approach—favouring direct remote access that lets them blend in with normal traffic.

The attack shows two important patterns. First, China-linked groups continue to focus heavily on Taiwan’s digital infrastructure as part of broader geopolitical pressure. Second, they are increasingly blending off-the-shelf hacking tools with their own methods, making these intrusions harder to spot and stop. (TheRegister)

DPRK, or China (or both) suspected in South Korean embassy attacks

Between March and July 2025, European embassies in Seoul were targeted with highly tailored spear-phishing emails impersonating trusted diplomatic contacts. Investigators tied the activity to North Korea’s Kimsuky group, but intriguingly noted evidence pointing to operations either originating from or facilitated through China. The campaign involved the delivery of emails specifically crafted to look like they were from high-ranking European officials.  The emails featured password-protected attachments designed with diplomatic themes like gas inspections or ambassadorial meetings that, when opened, delivered malware that communicated via otherwise credible platforms like GitHub and Dropbox. This approach allowed attackers to blend malicious activity into normal network traffic and evade detection (darkreading).  

As is often the case with state sponsored attacks, there is uncertainty over attribution. Researchers note it could reflect direct collaboration between China and North Korea, a Chinese-led operation disguised as North Korean activity, or a North Korean campaign simply routed through Chinese infrastructure which is a reminder that state-backed cyber operations are complex, layered, and designed to obscure responsibility.

Microsoft Restricts Chinese Firms From Cyber Vulnerability Program After SharePoint Hacks

Microsoft has restricted Chinese companies’ access to its Microsoft Active Protections Program (MAPP), which shares early warnings and proof-of-concept (PoC) code for vulnerabilities with security vendors. The decision follows a wave of hacking attacks on Microsoft SharePoint servers in July 2025. Some cybersecurity experts suspect that insider misuse of MAPP information by a Chinese member could have leaked details, allowing attackers to exploit vulnerabilities before defenders could react.

As a result, Microsoft has stopped providing PoC code to several Chinese firms, while still sharing general vulnerability information. Beijing denies involvement, but Microsoft says it continuously reviews and removes partners that breach their contracts (which forbid offensive cyber activity). (Reuters)

 

Other International News

ShinyHunters use social engineering to steal Salesforce data

ShinyHunters, a well-established cyber-extortion group, reportedly in collaboration with Scattered Spider (the group reportedly behind last month’s Qantas breach), has recently launched a wave of attacks focused on exploiting Salesforce or CRM environments. By using phishing, vishing, and malicious OAuth applications, the group has been able to trick employees into granting access to sensitive customer data. This campaign has already affected multiple high-profile organisations across different sectors, demonstrating how attackers are increasingly shifting their attention to widely used cloud platforms as a way of maximising impact. Notable (alleged) Shinyhunters targets compromised in August include:

• ‍Pandora. Danish jewellery chain Pandora confirmed that attackers accessed customer names, birthdates, and email addresses through unauthorised Salesforce activity. No financial data or passwords were exposed, and the company has since reinforced its security controls.‍
• Workday. Workday, a large HR and financial software provider, confirmed in August that that attackers infiltrated one of its third-party CRM systems, likely part of Salesforce infrastructure, through a social engineering campaign. Posing as internal HR or IT staff via phone calls and texts, the attackers tricked employees into granting access to the system, ultimately compromising business contact information such as names, email addresses, and phone numbers. (cybersecuritydive.com)  ‍
• Google. In early August, Google confirmed that ShinyHunters breached one of its corporate Salesforce databases, targeting contact details and notes of small and medium-sized businesses. The campaign relied on voice phishing and malicious “Data Loader” techniques not platform flaws and Google has urged customers to enforce stronger controls and regularly monitor Salesforce access. (techworm.net)
• ‍Air France and KLM also disclosed a breach, likely linked to Shinyhunters via a third-party customer service platform linked to Salesforce, exposing customer names, contact details, loyalty program numbers, and recent transaction data. While no financial or passport data was compromised, the airlines cut off attacker access, enhanced protections, and reported the incident to regulators. (bleepingcomputer)

Salesforce has emphasised that its platform itself remains secure, stressing that these breaches stemmed from stolen credentials and social engineering rather than flaws in the service, and has urged customers to enforce multifactor authentication and carefully manage connected app permissions.

Australian cyber policy and legal developments

OAIC sues Optus for failures leading to 2022 cyber-attack

The Office of the Australian Information Commissioner (OAIC) announced it had filed legal proceedings against Optus for alleged mishandling of customers' data. The filings claim that for the three years leading up to the breach, Optus interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss. The OAIC alleges Optus failed to manage cybersecurity in accordance with its size and threat profile. Should Optus be found guilty, the telecommunications operator could be fined in the trillions of dollars, with each breach of the Privacy act penalizable up to $2.22 million. Optus stated they would respond to the filing in due time. Optus is also the defendant in a lawsuit filed by the Australian Communications and Media Authority (ACMA) last year alleging Optus failed to protect confidential details in its database. (abc)

ASIO report confirms multiple defence industry companies targeted by foreign espionage

According to an ASIO / Australian Institute of Criminology Cost of Espionage report, cyber-enabled espionage is a visible and damaging espionage vector affecting Australia, with China, Russia, and Iran named as key offenders. These states employ tactics ranging from malware intrusions and IP theft to insider recruitment and reconnaissance of critical infrastructure, often blending human and technical methods to evade detection. The report highlights that the most heavily targeted sectors are those of strategic national value including government, defence and AUKUS programs, critical minerals, rare earths, green technologies, and universities conducting sensitive research. Collectively, state sponsored cyber-espionage activity in 2023–24 caused about $3 billion in economic damage (comprised of cyber espionage incidents affecting Australian businesses, universities and cyber-related IP theft). Total espionage related costs were estimated at $12.5 billion. (Report)

 

Australian and New Zealand Incidents

DDoS hacktivists attempt to pressure Australia to boycott Israel

In August 2025, hacktivist group DieNet allegedly launched DDoS attacks against Australian targets, including the NSW government job portal and the University of Western Australia, to pressure the government into boycotting Israel over the Gaza conflict. The sites were reportedly taken offline for about an hour, with the group framing the attacks as a political warning aimed at government institutions rather than civilians. DieNet has signalled plans for further disruption, highlighting how geopolitical tensions are increasingly spilling into cyberspace and being used as leverage against national policies.  (Cyberdaily)

TPG subsidiary breached impacting around 280,000 customers

TPG has confirmed a cyber attack on its subsidiary iiNet, exposing the data of around 280,000 customers. Attackers gained access by replaying stolen employee credentials (credential stuffing) against iiNet. This is the same attack method that was used in earlier attacks against TPG and Telecom Tangerine. The attacker was able to access iiNet’s order management system and extract email addresses, landline numbers, usernames, addresses, and about 1,700 modem setup passwords. No banking or ID documents were compromised. TPG apologised and stated it is contacting affected customers. (SBS)

Scotch College breach causes outage

Melbourne high school Scotch College suffered a breach forcing system administrators to shut down all servers and disable all accounts. The school engaged external cybersecurity experts and the ACSC to investigate the breach. It is unclear currently whether sensitive information was accessed however the school stated they would contact individuals if their information was found to be impacted. (TheAge)

University of Western Australia suffers cyberattack

A system holding password data at the University of Western Australia was compromised. The university's IT team responded by forcing a campus-wide lockout and a mandatory password reset for all staff and students. The university stated that it did not believe any other sensitive information had been accessed in the breach but that it was still investigating. (Teiss)

Hanson Chambers

Adelaide’s Hanson Chambers, which has eight barristers and one associate member, was targeted by Lynx ransomware. Hackers claimed to have exfiltrated client correspondence, Supreme Court documents, and financial records which were exposed on a darknet site. (Lawyers Weekly)

ACSC, CSIA advisories

As set out above, multiple international partners, in conjunction with the ACSC published a report titled “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System”

• Since at least 2021, APT actors linked to several China-based entities including Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. have conducted malicious cyber operations worldwide. These companies supply cyber products and services to China’s intelligence agencies, including the People’s Liberation Army and Ministry of State Security. Their activities have compromised foreign telecommunications, ISPs, and the lodging and transportation sectors, enabling Chinese intelligence to monitor and track global communications and movements.
• Multiple agencies have identified overlapping threat intelligence, indicators of compromise (IOCs), and mitigation strategies related to Chinese state-sponsored cyber operations. Notable threat group names associated with this activity include Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, though naming conventions vary across cybersecurity vendors. Technical analysis (using MITRE ATT&CK v17) shows these advanced persistent threat (APT) actors have achieved global initial access since 2021 by exploiting widely known vulnerabilities in network edge devices from vendors such as Ivanti, Palo Alto Networks, Cisco, and others.

The ACSC published an advisory warning of multiple vulnerabilities impacting Netscaler ADC and Netscaler Gateway products. The vulnerabilities were:

• CVE-2025-7775, a critical severity memory overflow vulnerability that when exploited could result in remote code execution or denial of service.
• CVE-2025-7776, a high severity memory overflow vulnerability that when that when exploited could result in unpredictable or erroneous behaviour or denial of service.
• CVE-2025-8424, a high severity improper access control vulnerability on the NetScaler Management Interface. (ACSC)(NSA)

 

Takeaways for Australian Organisations

The key actions from August’s developments are clear, and organisations should focus on three priorities:

• Read and act on the joint international advisory, particularly if you operate in sectors like telecoms, transport, defence, or government where network infrastructure is being actively targeted by China.
• Prepare for ongoing accountability and enforcement. Regulators are (again) showing they will hold organisations to account for cyber-related failures, with the OAIC’s case against Optus a sign of tougher consequences ahead.
• Secure Salesforce and CRM environments against ShinyHunters / Scattered Spider style attacks, by enforcing multifactor authentication, restricting connected apps, and strengthening staff awareness of phishing and vishing threats, amongst other controls.

 

‍