Ben Watson | SOC Analyst | 4 March 2025
Welcome to Fortian's February cyber environment update!
February was a dramatic month in cybersecurity, with major developments highlighting the risks posed by both Chinese and Russian technology.
The Australian government took decisive action by banning Chinese AI model DeepSeek from government devices, citing security concerns, while also announcing the removal of Russian antivirus firm Kaspersky’s products from its systems. These moves came against the backdrop of escalating cyber threats, with multiple state-sponsored Chinese threat actors targeting the global telecommunications and healthcare sectors, and Russian-backed cyber operations facing international sanctions.
Paradoxically, in late February, the Trump administration downplayed Russia as a cyber threat, which signalled a sharp reversal of its previous threat assessments and will add further complexity to the global security landscape going forward.
Meanwhile, Australia introduced new scam prevention legislation, and domestic cyber incidents—including major data breaches at an IVF provider and a university—further underscored the ongoing cyber risks facing Australian organisations.
Finally, Fortian tracked a rise in ransomware actors deploying legitimate RMM tools and infostealers after a breach, then selling the stolen credentials to maximise profits.
The Australian federal government banned Chinese LLM DeepSeek from government devices in early February, with all state governments and some government corporations (such as Australia Post, the ABC and the NBN) quickly following suit. This follows similar bans by the Italian, Taiwanese and South Korean governments.
DeepSeek made international headlines in late January when it was announced, demonstrating similar capabilities to OpenAI's ChatGPT at a fraction of the cost. Security and privacy concerns quickly arose, with a focus on data sharing with Chinese authorities, insufficient AI safeguards and content censorship. In addition, security researchers found one of DeepSeek's databases containing sensitive chat logs and secret keys was left unsecured and completely accessible to the internet. (CNN) (Cyberdaily) (Wiz)
The Chinese government has criticised the Australian Government's decision, saying that the ban risks politicising trade and technology ties between the two countries. (Bloomberg)
The news came in a month when three different Chinese threat actors continued to hack organisations across the world.
The Australian government announced that products from Russian antivirus company Kaspersky would be removed from government devices by April 1. The news came six months after the US banned sales of Kaspersky products in America. Home Affairs secretary Stephanie Foster announced the ban, stating that Kaspersky products posed "...an unacceptable risk to Australian government, networks and data, arising from threats of foreign interference, espionage and sabotage". (ITnews)
Following on from the Australian Cyber Security Centre's (ACSC) announcement last month that it was targeting Bulletproof Hosting (BPH) providers, the governments of Australia, the US and the UK announced joint sanctions on Russian BPH provider Zservers and on five Russian nationals for their role in running it. Zservers was allegedly the platform used to launch the Medibank hack. The sanctions make it a criminal offence for any Australian, American or British citizen to provide assets to Zservers or to any of the five individuals, or to use or deal with their assets. This includes ransomware payments which, although not currently illegal in Australia, are reportable and would be illegal if paid to a sanctioned entity such as Zservers. (cyber.gov.au)
ASIO Director-General Mike Burgess, in his February 2025 Annual Threat Assessment, highlighted a key cyber security concern: authoritarian regimes such as Russia are growing more willing to disrupt or destroy critical infrastructure to impede decision-making, damage war-fighting capabilities and sow social discord. A specific concern is cyber-enabled sabotage. Burgess stated that cyber units from at least one nation state routinely try to explore and exploit Australia's critical infrastructure networks, almost certainly mapping systems so they can lay down malware or maintain access in the future. (ASIO)
Despite the above, in late February the Trump administration signalled a shift in its cyber security stance, downplaying Russia's role as a cyber threat to the United States. This move has raised concerns among cyber security experts and lawmakers, who fear it could leave the nation vulnerable to future cyber attacks. (the Guardian)
Historically, U.S. intelligence agencies have attributed significant cyber attacks to Russian state-sponsored actors. For instance, the 2020 SolarWinds hack, which infiltrated multiple federal agencies, was linked to Russia's Foreign Intelligence Service (SVR).
The administration's current position on Russia contrasts significantly with previous assessments and has sparked heated debate about the potential implications for US national security.
Changing U.S. cybersecurity priorities, such as the reversal on the cyber threat posed by Russia, are not entirely unexpected and align with broader shifts introduced by the Trump administration.
Last month, we reported that the transition from the Biden administration to the Trump administration has been marked by disruption, with cybersecurity policy being no exception. In February, this trend continued, with the Trump administration dismissing over 130 employees from CISA, the agency responsible for safeguarding critical infrastructure and ensuring election security. Notably, these layoffs affected teams dedicated to combating misinformation and foreign interference in U.S. elections.
At the same time, personnel from Elon Musk's Department of Government Efficiency (DOGE) gained access to CISA’s internal networks, sparking debates over the potential risks of granting such access to individuals with limited governmental experience. (Krebs on Security)
Further cuts to U.S. cybersecurity bodies are expected, with reports indicating that the U.S. National Institute of Standards and Technology (NIST), the agency responsible for maintaining the NIST Cyber Security Framework, is bracing for staff reductions of up to 500 employees. (Wired)
Weakening cybersecurity entities like CISA and NIST could directly expose the U.S. to greater cyber threats and foreign influence. In the longer term, these changes are likely to negatively impact international cybersecurity efforts, given the U.S.'s role as a global cybersecurity leader.
New Scam Prevention Framework introduced
On 20 February, the Scams Prevention Framework Act 2025 received royal assent. The legislation requires entities such as banks, telecommunication providers and social media companies to proactively detect, disrupt and report scam activity. Entities that fail to meet their obligations under the framework could face fines of up to $50 million.
IVF provider breached leading to theft of over 940GB of data
IVF provider Genea was breached, resulting in patient data being published on the dark web. Genea announced that a threat actor had gained unauthorised access to its patient management systems, which contained personal information such as names, addresses, medical history and doctors' notes. A threat actor going by the moniker "Termite" claimed responsibility on the dark web, stating it had exfiltrated 700GB of personal data spanning six years. In court documents submitted to obtain an injunction against publication of the stolen data, Genea stated that the threat actor had been in its network for over two weeks before exfiltrating 940.7GB of data from Genea's systems. Termite, like many other ransomware actors, favours double extortion: encrypting victims' files and stealing their data, then threatening to publish it on the dark web. (the Guardian)
University of Notre Dame Australia breached
First announced on 30 January, the University of Notre Dame Australia suffered a cyber incident that disrupted many of the university's online applications, including payroll, leave, student enrolments, timetabling, internet and email. The university also stated the attackers may have gained access to some of its servers. Almost three weeks on from the original report, students and staff were still reporting disruption to the university's communication channels. The Fog ransomware group claimed the attack and said it had stolen 62.2GB of data from the university, including contact details of students and employees, student medical documents and non-disclosure agreements. (ABC)
Threat actors turn to RMM tools and infostealers to maintain persistence and maximise profit from breaches
In February, Fortian observed an upward trend in threat actors deploying infostealers and RMM tools after breaching victims' environments, both to harvest credentials and to maintain persistence. The stolen access is then sold to other malicious actors on the dark web.
This trend was highlighted by a report that the threat actor 'EncryptHub' had breached 618 organisations by socially engineering victims into installing legitimate Remote Monitoring and Management (RMM) software such as AnyDesk, TeamViewer and ScreenConnect. EncryptHub then used PowerShell scripts to deploy infostealers that collected data such as saved credentials and session cookies. (Bleeping Computer)
The addition of 244 million previously unseen passwords, harvested by infostealers, to the "HaveIBeenPwned" service also showed how prevalent infostealers have become. The passwords were contained in infostealer logs and appeared to have been retrieved from a Telegram channel called Alien Txtbase, which is known for selling credentials stolen by infostealers. (the Register)
Finally, threat actors were also observed abusing RMM tools already present in victim environments. The advanced persistent threat actor Storm-2372 was reported using Microsoft Graph to search a compromised account's Teams and Outlook messages for passwords for the RMM tools TeamViewer and AnyDesk. Using stolen passwords or legitimate RMM tools makes threat actors much less likely to set off alarms when accessing a victim's environment, which underscores the importance of monitoring sign-in activity and regularly reviewing installed RMM tools. (Microsoft)
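The review of installed RMM tools recommended above can be scripted. The following is an added example (not Fortian's tooling or any vendor's) that audits a fleet inventory against an allowlist of sanctioned RMM products. It matches both installed-software display names and running process names, because a portable copy of AnyDesk or TeamViewer dropped by an attacker never appears in the installed-programs list. The product catalogue and the inventory records are constructed for illustration; in practice the records would come from your EDR, Intune or osquery export.

```python
"""Flag unsanctioned remote monitoring and management (RMM) tools in a fleet inventory.

Added example, not Fortian's tooling. Inventory records below are constructed
for illustration; the RMM catalogue lists well-known products by display-name
and executable-name substrings and is not exhaustive.
"""
from __future__ import annotations

from dataclasses import dataclass

# Known RMM / remote-access products, keyed by family name. Each entry lists
# lowercase substrings matched against installed-software display names and
# running process image names. Illustrative, not exhaustive.
RMM_SIGNATURES: dict[str, tuple[str, ...]] = {
    "anydesk": ("anydesk",),
    "teamviewer": ("teamviewer", "tv_w32", "tv_x64"),
    "screenconnect": ("screenconnect", "connectwise control"),
    "atera": ("ateraagent", "atera agent"),
    "splashtop": ("splashtop", "srserver", "srmanager"),
    "rustdesk": ("rustdesk",),
}


@dataclass(frozen=True)
class Finding:
    host: str
    family: str
    evidence: str  # installed display name or process image name that matched
    source: str    # "installed" or "process"


def classify(name: str) -> str | None:
    """Return the RMM family a software or process name belongs to, or None."""
    lowered = name.lower()
    for family, needles in RMM_SIGNATURES.items():
        if any(needle in lowered for needle in needles):
            return family
    return None


def audit(inventory: list[dict], allowlist: set[str]) -> list[Finding]:
    """Return one Finding per piece of evidence for an RMM family not in the allowlist.

    Each inventory record is a dict with 'host', 'installed' (display names from
    the installed-programs list) and 'processes' (running process image names).
    """
    findings: list[Finding] = []
    for record in inventory:
        sources = (
            ("installed", record.get("installed", [])),
            ("process", record.get("processes", [])),
        )
        for source, names in sources:
            for name in names:
                family = classify(name)
                if family is not None and family not in allowlist:
                    findings.append(Finding(record["host"], family, name, source))
    return findings


# Constructed sample inventory (hypothetical hosts). LT-SALES-12 shows the
# portable-binary case: AnyDesk is running but was never installed.
SAMPLE_INVENTORY = [
    {
        "host": "WS-FIN-01",
        "installed": ["ScreenConnect Client (a1b2c3)", "Microsoft Edge"],
        "processes": ["ScreenConnect.ClientService.exe", "msedge.exe"],
    },
    {
        "host": "WS-HR-07",
        "installed": ["TeamViewer", "7-Zip"],
        "processes": ["TeamViewer_Service.exe", "explorer.exe"],
    },
    {
        "host": "LT-SALES-12",
        "installed": ["Google Chrome"],
        "processes": ["AnyDesk.exe", "chrome.exe"],
    },
]

# The organisation's sanctioned RMM product (assumption for the demo).
SANCTIONED = {"screenconnect"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, SANCTIONED):
        print(f"{finding.host}: unsanctioned {finding.family} "
              f"({finding.source}: {finding.evidence})")
```

Running it flags TeamViewer on WS-HR-07 (installed and running) and AnyDesk on LT-SALES-12 (running only), while the sanctioned ScreenConnect client on WS-FIN-01 passes. Treat a process-only hit as the higher-priority case: it is the pattern left by a portable RMM binary dropped post-compromise rather than by a help-desk install.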
Given the developments in February regarding both Chinese and Russian technology, Australian organisations should proactively assess their reliance on foreign technology, particularly their usage of AI models, cybersecurity software, and cloud services linked to high-risk jurisdictions. As geopolitical tensions shape the cybersecurity landscape, businesses should adopt a forward-thinking approach to securing their supply chains.
With threat actors increasingly leveraging RMM tools and stolen passwords to gain initial access, organisations should regularly review their device fleets to ensure only sanctioned RMM tools are installed or running (portable RMM binaries do not show up in installed-software lists, so process and network telemetry should be checked as well), and rotate any passwords that appear in data breaches.
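Checking whether a password has appeared in infostealer logs, such as the Alien Txtbase corpus loaded into Have I Been Pwned, can be done without sending the password anywhere, using the Pwned Passwords range (k-anonymity) protocol: only the first five hex characters of the SHA-1 hash are sent, the service returns every known hash suffix sharing that prefix, and the match is made locally. The block below is an added example, not HIBP's own client or Fortian's tooling. The range endpoint URL is the real one; the sample range response used in the offline demo is constructed, and the count it contains is made up.

```python
"""Check passwords against Have I Been Pwned's Pwned Passwords corpus using the
k-anonymity range protocol.

Added example, not HIBP's client. Only a five-character SHA-1 prefix leaves the
machine; the server's response for that prefix is matched locally. The sample
range response below is constructed for illustration.
"""
from __future__ import annotations

import hashlib
from collections.abc import Callable
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash-prefix range (network). Not used by the offline demo."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "range-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a map; tolerate CRLF and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus (0 if unseen).

    `fetch` is injectable so the check can run against a cached or stubbed
    range response instead of the live API.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is listed here with
# a made-up count; the second suffix is filler to show unrelated entries.
SAMPLE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
             "0000000000000000000000000000000000A:1\r\n",
}


def offline_fetch(prefix: str) -> str:
    """Stub fetcher returning the constructed range (empty body for other prefixes)."""
    return SAMPLE_RANGE.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch=offline_fetch)} times")
```

To run it against the live service, call pwned_count with the default fetcher. Note that a count of zero only means the password is not in the corpus, not that it is strong, and that the corpus does not tell you which account a password was paired with; for that, the organisation-scoped breach and stealer-log searches offered by the same service are the appropriate tool.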
Request a consultation with one of our security specialists today.