Jordan Kavallaris | SOC Analyst | 5 March 2026
In February, a Sydney fintech exposed the driver's licences of nearly a quarter of a million Australians, a Victorian chicken processor found itself unable to fill orders after attackers took its systems offline, and a not-for-profit serving aeromedical professionals became the latest ransomware statistic. At the same time, courts and regulators continued to raise the bar: FIIG Securities was fined for years of inadequate cyber hygiene, and mandatory ransomware payment disclosures revealed that 94 Australian organisations have paid ransomware groups since reporting obligations commenced in May 2025.
Beyond Australian shores, the threat landscape reflects geopolitical tensions. Russia deployed data-wiping malware against Poland's power grid, targeted the Winter Olympics and saw one of its key suppliers of offensive cyber tools identified as an Australian national now serving seven years in a US prison. China-linked actors hijacked the update infrastructure of a tool used by millions. And the global cooperative architecture that underpins cyber resilience grew a little weaker, as the United States withdrew from key international cyber organisations, leaving partners across the Pacific to recalibrate.
Mandatory disclosure data shows at least 94 ransomware payments made by Australian organisations since May 2025
At least 94 Australian organisations have admitted to paying ransomware groups in the first eight months of mandatory disclosure. Under the Cyber Security Act 2024, which commenced on 30 May 2025, businesses with an annual turnover of more than $3 million are required to report ransomware payments to the Australian Signals Directorate (ASD) within 72 hours of making a payment. Of the 94 reported payments, 75 came from non-critical infrastructure businesses above the $3 million turnover threshold, with the remaining 19 payments made by entities responsible for critical infrastructure assets. (ITNews)
Australian government advice is that organisations should never pay ransomware groups, reasoning that payments fund future attacks, make Australian businesses a more lucrative target, and provide no guarantee that stolen data will not be sold or leaked. Despite this, the mandatory disclosure data seems to tell a different story and indicates that when organisations are caught in the middle of an active ransomware incident, payment can be the most rational choice available to keep their operations running.
As part of incident response planning, Australian organisations should establish a position on ransomware payments before an incident occurs, determining under what circumstances, if any, they would consider paying, and ensuring that decision is documented and agreed at leadership level. Organisations should also ensure they understand their obligations under the Cyber Security Act 2024 and that if a payment is made, they have 72 hours to report to the ASD.
FIIG Securities penalised for a large-scale data breach and fined $2.5 million
In our March 2025 cyber update, we reported that the Australian Securities and Investments Commission (ASIC) had initiated legal action against FIIG Securities Limited (FIIG). ASIC alleged that between March 13, 2019 and June 8, 2023, FIIG failed to maintain adequate cybersecurity measures, leaving the door open to a significant cyber intrusion.
Beginning May 19, 2023, attackers accessed FIIG's systems and operated undetected for nearly three weeks, ultimately stealing approximately 385GB of data containing highly sensitive client information. That data was subsequently published on the dark web.
The case concluded in February 2026, when the Federal Court ordered FIIG to pay $2.5 million in pecuniary penalties plus $500,000 towards ASIC's legal costs. The penalty was calibrated deliberately: representing approximately 20% of FIIG's net assets and 8% of its 2025 turnover, the Court found it struck the right balance between meaningful deterrence and recognition of FIIG's full cooperation throughout the proceedings.
The Court identified the following failures at the heart of FIIG's non-compliance:
The conclusion of this case highlights a clear trend that Australian agencies are increasingly willing to bring enforcement actions against private sector organisations for cyber failures. With ASIC having now brought three cybersecurity enforcement actions in just four years, two of those in 2025 alone, regulatory scrutiny of cyber risk management is intensifying and the bar for what constitutes "adequate" cybersecurity is being defined through the courts. (TheLawyerMag)
US withdrawal from international cyber organisations weakens global cooperation...
In January 2026, President Trump issued a memorandum directing the United States to withdraw from 66 international organisations. Among them were three with direct cybersecurity relevance: the Global Forum on Cyber Expertise (GFCE), the Freedom Online Coalition, and the European Centre of Excellence for Countering Hybrid Threats.
A February 2026 article by Christopher Painter, the world's first cyber diplomat at the US State Department, notes that the US helped found these organisations and that its withdrawal weakens their ability to function. The GFCE in particular had funded capacity-building programs across the Pacific and ASEAN regions specifically to limit Chinese interference, work that will now be significantly reduced.
The US withdrawal from key international cyber organisations, combined with deep cuts to USAID-funded cybersecurity programs, has meaningful implications beyond Washington. Countries that previously relied on US cyber capacity building, particularly across the Pacific and ASEAN, now have fewer Western-aligned options, and some may turn to China or Russia to fill the gap. The cooperative infrastructure that underpins global cyber resilience, including intelligence sharing, coordinated incident response, and common standards, is difficult to replace once disrupted, and the effects are likely to compound over time.
...while Australia and Samoa sign a memorandum of understanding on cyber cooperation
Given the above, it is timely that in February 2026, Australia and Samoa formalised a Memorandum of Understanding on cyber cooperation, backed by a $2 million support package over three years. The MOU covers cooperation on cyber affairs, critical technologies, and critical infrastructure, building on existing collaboration including the establishment of SamoaCERT and other joint initiatives. (Minister for Foreign Affairs – Opening remarks)
In the context of increasing US isolationism, Australia's cyber partnerships carry weight beyond the dollar value of any individual agreement.
Attack on Poland's power grid attributed to Russia
A cyberattack on Poland's energy infrastructure in December 2025, described by Poland's energy minister as the strongest attack on the country's energy sector in years, has been attributed to a Russian state-sponsored group. The attackers deployed data-wiping malware against two combined heat and power plants and a system managing electricity generated from renewable sources, including wind turbines and solar farms. Polish authorities stated the attack was thwarted before causing a blackout; had it succeeded, it could have cut power to up to 500,000 people. Prime Minister Donald Tusk described the operation as an act of Russian sabotage with the clear objective of causing a blackout.
The attack occurred almost exactly ten years after Russia's December 2015 deployment of malware against Ukraine's power grid, which left approximately 230,000 people without electricity. It also comes amid deteriorating Poland-Russia relations, with Poland closing the last Russian consulate on its soil and imposing sanctions on steel companies suspected of helping circumvent international export restrictions. (The Register)
Italy says cyberattacks of 'Russian origin' targeted the Winter Olympics
Italy foiled a wave of cyberattacks of Russian origin targeting the 2026 Milan-Cortina Winter Olympics days before the opening ceremony, Foreign Minister Antonio Tajani confirmed on February 4, 2026. Attackers hit Games websites, hotels in Cortina d'Ampezzo, and Italian diplomatic facilities abroad, striking roughly 120 sites in total. The pro-Russian hacktivist group NoName057(16) claimed responsibility, citing retaliation for Italy's support for Ukraine. Italian security services neutralised all attacks without significant disruption.
The incident extends a well-documented pattern of Russian-linked cyber operations against Olympic host nations. Russia's exclusion from competing under its national flag dates to the IOC's 2017 ban of the Russian Olympic Committee over state-sponsored doping, with WADA imposing a four-year ban in 2019 that Russia successfully reduced to two years on appeal. Russian-linked actors have allegedly targeted the Games repeatedly since: breaching WADA and leaking athlete medical records during the 2016 Rio Olympics, deploying false-flag malware at Pyeongchang 2018 designed to implicate North Korean and Chinese actors, conducting reconnaissance ahead of Tokyo 2020, and running influence and disinformation operations targeting Paris 2024. (Unit 42) (The Register)
Australian jailed for seven years for selling offensive cyber exploits to a Russian broker
Australian Peter Williams, the former general manager of Trenchant, the cybersecurity branch of United States defence contractor L3Harris, was sentenced to seven years and three months imprisonment by a US district court. The 39-year-old pled guilty in October last year to selling exploits for zero-day vulnerabilities to a Russian broker.
The broker, identified as Operation Zero, allegedly resells exploits to Russian government and private clients, and the US Department of the Treasury simultaneously imposed sanctions on the company, its owner, and affiliated entities.
Over three years, Williams was found to have sold eight offensive cyber exploits for US$4 million in cryptocurrency. Williams is an ex-Australian Signals Directorate (ASD) staff member who became the general manager of L3Harris Trenchant after the American company bought the Australian cybersecurity specialist Azimuth in 2018. (Department of Justice USA – Media Release)
Suspected state-backed hackers hijack the Notepad++ update infrastructure
Between June and December 2025, the official hosting infrastructure for a widely used text editor, Notepad++, was compromised by Lotus Blossom, a Chinese state-sponsored espionage group. The attackers breached the shared hosting provider's environment and hijacked update traffic, selectively redirecting requests from targeted users to malicious servers by exploiting insufficient update verification controls in older versions of the utility. Targets spanned government, cloud hosting, energy, financial, manufacturing, and software development sectors across South America, the US, Europe, and Southeast Asia.
The attack was highly targeted, with dynamic fingerprinting of update requests used to serve malicious payloads only to high-value targets while leaving the broader user base unaffected. Remediation was completed by December 2, 2025. Organisations should update to at least Notepad++ version 8.9.1 and review endpoint telemetry for suspicious updater activity across the June to December 2025 window. (Notepad++ Media Release)
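One way to carry out the telemetry review recommended above, as an added example that is not part of the original article or the Notepad++ project: flag any updater connection inside the June to December 2025 window that did not go to the vendor's expected update host. The updater process name (gup.exe), the allowlisted host (notepad-plus-plus.org), the window end date and the tab-separated telemetry format are all assumptions for this example; adjust them to your EDR's fields and the vendor's published hosts.

```python
from datetime import datetime, timezone

# Assumed names for this example (not taken from the article or the vendor).
UPDATER_PROCESSES = {"gup.exe"}
EXPECTED_UPDATE_HOSTS = {"notepad-plus-plus.org"}
# Hijack window reported in the article; end chosen as the day after the 2 Dec 2025 remediation.
WINDOW_START = datetime(2025, 6, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 12, 3, tzinfo=timezone.utc)

# Constructed sample telemetry: timestamp, endpoint, process image, destination host, bytes received.
SAMPLE_TELEMETRY = """\
2025-05-20T09:12:03Z\tws-014\tgup.exe\tnotepad-plus-plus.org\t4021
2025-07-14T11:02:44Z\tws-014\tgup.exe\tnotepad-plus-plus.org\t4088
2025-08-03T16:47:10Z\tws-027\tgup.exe\tupdates-example.invalid\t5912340
2025-09-21T08:05:59Z\tws-027\tchrome.exe\tupdates-example.invalid\t120
2025-11-30T22:31:07Z\tsrv-02\tgup.exe\t203.0.113.25\t6120093
2026-01-09T10:00:00Z\tws-014\tgup.exe\tunknown-host.invalid\t77
"""


def parse_events(text):
    """Parse tab-separated telemetry lines into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, nbytes = line.split("\t")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "proc": proc.lower(), "dest": dest.lower(), "bytes": int(nbytes),
        })
    return events


def is_host_in_allowlist(dest, allow):
    # Exact match or a true subdomain; a plain suffix test would accept look-alike domains.
    return any(dest == a or dest.endswith("." + a) for a in allow)


def find_suspicious_updates(events, start=WINDOW_START, end=WINDOW_END):
    """Return updater events inside the window whose destination is not an allowlisted host."""
    hits = []
    for ev in events:
        if ev["proc"] not in UPDATER_PROCESSES or not (start <= ev["ts"] < end):
            continue
        if is_host_in_allowlist(ev["dest"], EXPECTED_UPDATE_HOSTS):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_suspicious_updates(parse_events(SAMPLE_TELEMETRY)):
        print(f"{ev['ts'].isoformat()} {ev['host']} {ev['proc']} -> {ev['dest']} ({ev['bytes']} bytes)")
```

Large downloads to an unexpected host, such as the two flagged sample rows, are the events worth pulling the binary and process tree for; connections outside the window or from non-updater processes are left for other detections.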
Scattered LAPSUS$ Hunters offering financial incentives to recruit women for vishing attacks
The cybercrime group known as Scattered LAPSUS$ Hunters (SLH), an alliance of Lapsus$, Scattered Spider, and ShinyHunters, has been observed recruiting women for voice phishing campaigns targeting IT help desks. The recruitment was detected via public Telegram posts offering between $500 and $1,000 per call depending on success and hit rate, with recruits provided pre-written scripts. The rationale is to diversify the voice profiles of callers, bypassing security training that profiles attackers and increasing the success rate of help desk impersonation. The group has a well-documented record of advanced social engineering attacks, including MFA prompt bombing and SIM swapping, and specifically targets IT help desks and call centres to convince staff to reset passwords or install remote monitoring tools that grant remote access. ShinyHunters, one of the groups operating within the SLH alliance, in 2025 claimed responsibility for the Qantas data breach.
The recruitment of paid, scripted female callers represents a further professionalisation of these tactics. Help desk staff should be trained to expect well-rehearsed, convincing callers regardless of gender, and identity verification for sensitive requests such as password resets or MFA changes should never rely on voice alone. (The Hacker News)
ShinyHunters breach major organisations for over 24 million records
Cybercrime group ShinyHunters has claimed the theft of over 10 million records from The Match Group, the parent company behind Tinder, Match.com, OkCupid, and Hinge. A listing on the group's dark web leak site points to AppsFlyer, a marketing analytics provider, as the apparent source of the exposure, with the alleged haul including personal customer data, employee details, and internal corporate material. AppsFlyer denied involvement, stating the breach did not originate from its systems. Match Group confirmed it is investigating a security incident and that some user data was likely accessed, though it stated there is no indication that login credentials, financial information, or private communications were compromised.
ShinyHunters also claimed a second major breach, of the US company Panera Bread, stating it had stolen over 14 million records including email addresses, phone numbers, names, physical addresses, and account details. ShinyHunters has stated that it gained access via Microsoft Entra single sign-on. (Malwarebytes) (The Register)
Over 200,000 driver's licence numbers exposed in youX data breach
Sydney-based vehicle and equipment finance technology platform youX confirmed in February 2026 that a threat actor, identified as FulcrumSec, gained unauthorised access to its systems and extracted 141GB of data from a MongoDB Atlas cluster.
The attacker claimed to have stolen personal and financial data belonging to 444,538 borrowers, including names, phone numbers, email addresses, residential addresses, income details, and government IDs, along with 229,226 driver's licence numbers and 629,597 loan applications drawn from nearly 800 broker organisations that rely on the youX platform.
The attacker publicly criticised youX for failing to remediate a vulnerability that white hat researcher Jeremiah Fowler had identified and disclosed in March 2025, alleging the insecure database remained accessible ten months later. youX obtained a Supreme Court of New South Wales injunction to prevent further dissemination of the data, notified the OAIC and ACSC, and confirmed it has engaged external forensic specialists, though a portion of the stolen data has already appeared on hacking forums. (Insurance Business)
Aeromedical Society of Australasia confirms ransomware incident
LockBit 5.0, the latest iteration of the once-prolific LockBit ransomware-as-a-service operation, listed the Aeromedical Society of Australasia (ASA) on its dark web leak site on February 11, 2026, threatening to publish stolen data by February 26.
The ASA, a not-for-profit membership organisation serving air medical transport professionals across Australia and New Zealand, confirmed it became aware of the incident and immediately engaged its contracted provider and notified relevant authorities.
The group disclosed neither the volume nor nature of any data stolen, nor any ransom demand, providing only the publication deadline. The ASA's president stated the organisation does not hold personal information on its platforms. (CyberDaily)
Major Australian poultry processor confirms cyber-attack
Australian chicken farming and processing business Hazeldenes has revealed it was the victim of a cyber-attack that has caused serious disruption to its operations. Hazeldenes operates more than 50 sites across Victoria, including farms, hatcheries, and processing facilities, and is estimated to produce more than 85 million kilograms of chicken annually.
Hazeldenes first began responding to the cyber incident on 19 February 2026. Several pubs and butchers in the state experienced chicken shortages associated with the disruption, and the company has not yet publicly quantified the extent of the supply chain interruptions. (ABC)
Sydney-based hospitality group confirms Kairos ransomware incident
The Kairos ransomware group listed Sydney-based hospitality operator Seagrass Boutique Hospitality Group on its dark web leak site on February 12, 2026, targeting the company behind The Meat & Wine Co and Hunter Barrel.
Seagrass confirmed unauthorised access to part of its IT network, stating it had isolated the affected system and engaged external cybersecurity experts. Kairos disclosed neither the volume nor nature of stolen data, providing only a ransom deadline. Active on Russian-language cybercrime forums with no known affiliations to other groups, Kairos has claimed at least 70 victims globally since first appearing in November 2024. (CyberDaily)
Exploitation of Cisco SD-WAN appliances
A critical zero-day vulnerability in Cisco's SD-WAN network management software, rated with a maximum CVSS score of 10.0, is being actively exploited by a highly sophisticated threat actor that Cisco Talos has tracked conducting attacks since at least 2023.
The ACSC identified and reported the vulnerability, which allows attackers to bypass authentication entirely and insert a rogue component that masquerades as a legitimate part of the network, granting them persistent, privileged access deep within an organisation's infrastructure.
CISA issued an emergency directive to US federal agencies, and the ACSC joined partners from the US, UK, Canada, and New Zealand in urging all affected organisations to patch immediately, hunt for evidence of compromise using the published guidance, and implement available hardening controls. No workarounds exist; patching is the only fix. (ACSC Advisory)