January 2025 Cyber Environment Update

Ben Watson | SOC Analyst | 1 February 2025

Welcome to Fortian's January cyber environment update!

This month has seen significant change in the US. The transition from the Biden administration to the Trump administration has brought sweeping changes across multiple policy areas, and cybersecurity has been no exception. Within days of taking office, President Trump quickly moved to reverse or dismantle several initiatives put in place by his predecessor, signalling a possible shift in the U.S. approach to cyber threats and digital security.

Beyond U.S. policy shifts, cybersecurity incidents have continued to escalate globally. In Australia, ransomware attacks on local councils and manufacturing firms highlight the growing vulnerabilities faced by businesses and government entities alike. Meanwhile, new advisories from the Australian Cyber Security Centre (ACSC) warn of emerging threats, from bulletproof hosting services for cybercriminals to insecure operational technology (OT) products being actively targeted by hackers.

The US cybersecurity policy landscape under the Trump administration

The transition from the Biden administration to the Trump administration has been marked by disruption, and cybersecurity policy has been no exception. Within days of taking office, President Trump overturned several initiatives implemented by his predecessor.

Another major cybersecurity initiative now in question is the executive order issued by Biden on January 16, just days before leaving office. This order sought to enhance the nation's cyber defenses by mandating minimum cybersecurity standards for U.S. government technology contractors and strengthening measures against foreign cyber threats, including those posed by emerging technologies like quantum computing. However, with Trump's focus on deregulation and his swift revocation of previous executive orders, the future of these cybersecurity mandates remains uncertain. (apnews.com)

The early days of the Trump administration have demonstrated a clear pattern of dismantling and reversing Biden-era policies. Whether this approach will enhance or weaken U.S. cybersecurity remains to be seen, but the rapid pace of policy shifts has created uncertainty in an era where cyber threats continue to grow in complexity and scale.

Australian cybersecurity incidents

Muswellbrook Shire Council confirms ransomware attack

Muswellbrook Shire Council in NSW suffered a breach allegedly at the hands of ransomware group SafePay. SafePay provided examples of the stolen data on its leak page, which reportedly included council correspondence, rate payment details, and personal information relating to employees and residents.

This is the third local council breach in under a year, after Glenorchy City Council was breached in December last year and Wattle Range Council in August. The breaches highlight a trend of poor security by local councils and reinforce a finding from the NSW Auditor General in March 2024 that local councils lack cyber preparedness. The breaches are concerning because council bodies often collect ratepayer information through third parties like the Valuer-General, meaning ratepayers do not have an opportunity to say no to the collection of their data.

Aussie manufacturer Clutch Industries confirms cyber incident

Clutch Industries, an Australian auto parts manufacturer, suffered a cyber-attack in January. Ransomware gang Lynx listed the company as a victim on its darknet leak site on 19 January, claiming to have stolen 350GB of data. Online reports suggest the stolen data includes shared user folders, purchasing, stock, engineering, and marketing information but limited personal data. Lynx is a relatively new ransomware group that employs double extortion tactics. Double extortion is where a threat actor both encrypts a victim's data and takes a copy which they threaten to publish if payment is not made. Lynx has only been active since July 2024 but has already targeted over 100 victims.

Australian Cyber Security Centre publications

The ACSC published several interesting articles / advisories in January:

Mobius v Inoteq case on Business Email Compromise (BEC) fraud finds victim responsible for verifying payment details

In January a Western Australian court released a finding on a case involving Business Email Compromise. The court held that even though the payee's email system was hacked and account details changed via email, the organisation paying the invoice was obliged to take active steps to verify that the account changes were legitimate. Because the payer didn't take sufficient steps to verify the account changes, it was liable for the loss. We have summarised the facts of the case and provided a list of recommendations based on the court findings here.

Takeaways for Australian organisations

In terms of takeaways for Australian organisations, three key areas demand attention: Business Email Compromise (BEC) fraud, Operational Technology (OT) security, and ransomware resilience.

  1. Strengthen Business Email Compromise (BEC) Defences. The recent WA court ruling highlights that businesses are responsible for verifying payment details, even when a supplier's email is compromised. Organisations should ensure that their BEC defences are in place, including implementing strict payment verification protocols, enforcing multi-factor authentication (MFA), and using out-of-band confirmation for account changes.
  2. Secure Operational Technology (OT) from Cyber Threats. The ACSC warning that insecure OT systems are being actively targeted due to weak authentication and unpatched vulnerabilities suggests that Australian organisations using OT should review their OT systems against CISA's Secure by Demand guidelines.
  3. Enhance Ransomware Resilience. Recent (and ongoing) attacks on Australian councils and manufacturers highlight the persistent threat of ransomware, particularly double extortion tactics. Organisations should continue to focus on ransomware resilience, including maintaining secure backups, using endpoint detection and response (EDR) tools, and ensuring third-party suppliers follow strong cybersecurity practices to reduce ransomware risks.
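As an added illustration of the first takeaway (not code from Fortian or from the Mobius v Inoteq judgment), the sketch below models a payment-detail change gate: a supplier's bank details requested by email are held until confirmed by a call to the number already on file, never to a number quoted in the request. Supplier names, BSBs, account and phone numbers are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Supplier:
    """Supplier master record. phone_on_file is the number captured at
    onboarding, never one taken from a later e-mail."""
    name: str
    bsb: str
    account: str
    phone_on_file: str

@dataclass
class ChangeRequest:
    """A request to alter a supplier's bank details, however it arrived."""
    supplier: str
    new_bsb: str
    new_account: str
    channel: str                            # "email", "portal", "phone" ...
    callback_phone: Optional[str] = None    # number quoted in the request, if any
    confirmed_on_file_number: bool = False  # staff rang phone_on_file and got a yes

def review_change(s: Supplier, req: ChangeRequest) -> tuple[str, list[str]]:
    """Decide whether a bank-detail change may be applied.
    Returns ("approve" | "hold", reasons). The control the court finding points
    to: a change is held until confirmed over a channel the payer already trusts."""
    reasons: list[str] = []
    if (req.new_bsb, req.new_account) == (s.bsb, s.account):
        return "approve", ["no change to bank details"]
    if req.channel == "email":
        reasons.append("bank-detail change arrived by email (BEC pattern)")
    if req.callback_phone and req.callback_phone != s.phone_on_file:
        reasons.append("request quotes a phone number not on file; do not call it")
    if not req.confirmed_on_file_number:
        reasons.append(f"await confirmation via call to number on file ({s.phone_on_file})")
        return "hold", reasons
    return "approve", reasons

def apply_change(s: Supplier, req: ChangeRequest) -> Supplier:
    """Apply only an approved change; otherwise leave the record untouched."""
    decision, _ = review_change(s, req)
    if decision != "approve":
        return s
    return Supplier(s.name, req.new_bsb, req.new_account, s.phone_on_file)

# Constructed sample data (not from any real incident).
ACME = Supplier("Acme Supplies", "000-000", "11111111", "+61 2 0000 0000")
EMAIL_SWITCH = ChangeRequest("Acme Supplies", "999-999", "22222222", "email",
                             callback_phone="+61 4 0000 0000")

if __name__ == "__main__":
    print(review_change(ACME, EMAIL_SWITCH))
```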