Ben Watson & Allan Grant | SOC Analysts | 2 July 2025

Welcome to Fortian's June 2025 cyber environment summary!

June 2025 was marked by U.S. airstrikes on Iranian nuclear sites, which triggered retaliatory cyber activity and warnings from security agencies, while China-linked threat actors were implicated in coordinated espionage campaigns targeting critical infrastructure in Canada, the Czech Republic, and the U.S.

In parallel, the U.S. administration reversed cybersecurity mandates via Executive Order 14306, sparking concern about a weakening of federal cyber standards.

Closer to home, Australia saw a string of ransomware attacks, insider threats, and the Australian Cyber Security Centre (ACSC) issued multiple advisories on vulnerabilities, phishing campaigns, and ransomware operations.

Iran, Israel and U.S. conflict

On 21 June 2025, the US launched "Operation Midnight Hammer" a major airstrike on Iranian nuclear sites. In the aftermath, cyber activity linked to Iranian and pro-Palestinian threat actors increased significantly. Reported incidents included:

• Widespread denial of service and hacking attacks by hacktivist groups targeting Israeli infrastructure (CyberPress)
• Hacking and denial of service attacks against U.S. banks, defense contractors and oil industry companies. (abc news)
• A threat by an Iran-linked group, previously responsible for hacking President Trump's 2024 campaign, to release emails allegedly stolen from his associates. (Axios)

As part of the conflict, Israeli affiliated groups also launched cyber-attacks against Iranian infrastructure and organisations. (Wired)

The U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) issued separate advisories warning of ongoing cyber threats from pro-Iranian actors and hacktivists. These threats were directed in particular at Defence Industrial Base (DIB) organisations, especially those with links to Israeli research and defence sectors. (DHS advisory, CISA advisory)

Separately, in the past, the Australian Signals Directorate (ASD) has co-authored a joint advisory in 2024 with U.S. agencies highlighting Iranian state-sponsored cyber operations. These actors were observed using advanced techniques to compromise critical infrastructure, including brute-force methods such as password spraying and multi-factor authentication (MFA) push bombing to gain initial access. (ASD advisory)

The Australian government has expressed support for the U.S. airstrikes on Iranian nuclear facilities. In the wake of these events, U.S. authorities have warned of an elevated threat environment. Australian organisations, particularly those with Israeli affiliations should remain vigilant, as they may be at increased risk of retaliatory cyber activity by Iranian or affiliated threat actors.

Other nation-state related cyber activity

In June, the U.S, Czech Republic and Canada reported Chinese state-sponsored cyberattacks targeting national critical infrastructure:

• Czech Republic: Authorities accused China-linked threat actor APT31 of attempting to infiltrate the Ministry of Foreign Affairs' unclassified network, describing the campaign as a targeted cyber-espionage effort that began in 2022. The investigation revealed impacts to national critical infrastructure, including access to unclassified government systems. (The Record)
• Canada: The Canadian government attributed an attack on a telecommunications provider to Chinese threat group 'Salt Typhoon', the same actor previously linked to breaches of U.S. telecom companies. The attackers exploited a Cisco vulnerability to modify three network devices and covertly harvest system logs. (BleepingComputer)
• U.S. In July, satellite communications company Viasat was also identified as a victim of China's Salt Typhoon cyber-espionage group. The attackers exploited vulnerabilities to breach Viasat's network, which provides satellite broadband services to governments worldwide, as well as to aviation, military, energy, maritime, and enterprise customers. The breach raised concerns about the security of critical communications infrastructure. (PCMag)

China responded with its own accusations, alleging that 20 Taiwanese hackers conducted attacks against Chinese military, aerospace, energy, and government systems. Authorities in Guangzhou issued public bounties for information leading to their arrest. Taiwan strongly denied the claims, calling them politically motivated and accusing China of being the true aggressor in cyberspace. (Reuters)

US Cyber Executive Order

In June 2025, U.S. President Trump issued Executive Order (EO) 14306, amending prior cybersecurity directives issued under Biden and Obama (EO 14144 (2025) and EO 13694 (2015) respectively). This order amends the US's approach to cyber security, including by:

• Expanding the list of adversarial nations: The executive order explicitly identifies Russia, Iran, and North Korea alongside China as significant cyber threats to the United States. Previous executive orders named only China as a cyber threat.
• Modifying software security requirements: It removes mandates for software vendors to provide secure development attestations and for the Cybersecurity and Infrastructure Security Agency (CISA) to validate them, indicating a reduction in federal oversight.
• Altering identity management protocols: The order rescinds previous requirements for federal agencies to implement phishing-resistant authentication methods, potentially reducing security requirements for federal identity solutions.
• Reducing the scope of sanctions. The executive order changes the rules so that sanctions can now only be applied to foreign individuals or groups. The original order (EO 13694) allowed sanctions against anyone, including U.S. citizens, if they were involved in serious cyberattacks from outside the U.S. This change means that American citizens can no longer be penalised under this specific order, which narrows its reach.

The executive order marks a shift in U.S. cybersecurity policy, rolling back Biden-era requirements for secure software development and phishing-resistant identity controls. While it increases focus on foreign cyber threats, industry analysis indicates the overall direction potentially weakens U.S. federal cybersecurity standards, raising concerns that efficiency is being prioritised over resilience. (Wilmerhale, forbes.com, Securityweek, Wiley)

WhatsApp banned for US House of Representatives

The U.S. House of Representatives banned WhatsApp from all government-issued devices due to cybersecurity concerns. A memo from the Chief Administrative Officer cited WhatsApp as a "high risk" due to:

• A lack of transparency in how it protects user data
• The absence of encryption for stored messages
• Potential security vulnerabilities associated with its use

House staff are now required to remove WhatsApp from all official devices, including mobile phones, desktops, and web browsers. Approved alternatives include Microsoft Teams, Signal, Apple's iMessage and FaceTime, and Amazon's Wickr.

Predictably, Meta, WhatsApp's parent company, disagreed with the decision, emphasising that WhatsApp messages are end-to-end encrypted by default, offering a high level of security.

This action aligns with the House's broader efforts to mitigate cybersecurity risks, following previous bans on apps like TikTok and restrictions on certain AI tools. (Guardian)

The WhatsApp ban comes in the wake of "Signal-gate", which involved leaked Signal messages from congressional staff which has heightened scrutiny of messaging apps and triggered a broader push to reassess the security posture of all communications platforms used in government.

Australian Cyber Incidents

June saw ongoing cyber incidents across Australia, with ransomware groups and insider threats affecting financial services, education, engineering, and IT sectors. Attackers exfiltrated large volumes of sensitive data and used double-extortion tactics, while one high-profile arrest highlighted the ongoing risks posed by insider threats.

• NSW-based financial services firm Skeggs Goldstien confirmed a ransomware attack by the Qilin gang, which claims to have exfiltrated 500GB of client and tax data. The group published samples and threatened to leak the full dataset by 24 June. Qilin is a known ransomware group that is believed to be operating out of Eastern Europe and has previously targeted several Australian organisations. (Cyber Daily)
• A former Western Sydney University student was charged with 21 offences for hacking university systems over several years, initially to avoid parking fees. She allegedly escalated to changing grades, stealing over 100GB of data, and demanding $40,000 in cryptocurrency. Incidents like this highlight the importance of managing insider risk. The arrest follows several previous cyber incidents at Western Sydney University, including a 2022 breach where attackers accessed staff payroll data. (Guardian)
• Western Australian engineering firm Pressure Dynamics was targeted by DragonForce, which stole and leaked 106.84GB of sensitive documents and medical records. The group, linked to LockBit, listed the breach as its 187th victim. (West Australian)
• Sydney-based managed services provider Vertel was hit by the Space Bears group, which claims to have stolen databases and financial documents. A public leak was threatened by the end of June. (Cyber Daily)

ACSC Advisories

In June 2025, the Australian Cyber Security Centre (ACSC) released three advisories addressing critical infrastructure vulnerabilities, ransomware threats, and phishing scams impersonating the ACSC itself.

• Critical Citrix NetScaler Vulnerabilities. The ACSC issued an alert on two critical vulnerabilities (CVE-2025-5777 and CVE-2025-5349) affecting Citrix NetScaler ADC and Gateway products. These flaws are caused by improper input validation and access control and could enable unauthorised access and data exfiltration. The vulnerabilities affect multiple product versions, including those no longer supported, prompting Citrix to advise immediate patching to the latest supported builds. Exploitation of these vulnerabilities could compromise the security of networks relying on these appliances. (ACSC)
• Scammers impersonating the ACSC. The ACSC issued a warning about a campaign in which scammers impersonate the ACSC to trick individuals into downloading malicious software or disclosing sensitive information. These emails and phone calls use official-looking branding and create a false sense of urgency, sometimes falsely claiming government endorsement of antivirus tools or cryptocurrency platforms. (ACSC)
• Play ransomware group advisory. The ACSC, alongside international cybersecurity partners, released a joint advisory under the #StopRansomware initiative, detailing updated intelligence on the Play ransomware group. The alert outlines the group's known methods, such as exploiting public-facing applications and using remote access tools for lateral movement. It provides indicators of compromise (IOCs) and practical mitigation advice, including access control, segmentation, and enhanced logging. The advisory is part of broader efforts to combat ransomware through coordinated global information sharing. (ACSC)

Takeaways for Australian organisations

Australian organisations should consider undertaking the following actions:

• Heightened vigilance, driven by geopolitical events. The U.S. airstrikes on Iranian nuclear facilities have triggered a surge in retaliatory cyber activity from Iran-linked threat actors. While the primary targets are U.S. and Israeli defence and infrastructure, Australian organisations, particularly those with links to Israeli or U.S. sectors, may face increased risk and should adopt heightened vigilance.
• Patch vulnerable systems. Australian organisations should assess whether they are affected by the Citrix vulnerabilities highlighted in the ACSC's critical advisory on NetScaler ADC and Gateway products. If so, immediate patching is strongly recommended. The advisory reinforces the broader message that known flaws in internet-facing systems remain one of the most common pathways to compromise.
• Strengthen ransomware mitigations. June saw multiple ransomware incidents across Australia, with Qilin, DragonForce, and Space Bears targeting financial, engineering, and IT providers. These groups used double-extortion tactics and threatened public leaks, which heighten the importance of strong incident response plans, secure data backups and multi-factor authentication.