Ben Watson & Alan Grant | SOC Analyst | 4 April 2025
Welcome to Fortian's March 2025 cyber environment update!
March saw new revelations of historical Chinese state-sponsored cyber activities targeting U.S. critical infrastructure. A report revealed new details that the threat actor known as Volt Typhoon had infiltrated the U.S. electricity grid in February 2023, maintaining undetected access for approximately 300 days until November 2023. During this period, they allegedly exfiltrated sensitive data, including geographic information system data detailing the layout of energy systems. (SecurityWeek)
In response to Chinese incursions into U.S. critical infrastructure, including the Salt Typhoon attacks against U.S. telecommunications sector companies, a coalition of Senate Republicans urged the Trump administration to initiate offensive cyber operations against China. They highlighted the persistent nature of Chinese cyber threats and advocated for decisive action to secure America's critical networks. (NextGov)
Further emphasising concerns about China, March saw the release of the U.S. Intelligence Community's 2025 Annual Threat Assessment, which identified China as the most comprehensive and robust cyber threat to the U.S., noting its likely increase in coercive actions towards Taiwan and ambitions to surpass U.S. advancements in artificial intelligence by 2030. (DNI.gov)
Aside from China, the Threat Assessment identified that:
Despite ongoing cyber threats, the Trump administration implemented cuts affecting cybersecurity resources. In March, the Department of Homeland Security terminated the Critical Infrastructure Partnership Advisory Council (CIPAC), a key forum for public-private collaboration on cybersecurity policies and threat intelligence sharing. This raised concerns about weakened information sharing with the private sector and increased vulnerabilities in critical infrastructure. (Axios)
Additionally, the administration dismantled the U.S. Agency for Global Media, which operated Voice of America and Radio Free Asia—organizations established to counter disinformation from adversarial nations. This action has sparked debate over the potential impact on the U.S.'s ability to combat foreign propaganda. (DarkReading)
In the wake of these layoffs, reports emerged of a Chinese network attempting to recruit recently dismissed U.S. federal employees, particularly those with expertise in artificial intelligence. The nature and intent of these recruitment efforts have raised suspicions about potential connections to the Chinese government and its strategic objectives. (Reuters)
It remains to be seen how these changes to U.S. cybersecurity policy and operational capability affect the broader international cybersecurity environment.
Globally, the Medusa ransomware-as-a-service operation continued to pose a major challenge. As of February 2025, Medusa developers and affiliates had impacted over 300 victims across sectors including medical, education, legal, insurance, technology, and manufacturing. The group runs a double-extortion model: it encrypts victim data and threatens to publish the stolen copy unless a ransom is paid. CISA's advisory recommends mitigations including prompt patching of internet-facing systems, network segmentation and phishing-resistant multi-factor authentication. (CISA)
In other news, Oracle, a U.S. software and technology company, reportedly suffered a major cyber incident potentially impacting over 140,000 clients. A threat actor is alleged to have breached one of Oracle's federated SSO login servers at login.us2.oraclecloud.com by exploiting an unpatched vulnerability, and to have exfiltrated over 6 million client records. Organisations can check whether they were impacted by visiting exposure.cloudsek.com/oracle.
Federal investigators in the U.S. have linked a $150 million cryptocurrency theft to the 2022 LastPass data breach. The attackers reportedly cracked the master passwords of vaults stolen in that breach offline, then used the decrypted contents to access cryptocurrency wallets, particularly those of users who had stored seed phrases and private keys in LastPass's 'Secure Notes' feature. The case highlights the long tail of a credential-store compromise: stolen encrypted vaults can be attacked for years after the breach, and concentrating highly sensitive secrets in a password manager means a single cracked master password exposes all of them. (KrebsOnSecurity)
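The attack described above is an offline dictionary attack: once the encrypted vaults are in hand, each master-password guess can be tested locally with no rate limiting, so the only things standing between the attacker and the secrets are the password's guessability and the cost of the key-derivation function. The following is an added illustration written for this newsletter, not code from LastPass or from the reporting cited; it models a vault as nothing more than a salt, a PBKDF2 iteration count and a verifier derived from the master password (a toy format, not LastPass's), and the wordlist and passwords are constructed. The iteration counts compared are illustrative: LastPass's documented default was 100,100 PBKDF2-SHA256 iterations, and far lower counts on older accounts were reported after the breach.

```python
"""Toy offline dictionary attack against stolen, KDF-protected vault records."""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

VERIFIER_LABEL = b"vault-verifier"  # constructed label; real products differ


def make_vault(master_password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Build a constructed 'stolen vault' record: salt, iteration count, verifier.

    The verifier is an HMAC under the derived key. An attacker holding the
    record can confirm a guess without ever talking to the service.
    """
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check_guess(vault: dict, guess: str) -> bool:
    """Re-derive the key from a candidate master password and compare verifiers."""
    key = hashlib.pbkdf2_hmac("sha256", guess.encode(), vault["salt"], vault["iterations"], dklen=32)
    tag = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(tag, vault["verifier"])


def crack(vault: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry that unlocks the vault, or None."""
    for candidate in wordlist:
        if check_guess(vault, candidate):
            return candidate
    return None


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the attacker's per-guess cost for a given iteration count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations, dklen=32)
    return (time.perf_counter() - start) / samples


# Constructed wordlist standing in for the leaked-password lists attackers use.
WORDLIST = ["password", "letmein", "Summer2022!", "correcthorse", "Tr0ub4dor&3"]


if __name__ == "__main__":
    weak_vault = make_vault("Summer2022!", iterations=5_000)
    strong_vault = make_vault("gravel-orbit-lantern-quietly-9", iterations=600_000)

    print("weak vault cracked with:", crack(weak_vault, WORDLIST))
    print("strong vault cracked with:", crack(strong_vault, WORDLIST))

    # Per-guess cost scales linearly with the iteration count; a low count on an
    # old account makes every stolen vault cheaper to attack.
    for iterations in (5_000, 100_100, 600_000):
        ms = seconds_per_guess(iterations) * 1000
        print(f"{iterations:>7} iterations: {ms:6.1f} ms per guess on one core")
```

The verifier check stands in for whatever a real attacker does to confirm a guess (typically decrypting a known field of the vault); the point is that every step is local, so the defender's only levers are a master password that does not appear in any wordlist and a key-derivation cost high enough to make each guess expensive.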
Australia's 2025 Federal Budget revealed no new spending on cybersecurity in 2025. While the budget mentions $60 million that was previously committed to support small business cybersecurity capabilities, no major new initiatives to enhance national cyber resilience were introduced. (CyberDaily)
In his Budget reply, Opposition Leader Peter Dutton criticised the Budget's lack of emphasis on national security and defence, but mentioned cyber only once, in the context that the Coalition would "encourage new areas of the economy… like… cyber security". (Peter Dutton)
Given the above, it would appear that cybersecurity is not a top-tier issue for either party, possibly taking a back seat to other political concerns.
In March, the ACSC advised organisations to urgently patch two critical vulnerabilities for which proof-of-concept (PoC) exploit code is publicly available. No exploitation in the wild has been reported so far; however, public PoC code makes it very likely that threat actors will target these vulnerabilities. Fortian recommends Australian organisations review their use of the affected software and patch urgently if impacted. (cyber.gov.au)
The Australian Securities and Investments Commission (ASIC) has initiated legal action against FIIG Securities Limited (FIIG), alleging that between 13 March 2019 and 8 June 2023 FIIG failed to implement adequate cybersecurity measures. ASIC alleges these failures allowed a cyber intrusion beginning on 19 May 2023, during which approximately 385GB of data, including sensitive personal information of FIIG's clients, was stolen and subsequently published on the dark web.
ASIC alleges the deficiencies included a lack of appropriately configured and monitored firewalls, failure to update and patch software to address security vulnerabilities, the absence of mandatory cybersecurity training for staff, and insufficient allocation of resources to manage cybersecurity risk. These failures, ASIC contends, exposed FIIG and its clients to heightened and unreasonable cybersecurity risk, culminating in the May 2023 data breach. (ASIC)
Brydens Lawyers suffered a cyber incident after an unknown threat actor gained unauthorised access to the firm's servers. A party claiming responsibility for the breach stated online that it had exfiltrated 600 gigabytes of data, including case, client and staff data, and would release the data unless a ransom was paid. Brydens Lawyers obtained an injunction after the breach to prevent the further dissemination of the data by other entities. (Lawyers Weekly)
The NSW Online Registry website suffered a major data breach. Approximately 9,000 sensitive court files, including apprehended violence orders and affidavits, were downloaded by an unknown third party. NSW Police confirmed they were investigating and advised anyone who believes they may have been impacted to report their case through ReportCyber. (iTnews)
Finally, Sydney Tools exposed over 5,000 employee records and 34 million customer orders after one of its ClickHouse databases was left unprotected online. The data included sensitive payroll information and personally identifiable information. News of the leak emerged on 26 March, when researchers stated the database was still exposed online. (Daily Security Review)
Australian organisations should undertake the following tactical actions:
Request a consultation with one of our security specialists today.