Ben Watson & Allan Grant | SOC Analysts | 2 June 2025

Welcome to Fortian's May 2025 cyber environment summary!

May 2025 saw a wave of significant cybersecurity activity globally and in Australia. Coordinated international operations disrupted major malware networks under Operation Endgame, while Microsoft launched legal action against the operators of Lumma Stealer. Nation-state activity continued to escalate, with Chinese campaigns targeting former U.S. government employees and embedded vulnerabilities in infrastructure systems, and Russian-linked groups focusing on NATO-aligned organisations.

In Australia, ransomware attacks and data breaches affected both private firms and public agencies, including incidents at Ausfec Limited and the Australian Human Rights Commission. The Office of the Australian Information Commissioner reported a record number of notifiable data breaches, underscoring persistent gaps in breach detection.

Globally, Coinbase reported a breach affecting 69,000 customers, and international agencies released new guidance on emerging vulnerabilities in machine learning systems. The Australian Cyber Security Centre issued critical alerts on Ivanti EPMM vulnerabilities and, alongside partners such as the U.S. CISA, called for stronger protections across the AI lifecycle. Meanwhile, a U.S. court order requiring OpenAI to retain historical model outputs raised broader concerns about data governance, privacy obligations, and legal exposure for organisations using generative AI platforms.

International cyber updates

UK Intensifies Cyber Strategy Against Adversarial States

In May 2025, the United Kingdom announced a significant escalation in its cyber defence strategy, with Defence Secretary John Healey revealing plans to intensify offensive cyber operations against adversarial states such as Russia and China. This strategic shift comes in response to a doubling of cyberattacks on the Ministry of Defence over the past two years, reaching 90,000 incidents attributed to state-linked sources. This marks the first time a UK minister has explicitly acknowledged the country's engagement in state-on-state cyberattacks, underscoring a commitment to modernising the armed forces to address the evolving landscape of digital warfare. The Times

This announcement comes several months after the US has reportedly halted offensive cyber operations against Russia.

International Cybercrime Crackdown

In May 2025, coordinated international law enforcement efforts targeted key cybercrime networks, resulting in infrastructure takedowns, legal actions, and marketplace closures.

• Operation Endgame. Authorities from the EU, US, Canada, and other European countries conducted "Operation Endgame," a coordinated international crackdown on malware networks. Over 300 servers were taken down, 650 domains neutralised, and £3.5 million in cryptocurrency was seized. The operation targeted "initial access malware" used to breach systems and deploy ransomware. Twenty individuals were criminally charged, with 18 suspects added to the EU Most Wanted list. Source
• Microsoft Legal Action: Lumma Stealer. Microsoft's Digital Crimes Unit filed legal action against the operators of Lumma Stealer, a malware that infected nearly 400,000 Windows devices globally in just two months. Created by a Russian actor known as "Shamel," Lumma is distributed via Telegram and Russian forums and is used to steal credentials and personal data. Microsoft's objective is to dismantle key tools in the cybercrime ecosystem. Source
• Telegram Shuts Down Chinese Black Markets. Telegram shut down two large Chinese-language black markets, Xinbi Guarantee and Huione Guarantee operating on the Telegram platform, which facilitated over $35 billion in illicit transactions. These marketplaces were reportedly used for scamming, laundering, and trading stolen data. Huione, linked to a Cambodian conglomerate associated with North Korea's Lazarus Group, was later banned from the US financial system. Source
• Qakbot Leader Indicted. US authorities indicted Rustam Rafailevich Gallyamov, the alleged head of the Qakbot malware network, which compromised over 700,000 systems worldwide. Qakbot functioned as a banking trojan and ransomware enabler. The FBI seized $24 million in cryptocurrency linked to the operation. Source

OpenAI's Data Retention Order and AI Data Security Concerns

• A US federal judge has ordered OpenAI to preserve all output data from its models, including temporary or deleted ChatGPT chats, in connection with a copyright lawsuit brought by The New York Times. The order, which OpenAI has sought to challenge, raises concerns about user privacy and legal exposure, particularly regarding historical user interactions that would otherwise be erased. Although the judge clarified that the data would not be made public, the ruling has privacy and data security implications. Source
• On the security front, it increases cyber risk, as OpenAI must now store greater volumes of potentially sensitive data for longer periods. Organisations should be aware that any retained user content may become subject to litigation discovery or government access. For organisations using OpenAI services, this development warrants a review of how sensitive information is handled. Organisations that do not formally use OpenAI products may be affected if staff independently use ChatGPT for work-related tasks. This reinforces the importance of providing staff with guidance on the safe use of generative AI. In this context, the court ruling is not just a vendor issue, but a broader data governance concern that all organisations should address.

Chinese Cyber Operations

• Chinese Intelligence Operation Targets Laid-Off US Government Employees. A Chinese intelligence operation was uncovered aimed at recruiting recently laid-off US federal employees. The campaign used a network of fake consulting firms all linked via a Chinese-owned server, a shared SSL certificate and a Chinese email provider (chengmail.com). A legitimate Chinese company, Smiao Intelligence, appears to be coordinating the broader effort. Fake job advertisements, such as one posted on Craigslist pointing to a Singapore-based firm, were used to lure targets. This reflects a recurring strategy by Chinese intelligence services to exploit workforce instability for infiltration purposes. Source: FDD
• Unauthorised Communication Devices Found in Chinese Solar Inverters. US officials have discovered unauthorised communication components, including cellular radios, embedded in Chinese-manufactured solar inverters, which are used to convert solar energy for grid use. These components were undocumented and raised concerns about possible surveillance or remote manipulation of energy infrastructure. The finding comes amid growing international caution regarding Chinese-made technology, following bans on DeepSeek's AI products and TP-Link routers by the US and Australia. The potential for compromised hardware in energy systems has prompted calls for tighter supply chain scrutiny and may lead to broader restrictions. Source: Reuters
• Chinese Threat Actors Exploit Vulnerability in Trimble Cityworks Software. A Chinese-affiliated threat actor, UAT-6382, exploited a zero-day vulnerability (CVE-2025-0994) in Trimble's Cityworks platform, which is widely used by local governments and infrastructure providers in the US. The flaw enabled remote code execution and allowed attackers to deploy tools such as Cobalt Strike and VShell for persistence, reconnaissance and data exfiltration. Although the vulnerability has been patched, the attack highlights the increasing focus of Chinese cyber actors on public sector software and the critical importance of timely patch management in safeguarding government networks. Source: Field Effect

Russian and North Korean Cyber Operations

• Russian State-Sponsored Cyber Campaigns Against Ukraine Supporters. In May 2025, Australia, the United Kingdom, United States, France and Germany issued a joint advisory highlighting an ongoing Russian state-sponsored cyber campaign targeting organisations that have provided active support to Ukraine. The campaign, attributed to Russia's military intelligence services, focuses on defence, logistics, IT, air traffic and maritime sectors across NATO-aligned countries. Authorities warned that these operations are designed to disrupt aid delivery and critical infrastructure, urging organisations to adopt stronger cyber defences. Source: CISA
• North Korean Espionage Activity Supporting Russia. The North Korean state-sponsored group Konni (also known as TA406) has been observed targeting Ukrainian government agencies as part of broader intelligence-gathering activities that may support Russian military interests. Konni's campaigns involve phishing emails impersonating think tanks and referencing political or military developments to lure recipients. Victims are redirected to MEGA-hosted downloads containing a .CHM file, which executes PowerShell commands designed to collect reconnaissance data and establish persistence. North Korea's cyber involvement aligns with its broader military support for Russia, which reportedly began in late 2024. Source: Bleeping Computer

International Cybersecurity Incidents

• Exposure of 184 Million Login Credentials. In late May, a cybersecurity researcher, Jeremiah Fowler, uncovered an unprotected online database containing over 184 million unique login credentials linked to services such as Google, Apple, Microsoft, Facebook, and various financial and government platforms. The data, believed to have been harvested through infostealer malware, included usernames, passwords, and sensitive personal information. The database lacked encryption and password protection, making it easily accessible to cybercriminals. Following Fowler's discovery, the hosting provider took the database offline, but the owner remains unidentified. Source
• LexisNexis Data Breach Affects Over 364,000 Individuals. LexisNexis Risk Solutions, a prominent data broker, disclosed a data breach impacting more than 364,000 individuals. The breach involved unauthorised access to personal information, including names, addresses, and Social Security numbers. The company is collaborating with law enforcement and has initiated measures to notify affected individuals and mitigate potential risks. TechCrunch
• Facebook Faces Alleged Breach of 1.2 Billion Accounts. A hacker operating under the alias ByteBreaker claimed to have scraped data from 1.2 billion Facebook accounts, including names, user IDs, email addresses, phone numbers, birthdates, and location details. The data is reportedly being offered for sale on the dark web. Cybersecurity researchers are investigating the legitimacy of the claim, and Facebook has yet to confirm the breach. Daily Mail

Australian Cybersecurity Developments

Australian Government Developments

• In May 2025, the Victorian Government announced a $100 million investment to enhance cybersecurity across public sector agencies, as part of the 2025-26 state budget. Approximately one-third of this funding is allocated over three years to the 'Cyber Safe Victoria 2026+' initiative, aimed at identifying threats, protecting against attacks, and responding to incidents within public sector organisations. The Department of Health will receive $20.2 million in 2025-26 for the 'Safer Digital Healthcare Program', which includes next-generation antivirus protections and network infrastructure upgrades to support services like pathology and patient management systems. Fire Rescue Victoria is set to receive $17.1 million over three years to strengthen its cybersecurity measures, following a significant cyberattack in 2022 that disrupted its IT systems. These investments align with the state's broader digital strategy to bolster the resilience and security of government services. iTnews

Australian Cyber Security Centre Advisories

• In May 2025, the Australian Cyber Security Centre (ACSC) issued a critical alert regarding two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), identified as CVE-2025-4427 and CVE-2025-4428. When exploited together, these vulnerabilities enable unauthenticated remote code execution, posing a significant threat to affected systems. All versions of Ivanti EPMM up to and including 12.5.0.0 are impacted. The ACSC strongly advises Australian organisations and government entities to assess their networks for the presence of Ivanti EPMM, apply the latest patches available through Ivanti's download portal, and consult Ivanti's advisory for additional remediation guidance. Cyber.gov.au
• The ACSC, along with international partners including the NSA, FBI, and CISA, released new guidance on AI data security. The advisory highlights the need to protect data across the AI lifecycle against threats such as data poisoning, unauthorised access, and model drift. It stresses the importance of validating data integrity, limiting access, and enforcing secure development practices to reduce exposure to malicious interference. Source: cyber.gov.au

Australian Data Breach Report

• OAIC Data Breach Report: July to December 2024. In May 2025, the Office of the Australian Information Commissioner (OAIC) released its latest Notifiable Data Breaches report, covering the period from July to December 2024. The report revealed a record 595 data breach notifications, marking a 15% increase compared to the previous half-year and the highest total since the NDB scheme began. Criminal activity remained the dominant cause of breaches, with phishing attacks leading the charge. The health sector and Australian Government agencies were the most affected industries. Notably, government agencies also recorded the slowest breach identification and notification times, and saw a sharp rise in impersonation-based attacks.

Key statistics from the report:

• 595 breaches reported (up 15%), highest on record under the NDB scheme
• 69% of breaches caused by malicious or criminal attacks
• Phishing was the most common method used
• The health sector accounted for 20% of reported breaches
• Government agencies reported 17% of breaches
• 46% increase in impersonation and social engineering attacks in government
• 74% of government breaches took over 30 days to identify
• 66% of government breaches took more than 30 days to report. Source: OAIC

Australian Security Incidents

• Ausfec Limited Targeted by Ransomware Group "J". In May 2025, Australian food distribution company Ausfec Limited, operating as The Distributors, was targeted by a ransomware group identified as "J." The group claimed responsibility for exfiltrating approximately 204GB of data, including over 120,000 files containing client agreements and financial documents. While no data has been publicly released, file listings reportedly reference operations and customers such as Red Bull and 7-Eleven. The incident underscores the ongoing risks faced by supply chain operators and their partners in the food and retail sectors. CyberDaily
• Australian Human Rights Commission Data Breach. The Australian Human Rights Commission (AHRC) confirmed a data breach involving the inadvertent public exposure of approximately 670 documents submitted via its website between March and May 2025. Around 100 of these documents were accessed online through search engines before the issue was discovered. The exposed materials included sensitive personal information such as names, addresses, contact details, health and education history, religion, and photographs. The breach was not the result of a cyberattack but stemmed from an internal publication error. The AHRC has since disabled its web forms, launched an internal investigation, notified the Office of the Australian Information Commissioner, and is actively working to remove the data from online indexing. iTnews
• Watkins Steel Suffers Akira Ransomware Attack. Brisbane-based steel subcontractor Watkins Steel reported a ransomware attack by the Akira group, a known ransomware-as-a-service operation. The attackers claim to have stolen 17GB of sensitive data, including employee records, client details, financial documents, and project information. Watkins Steel confirmed it has notified staff, informed the Australian Cyber Security Centre, and assured stakeholders that business operations have not been disrupted. This incident reflects the ongoing targeting of mid-sized industrial and construction-sector firms by opportunistic ransomware groups. VPNRanks

Takeaways for Australian Organisations

Australian organisations should undertake the following actions:

• Apply urgent patches to Ivanti Endpoint Manager Mobile (EPMM) to mitigate CVE-2025-4427 and CVE-2025-4428, which together allow unauthenticated remote code execution.
• Monitor ransomware trends closely, as global crackdowns are fragmenting major threat groups and giving rise to new actors. Maintain updated threat intel feeds and active endpoint monitoring.
• Strengthen AI data governance, consistent with Australian government advice, especially where generative AI tools are in use. In light of evolving legal obligations (e.g. OpenAI retention orders), protect sensitive inputs and outputs and define business-wide usage policies relating to the use of AI.