While financial crime is the most common driver of cyber attacks against Australian entities, espionage is still a key concern of cyber professionals, according to a new report from a local cyber security firm.
There is a phrase among cyber security professionals that speaks to the amount of time it takes to detect a threat on a network – unsurprisingly, it’s called time to detect, or TTD.
This is measured from the very first intrusion on a network up to the point that malicious activity is detected.
Not ejected, mind, merely detected. The time to identify, eject, and remediate the effects of a malicious intrusion is often far longer than the TTD.
What makes this figure interesting – the average time it takes to detect a malicious actor – is the incredible difference between criminal actors and those with espionage on their minds. In the former case – such as financially motivated ransomware groups – the time to detect such activity was 23.7 days, on average, according to a recent report from Australian cyber security firm CyberCX.
That may sound like a long time, and for anyone realising a hacker has been sifting through their network for almost four weeks, it probably is. However, when it comes to cyber espionage, such as nation-state-backed actors from countries like China and North Korea, that figure balloons out to a terrifying 403.8 days.
Put another way, on average, by the time a government agency or telco operator, for instance, even notices they’ve been compromised, the hackers have already had access to their network – and any data on it – for more than a year.
Possibly even more alarming is that the time to detection figure has grown by roughly two weeks compared to 2023.
The Chinese threat
Hamish Krebs, executive director of digital forensics and incident response at CyberCX – which published its CyberCX 2025 Threat Report last week – said that while CyberCX itself does not explicitly attribute espionage activity to specific actors, “it’s well documented that Australia and New Zealand continue to be a target for cyber intrusions by nation-states or state-linked groups”.
“In July, the ASD and New Zealand’s NCSC – along with a number of partner agencies – released an advisory on APT40 (APT stands for advanced persistent threat), outlining the People’s Republic of China state-sponsored group’s ongoing threat to Australian and New Zealand networks,” Krebs told Defence Connect.
“APT40 has been observed in Australia and throughout our region breaking into computer systems to spy on the Chinese diaspora, critics of the PRC, and citizens of targeted countries.”
In 2024, for instance, the New Zealand government publicly blamed PRC-linked espionage groups for a hack on its Parliament that took place three years earlier, while other Pacific nations have also chimed in on the level of threat posed by Chinese cyber operations.
“Just last week, the government of Samoa called APT40 a ‘serious threat’ to the region, blaming the PRC-backed group for malicious cyber operations against government and critical infrastructure systems across the Pacific,” Krebs said.
“The PRC runs a massive surveillance state and, unfortunately, [has] a very long track record of exporting this in the form of cyber espionage towards other governments, political dissidents or perceived political opponents of the PRC and for commercial gain (stealing intellectual property) aligned to their political objectives. CyberCX frequently sees PRC-aligned threat groups in our hunting and response activities in our region.”
Who’s in the firing line?
Cyber espionage is a particular problem for smaller nations. While not directly attributed to any Chinese actor, CyberCX worked with an unnamed developing nation last year to rebuild government systems that a state-backed actor had compromised. The investigation found that six months after the threat actor had gained access to the network, they were able to modify the login process for Outlook in such a way that they were able to harvest user credentials going back several years.
The most commonly targeted entities in Australia, however, are organisations managing critical infrastructure.
“To be clear, over the reporting period covered in our CyberCX 2025 Threat Report, CyberCX has responded to what appears to be state-linked espionage attacks against Australian organisations, particularly against critical infrastructure,” Krebs said.
“Most state-sponsored activity is espionage, like what we see from APT40, but we do see activity that could be linked to foreign interference, too.”
Unfortunately, the defence sector is also a prime target.
“The most common types of incidents we see are state-linked espionage and insider threats, although defence organisations are not immune to financially motivated attacks or incident types like business email compromise,” Krebs said.
The attribution problem
One of the things that sometimes makes attribution difficult is that the overlap between state-sponsored activity and financially motivated cyber crime can be significant. Mandiant Consulting – part of the Google Threat Intelligence Group – noted in a recent report that there was considerable overlap between state and financially motivated operations.
Salt Typhoon, infamous for its deep penetration of US telecommunications networks in previous years, has been observed deploying ransomware in what appear to be purely financially motivated crimes. However, this could easily be a cover for other operations.
“Deliberately mixing ransomware activities with espionage intrusions supports the Chinese government’s public efforts to confound attribution by conflating cyber espionage activity and ransomware operations,” Mandiant said in a blog post titled “Cybercrime: A Multifaceted National Security Threat”.
This overlap works in the other direction as well. A hacktivist known as Uteus, who sells initial access to systems they have already compromised, is very likely a contractor with China’s Ministry of State Security and has links with several clusters of state-sponsored cyber activity.
This apparent grey zone within a grey zone not only makes direct attribution difficult but can also mask the scale of the state-sponsored threat landscape, as Krebs pointed out.
“While our report found that espionage accounted for approximately 5 per cent of incidents, the reality is that the time it takes to detect espionage is now over 400 days,” Krebs said.
“Well-resourced, state-linked groups that conduct espionage are proficient at subterfuge and covering their tracks, so it’s possible this number is higher.”