"We discovered nation-state hackers had compromised the network of an Australian critical infrastructure provider," ASIO director general Mike Burgess said, describing an intrusion that, in his words, was intended to allow an attacker to "cripple it at a time of their choosing."
Mike Burgess on sabotage, credentials and a dedicated response
In remarks accompanying ASIO's annual threat assessment, Mike Burgess said the agency found a state-sponsored group had not only gained access to a critical infrastructure provider's network but had also "successfully acquired credentials – login details and passwords – for active users of the networks, including the IT professionals guarding it." Burgess framed the intrusion as preparation for sabotage: attackers were "mapping out the network and maintaining access" rather than deploying immediate destructive code.
He said ASIO "identified, tracked and attributed the hack, and worked with the victim company and our security partners to remediate the compromise – work which is ongoing." To counter the evolving threat, Burgess announced he had "established dedicated teams to counter it," and said the scale of activity "led by one nation-state in particular – is difficult to overstate."
The compromise of an Australian critical infrastructure provider
Burgess described operational tradecraft that goes beyond simple intrusion: gaining legitimate credentials for active users, including IT staff, gives a persistent presence and elevates the potential for destructive action at a chosen time. He emphasised that the attackers "weren’t planting ‘digital dynamite’ as such; they were mapping out the network and maintaining access so they could cripple it at a time of their choosing."
ASIO's public account says remediation is a collaborative effort between the agency, the victim company and "security partners," and that the work is continuing. Burgess also warned that Australia is not alone: "We struggle to find a single country in our region that has not been compromised by this state’s cyber apparatus."
The AUKUS-focused espionage sting and a foreign intelligence service
Burgess gave a separate example of classic human-source espionage targeting information about AUKUS. According to ASIO, "a spy from a foreign intelligence service approached an Australian security clearance holder online, pretending to be from a consulting company." The spy paid the official to write two reports on Australia's relationship with Pacific neighbours and then offered money for inside information on AUKUS.
The Australian official grew suspicious, reported the contact and cooperated with ASIO. Burgess said ASIO "gained valuable insights into the foreign service’s information gaps and tradecraft" and that the official handed the money paid by the spy to ASIO. Officers then borrowed the official’s phone and rang the purported consultant in her home country; when the spy answered, she "got a very unwelcome surprise" and hung up after ASIO demanded she cease targeting Australian citizens and outlined espionage laws. Burgess added that ASIO later informed members of the foreign intelligence service that ran the operation and said, "In case they did not report it up – I’m confirming it now."
Online radicalisation, low-capability attacks, and ASIO's caseload
Burgess also flagged domestic threats from online spaces. He said individuals are increasingly radicalised by strangers online, often in weeks rather than years, sometimes as minors, and frequently within encrypted chat rooms. He warned that radicalised individuals are shifting toward "low-capability attacks with little or no warning," even as groups such as Islamic State and al-Qa'ida and their affiliates grow their capability to conduct and inspire attacks.
On counterterrorism results, Burgess said ASIO has "resolved" 14 "significant-terror related cases" since the December 2025 terror attack at Sydney’s Bondi beach, and 31 "major terrorism plots" since 2014. He said ASIO is "aggressively adopting new tools and techniques – including artificial intelligence – to navigate our security environment."
How technologists, policymakers, and affected enterprises are responding
- Technologists and security teams will be focused on credential protection and detection of persistent access. Burgess's account stresses the theft of IT staff credentials and the mapping of networks as pre-sabotage tradecraft; remediation in the ASIO case required coordination with the victim company and security partners, and remains ongoing.
- Policymakers and regulators will have to absorb ASIO’s assertion that a single nation-state has compromised much of the region’s networks, and the agency's public posture, including the Director‑General's stated right to speak publicly about specific espionage matters, may reshape legal and diplomatic levers used in response.
- Affected enterprises and procurement leaders are the named target in Burgess’s account. Companies running or supporting critical infrastructure will be watching ASIO’s dedicated counter-sabotage teams and may increase cooperation with security partners and national agencies; Burgess also invited Australians to join ASIO, including as offensive hackers, signalling the agency's appetite to expand technical capabilities.
ASIO's public account pairs a cyber intrusion that sought persistent access and credential theft with a counterintelligence success that turned an espionage approach into an intelligence gain. The agency says remediation of the cyber compromise is ongoing, its counter-sabotage teams are newly established, and the scale of nation-state activity in the region is "difficult to overstate." Whether those measures will deter future operations – or reveal how many incidents remain undiscovered – are the practical questions left standing as ASIO pushes to harden defences and broaden its technical reach.




