TL;DR
- Government agencies including Australia's ASD ACSC have co-authored advisories warning that geopolitical conflicts directly increase cyber risk for businesses — including those with no connection to the conflict.
- The documented threat pattern is opportunistic: attackers exploit unpatched software, default credentials, and internet-facing systems regardless of the target's industry or location.
- Joint advisories from CISA, FBI, NSA, and ASD ACSC provide specific, actionable mitigations that any business can implement today.
- This is a good time to review your incident response plan, verify your MFA configuration, and audit internet-facing assets.
Why Geopolitical Events Create Cyber Risk for Ordinary Businesses
When military conflicts escalate, government cybersecurity agencies consistently issue advisories warning of increased cyber risk to the private sector. This pattern is well-documented and has occurred during every major geopolitical escalation of the past decade.
The reason is structural. According to a joint advisory co-authored by the FBI, CISA, NSA, and Australia's ASD ACSC, state-affiliated cyber actors frequently "exploit targets of opportunity based on the use of unpatched or outdated software
Australia's ASD ACSC has specifically highlighted the persistence of "living off the land" techniques, where attackers blend into normal network activity, making detection harder and delaying response [2]. This technique affects organisations of all sizes.
What Government Advisories Actually Say
Several joint advisories from Five Eyes intelligence agencies directly address this threat. These are publicly available, verifiable documents that provide both context and specific mitigations.
CISA/FBI/NSA/ASD ACSC Joint Fact Sheet (June 2025)
In June 2025, during a previous escalation in the Middle East, CISA and partner agencies including Australia's ASD ACSC released a fact sheet titled "Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest." The advisory noted increasing activity from hacktivists and state-affiliated actors, and urged organisations to act immediately [1].
The recommended mitigations were straightforward:
- Identify and disconnect operational technology (OT) and industrial control systems (ICS) from the public internet.
- Protect devices and accounts with strong, unique passwords.
- Apply the latest software patches.
- Implement phishing-resistant multifactor authentication for access to OT networks [1].
CISA Advisory AA24-290A (October 2024)
This joint advisory — co-authored by the FBI, CISA, NSA, CSE (Canada), AFP, and ASD ACSC — documented specific tactics used by state-affiliated actors to compromise critical infrastructure organisations across healthcare, government, energy, IT, and engineering sectors [3].
The documented techniques included:
- Brute force and password spraying against VPN gateways, Citrix, and Microsoft 365 environments.
- MFA fatigue attacks — repeated push notifications to pressure users into approving illegitimate login attempts.
- Credential harvesting for initial access, with that access then being shared with or sold to ransomware operators [3].
This advisory is significant because it was jointly authored by Australian agencies, confirming that the threat landscape extends to Australian organisations.
CISA Advisory AA23-335A (December 2023)
This advisory documented a specific case where IRGC-affiliated actors exploited programmable logic controllers (PLCs) in US water and wastewater systems facilities. The entry vector was default credentials on internet-facing Unitronics Vision Series PLCs [4].
The lesson for businesses: any internet-facing device running default credentials is a target, regardless of the industry or the device's perceived importance.
NSA/ASD ACSC Joint Advisory on Cisco SD-WAN (February 2026)
As recently as February 25, 2026, the NSA and ASD ACSC jointly warned of active exploitation of Cisco SD-WAN systems by threat actor UAT-8616, citing CVE-2026-20127 and CVE-2022-20775 as primary attack vectors [5]. This advisory demonstrates that exploitation campaigns are ongoing and that Australian agencies are actively tracking current threats.
What Australian Businesses Should Do Now
These recommendations come directly from the government advisories cited above. They are not theoretical — they address the specific techniques that have been documented in real incidents.
1. Review Your Incident Response Plan
If your organisation has an incident response plan, now is the time to review it. Key questions to ask:
- Do you have current contact details for your IT security provider or incident response team?
- Do your staff know the procedure for reporting a suspected compromise?
- Have you tested the plan in the last 12 months?
If you don't have an incident response plan, the ASD ACSC provides a framework for creating one through its Essential Eight guidance [6].
2. Audit Your MFA Configuration
Not all MFA is equal. The advisories specifically warn about MFA fatigue attacks targeting push-based notifications [3]. Review whether your organisation uses:
- Phishing-resistant MFA (hardware keys, FIDO2) — recommended by all cited advisories.
- Push-based MFA — vulnerable to fatigue attacks. Consider adding number matching or switching to FIDO2.
- SMS-based MFA — better than nothing, but vulnerable to SIM-swapping.
3. Check for Internet-Facing Assets With Default Credentials
This is the single most common entry vector documented across the advisories. Use your asset management tools or a simple network scan to identify:
- Any devices accessible from the internet (routers, IoT, PLCs, NAS devices, cameras).
- Whether those devices are running manufacturer default passwords.
- Whether they are running the latest firmware [1], [4].
4. Patch Known Vulnerabilities
The advisories consistently reference exploitation of known CVEs — not zero-days. This means patching known vulnerabilities closes the most commonly exploited entry points. Prioritise:
- VPN gateways and remote access infrastructure.
- Email systems (Microsoft 365, Exchange).
- Network edge devices (firewalls, SD-WAN controllers) [3], [5].
5. Monitor for Unusual Authentication Activity
The documented TTPs include brute force and password spraying [3]. Review your authentication logs for:
- High volumes of failed login attempts.
- Login attempts from unusual geographic locations.
- Successful logins followed by unusual behaviour (new mail forwarding rules, data exfiltration patterns).
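The review above can be turned into a repeatable check. The script below is an added example (not from the advisories or from lilMONSTER) that runs the four patterns named in this section over a handful of constructed authentication log lines: password spraying from one source across many accounts, brute force against one account, MFA push fatigue, and a successful login that comes from an unexpected country or is followed by a new external forwarding rule. The key=value log layout, the field names, the thresholds and the home-country list are all assumptions; swap in your identity provider's export format and tune the numbers to your own baseline.

```python
"""Flag the authentication patterns the advisories describe: password spraying,
brute force against one account, MFA fatigue, and a successful login that is
followed by an external forwarding rule or comes from an unexpected country.

Added example; the log lines and their key=value layout are constructed and
are not any real product's format. Adapt parse_line() to your own source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable assumptions: a short window and small counts keep the demo readable.
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILURES = 4       # failures for one account inside WINDOW
SPRAY_DISTINCT_USERS = 4       # distinct accounts failing from one source IP
MFA_FATIGUE_PROMPTS = 3        # denied/expired push prompts for one account
POST_LOGIN_WINDOW = timedelta(minutes=30)
HOME_COUNTRIES = {"AU"}        # where this organisation's staff normally sign in

# Constructed sample log (documentation IP ranges; "XX" stands in for any
# country outside the organisation's footprint).
SAMPLE_LOG = """\
2026-03-01T09:00:00Z user=alice src=203.0.113.10 country=AU event=login result=success
2026-03-01T09:01:00Z user=bob src=198.51.100.7 country=XX event=login result=failure
2026-03-01T09:01:02Z user=carol src=198.51.100.7 country=XX event=login result=failure
2026-03-01T09:01:04Z user=dave src=198.51.100.7 country=XX event=login result=failure
2026-03-01T09:01:06Z user=erin src=198.51.100.7 country=XX event=login result=failure
2026-03-01T09:05:00Z user=grace src=192.0.2.44 country=XX event=login result=failure
2026-03-01T09:05:10Z user=grace src=192.0.2.44 country=XX event=login result=failure
2026-03-01T09:05:20Z user=grace src=192.0.2.44 country=XX event=login result=failure
2026-03-01T09:05:30Z user=grace src=192.0.2.44 country=XX event=login result=failure
2026-03-01T09:06:00Z user=grace src=192.0.2.44 country=XX event=login result=success
2026-03-01T09:06:30Z user=grace src=192.0.2.44 country=XX event=inbox_rule action=forward_external
2026-03-01T10:00:00Z user=heidi src=203.0.113.55 country=AU event=mfa_push result=denied
2026-03-01T10:00:20Z user=heidi src=203.0.113.55 country=AU event=mfa_push result=timeout
2026-03-01T10:00:40Z user=heidi src=203.0.113.55 country=AU event=mfa_push result=denied
2026-03-01T10:01:00Z user=heidi src=203.0.113.55 country=AU event=mfa_push result=approved
2026-03-01T11:00:00Z user=ivan src=203.0.113.90 country=AU event=login result=failure
"""


def parse_line(line):
    """Turn 'ISO-timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def _burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside one `window` span."""
    recent = deque()
    for t in sorted(times):
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return True
    return False


def analyse(events):
    """Return sorted (finding, subject) pairs for the patterns above."""
    events = sorted(events, key=lambda e: e["ts"])
    failures_by_user = defaultdict(list)
    failures_by_src = defaultdict(list)      # (ts, user) per source IP
    mfa_pushes_by_user = defaultdict(list)
    last_success = {}
    findings = set()

    for e in events:
        kind, result = e["event"], e.get("result")
        if kind == "login" and result == "failure":
            failures_by_user[e["user"]].append(e["ts"])
            failures_by_src[e["src"]].append((e["ts"], e["user"]))
        elif kind == "login" and result == "success":
            last_success[e["user"]] = e["ts"]
            if e["country"] not in HOME_COUNTRIES:
                findings.add(("unusual_geo_success", e["user"]))
        elif kind == "mfa_push" and result in ("denied", "timeout"):
            mfa_pushes_by_user[e["user"]].append(e["ts"])
        elif kind == "inbox_rule" and e.get("action") == "forward_external":
            # An external forwarding rule soon after a sign-in is the kind of
            # post-login behaviour worth reviewing even though the login succeeded.
            seen = last_success.get(e["user"])
            if seen is not None and e["ts"] - seen <= POST_LOGIN_WINDOW:
                findings.add(("success_then_forwarding_rule", e["user"]))

    for user, times in failures_by_user.items():
        if _burst(times, BRUTE_FORCE_FAILURES, WINDOW):
            findings.add(("brute_force", user))
    for user, times in mfa_pushes_by_user.items():
        if _burst(times, MFA_FATIGUE_PROMPTS, WINDOW):
            findings.add(("mfa_fatigue", user))
    # Spraying: few attempts per account, many accounts from the same source.
    for src, attempts in failures_by_src.items():
        recent = deque()
        for ts, user in attempts:
            recent.append((ts, user))
            while ts - recent[0][0] > WINDOW:
                recent.popleft()
            if len({u for _, u in recent}) >= SPRAY_DISTINCT_USERS:
                findings.add(("password_spray", src))
                break
    return sorted(findings)


def analyse_text(log_text):
    """Convenience wrapper: parse a block of log lines and analyse them."""
    return analyse([parse_line(l) for l in log_text.splitlines() if l.strip()])


if __name__ == "__main__":
    for finding, subject in analyse_text(SAMPLE_LOG):
        print(f"{finding:30} {subject}")
```

Run against the constructed log it reports the spraying source, the brute-forced and forwarding-rule account, the account receiving repeated push prompts, and the success from outside the home country, while the single failed login for ivan and the normal Australian success for alice stay quiet. The sliding windows matter: counting failures over a whole day would flag ordinary mistyped passwords, and counting distinct accounts per source without a window would flag a shared office NAT.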
How This Applies to Small and Medium Businesses
SMBs are disproportionately affected during periods of elevated cyber risk. According to the CISA advisories, state-affiliated actors frequently use automated scanning to find vulnerable systems at scale — they don't manually select targets [1]. An unpatched VPN gateway at a 20-person accounting firm is as discoverable as one at a multinational.
The good news: the mitigations are the same regardless of your organisation's size. Strong passwords, current patches, phishing-resistant MFA, and a reviewed incident response plan address the specific techniques documented in these advisories.
Cybersecurity readiness isn't about reacting to headlines — it's about maintaining the fundamentals that protect your business regardless of what's happening geopolitically. Organisations that keep their systems patched, their credentials strong, and their response plans current are well-positioned to weather any escalation.
FAQ
Yes. Australia's ASD ACSC has co-authored multiple joint advisories with Five Eyes partners specifically addressing state-affiliated cyber threats [1], [3], [5]. These advisories apply to Australian organisations across all sectors. The ASD ACSC has also independently warned about covert agents operating within Australia [7].
The documented advisories specifically name healthcare, government, energy, IT, engineering, and water/wastewater sectors [3], [4]. However, the opportunistic nature of the documented attack techniques means that any organisation with internet-facing vulnerabilities is a potential target [1].
Push-based MFA is better than no MFA, but it is vulnerable to MFA fatigue attacks — a technique specifically documented in CISA Advisory AA24-290A [3]. Government advisories recommend phishing-resistant MFA such as FIDO2 hardware keys as the preferred approach.
The Essential Eight is a set of baseline cybersecurity mitigation strategies published by Australia's ASD ACSC. It covers application control, patching, MFA, restricting admin privileges, and other fundamentals. It is the recommended starting framework for Australian organisations building their cybersecurity posture [6].
Report cyber incidents to the ASD ACSC at https://www.cyber.gov.au/report-and-recover/report or by calling 1300 CYBER1 (1300 292 371).
References
[1] CISA, FBI, DC3, NSA, "Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest," CISA, Jun. 30, 2025. [Online]. Available: https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-and-partners-urge-critical-infrastructure-stay-vigilant-current-geopolitical-environment
[2] FinancialContent, "Cyber Risk Is Now Brand Risk: What Australian Leaders Need to Know," FinancialContent/BusinessNewsWire, Feb. 26, 2026. [Online]. Available: https://markets.financialcontent.com/stocks/article/businesnewswire-2026-2-26-cyber-ri[API-KEY-REDACTED]
[3] FBI, CISA, NSA, CSE, AFP, ASD ACSC, "Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations," CISA Advisory AA24-290A, Oct. 16, 2024. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a
[4] CISA, FBI, NSA, EPA, INCD, "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities," CISA Advisory AA23-335A, Dec. 1, 2023. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
[5] NSA, ASD ACSC, CISA, "Cybersecurity Alert and Hunt Guide on Cisco SD-WAN Exploitation," NSA, Feb. 25, 2026. [Online]. Available: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4416296/
[6] ASD ACSC, "Essential Eight Maturity Model," Australian Signals Directorate, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
[7] Daily Mail Australia, "Aussies warned about Iranian covert agents operating in Australia," Daily Mail, Feb. 25, 2026. [Online]. Available: https://www.dailymail.co.uk/news/article-15586223/Iran-spies-Australia.html
[8] FBI, IC3, "Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest — Full Fact Sheet," IC3/FBI, Jun. 30, 2025. [Online]. Available: https://www.ic3.gov/CSA/2025/250630.pdf
TL;DR
- When countries have conflicts, hackers connected to those countries sometimes try to break into businesses — even ones that have nothing to do with the conflict.
- They don't pick targets carefully. They scan the internet for easy-to-break-into systems — like doors left unlocked.
- Government security agencies publish free guides telling businesses exactly what to check. Most of the fixes are simple.
- The best protection is the basics: strong passwords, software updates, and knowing who to call if something goes wrong.
Why Would Anyone Hack My Business Over a War?
Think of it like this: imagine there's a big storm coming. The storm isn't aimed at your house specifically, but if you left your windows open, rain's getting in.
That's how this works. When there's a conflict between countries, some hackers connected to those countries run automated programs that scan millions of computers looking for easy targets. They're not picking your business on purpose — they're looking for anyone who left a "window open." That might be an old password that was never changed, software that wasn't updated, or a device connected to the internet that shouldn't be [1].
What Do They Actually Do?
Government security agencies have documented exactly what these attackers do [3]:
- Try lots of passwords really fast — like someone trying every combination on a lock. This works when passwords are simple or common.
- Send you tons of "approve this login" notifications — hoping you'll get annoyed and tap "yes" just to make it stop.
- Look for devices with factory-default passwords — things like routers, cameras, or industrial equipment where nobody ever changed the password from "admin/admin" [4].
What Should You Do?
The Australian Signals Directorate (ASD) — the government agency responsible for cybersecurity — has published straightforward guidance called the Essential Eight [6]. Here's the simplified version:
- Update your software. When your computer says "update available," do it. Those updates fix the exact holes hackers look for.
- Use strong, unique passwords. A password manager makes this easy.
- Turn on two-factor authentication. The kind where you use a physical key or type in a code is better than the kind that sends push notifications to your phone [3].
- Check what's connected to the internet. If you have devices like routers, cameras, or NAS drives accessible from outside your network, make sure they're updated and don't use default passwords [4].
- Know who to call. If something looks wrong, do you know who to contact? Write that number down before you need it.
Where to Get Help
- Report incidents: https://www.cyber.gov.au/report-and-recover/report or call 1300 CYBER1
- Essential Eight guide: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
FAQ
Q: What is the main security concern covered in this post? A:
Q: Who is affected by this? A:
Q: What should I do right now? A:
Q: Is there a workaround if I can't patch immediately? A:
Q: Where can I learn more? A:
References
[1] CISA, FBI, DC3, NSA, "Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest," CISA, Jun. 30, 2025. [Online]. Available: https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-and-partners-urge-critical-infrastructure-stay-vigilant-current-geopolitical-environment
[3] FBI, CISA, NSA, CSE, AFP, ASD ACSC, "Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations," CISA Advisory AA24-290A, Oct. 16, 2024. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a
[4] CISA, FBI, NSA, EPA, INCD, "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors," CISA Advisory AA23-335A, Dec. 1, 2023. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
[6] ASD ACSC, "Essential Eight Maturity Model," Australian Signals Directorate, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight