TL;DR

Nation-state hackers are not coming for your invoice spreadsheet. They are coming for the vendor portal you use, the SaaS tool your team logs into, and the router sitting in your comms cupboard that hasn't seen a firmware update since 2022. Three APT groups active right now, Scattered Lapsus$ Hunters, Volt Typhoon, and Salt Typhoon, have turned supply-chain compromise into their primary playbook. Your small business is not the target. It's the ladder rung. Here's what that means and three things you can do about it this week.

The Threat Landscape SMBs Actually Need to Care About

Small business owners in Australia hear "APT" and tune out. Nation-state hackers. Spy agencies. That's for banks, Defence, and ASX200 companies. Not for a plumbing business in Geelong or a bookkeeping firm in Parramatta.

That logic was reasonable in 2019. It is dangerous in 2026.

The three most active threat groups right now don't breach your business because they want your data. They breach it because you have a relationship with someone they do want. You're the vendor with API access to a hospital's procurement system. You're the accountant with delegated mailbox permissions at a mid-tier law firm. You're the IT contractor with RMM tools installed across 14 client networks.

Here are the groups running this playbook right now and which one should keep you up at night.

Scattered Lapsus$ Hunters: The Supergroup That Broke Salesforce

In 2025, three of the most destructive cybercrime groups on earth, Scattered Spider, Lapsus$, and ShinyHunters, merged into a single entity calling itself Scattered Lapsus$ Hunters. Their first joint operation compromised an estimated 1.5 billion records from Salesforce customer environments, not by breaching Salesforce itself, but by compromising a third-party integration called Salesloft Drift. OAuth tokens stolen from that integration gave them access to 39 major organisations' Salesforce instances.

The technique matters. Scattered Spider brings expertise in help-desk social engineering, convincing IT support staff to reset MFA for accounts the attackers already control. Lapsus$ brings the insider-recruitment playbook: paying employees for credentials and VPN access. ShinyHunters brings industrial-scale data harvesting and extortion. Combined, they have built an extortion portal on the dark web where victim companies are listed with data samples and ransom deadlines.

For an SMB, the risk is straightforward. If your company uses any SaaS platform with third-party integrations, you inherit the security posture of every vendor in that chain. The Salesloft Drift compromise didn't require anyone to click a phishing link. It required one integration to be vulnerable.

Volt Typhoon: Living Off Your Land

Volt Typhoon is a Chinese state-sponsored group that CISA has confirmed maintains persistent access inside US critical infrastructure networks, including telecommunications, energy, and water utilities. Their signature technique is "living off the land" (LOTL): they use your own Windows tools (PowerShell, WMIC, and other native OS binaries) to move through networks, because those tools don't trigger antivirus alerts.

Volt Typhoon targets network devices that sit below the EDR layer: edge routers, VPN concentrators, and unpatched Cisco appliances. Once inside, they extract Active Directory databases, dump credentials, and establish firmware-level persistence that survives OS reinstalls. CISA's advisory explicitly states that eviction from compromised networks has proven extremely difficult, with some dwell times measured in years.

The SMB angle? If you provide managed services to a larger organisation, your RMM agent, your remote-access tool, or your VPN concentrator is the bridge Volt Typhoon uses to cross from your network into your client's. They don't need to breach the target directly. They breach the path of least resistance: you.

Salt Typhoon: The Telecom Heist Goes Global

Salt Typhoon, attributed to China's Ministry of State Security, spent 2025 and early 2026 expanding from US telecom carriers into carriers across the UK, Australia, and Canada. Their playbook targets Cisco IOS XE edge devices, implants custom firmware backdoors, and harvests call-detail records and signalling metadata by abusing lawful-intercept interfaces built into carrier equipment. Once embedded in a telecom provider's infrastructure, their presence is invisible to endpoint detection tools because it operates at the network-device firmware layer.

For an SMB, the direct threat is limited unless you run carrier-grade network infrastructure. The indirect threat is not: every business phone call, every SMS-based MFA code, every VoIP conversation routed through a compromised carrier is potentially exposed. The ACSC has issued no public statement confirming Australian carrier compromise as of May 2026, but Salt Typhoon's methodical geographic expansion pattern means Australian network operators should assume targeting is active.

Three Detections You Can Set Up This Week

Most SMBs don't have a SOC. Most don't have a SIEM. Here are three things you can implement with tools you already have or can get free.

1. Monitor for new OAuth application grants in Microsoft 365. Scattered Lapsus$ Hunters and APT28 both steal OAuth tokens and register malicious applications that persist even after password resets. In the Azure AD / Entra ID portal, enable alerting for any new application consent grant. If a user grants "Mail.Read" to an app called "SalesforceIntegrationHelper" and nobody in IT approved it, you have an incident. This takes 15 minutes to configure and costs nothing.

2. Block outbound RDP, SSH, and SMB from workstations at the firewall level. Volt Typhoon and Salt Typhoon both use lateral-movement techniques that require outbound connections on ports 3389, 22, and 445. Your workstations have no legitimate reason to initiate RDP connections to the internet. Block those ports outbound. If your firewall can't do it, Windows Firewall can. Group Policy it. This single rule breaks multiple stages of the kill chain.

3. Inventory your edge devices and check for end-of-life firmware. Salt Typhoon specifically targets Cisco IOS XE, Fortinet FortiOS, and Ivanti Connect Secure appliances that are unpatched or end-of-life. Make a list of every device that faces the internet: routers, VPN gateways, NAS devices, IP cameras, building-management controllers. For each one, check the vendor's security advisory page for CVEs disclosed in the last 12 months. If the device is end-of-life and the vendor no longer ships firmware updates, replace it. If it's supported but unpatched, patch it this week. The average time from CVE publication to active exploitation in 2025 was under five days. You don't have a monthly patch cycle. You have a window measured in hours.
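Detection 1 can also be run as a script over an exported audit log instead of (or alongside) portal alerting, which helps when you want to review a week of grants at once or feed them into a ticketing tool. The script below is an added example written for this post; it is not the author's tooling and not a Microsoft sample. It assumes the export layout of Unified Audit Log records (a row per event whose `AuditData` field is a JSON string, the `Consent to application.` operation, and the `ConsentContext.IsAdminConsent` / `ConsentAction.Permissions` modified properties); that field layout is an assumption here, and every sample record, user, app name and client id is constructed. The `APPROVED_APP_IDS` allowlist stands in for the list of apps your IT function has actually signed off on.

```python
"""Triage OAuth app consent grants from a Microsoft 365 Unified Audit Log export.

Added example, not the post author's tooling.  Record layout (AuditData JSON
string, "Consent to application." operation, ConsentContext.IsAdminConsent and
ConsentAction.Permissions modified properties) is an assumption; all sample
records and ids are constructed.
"""
import json
import re
from dataclasses import dataclass

# Client ids of apps IT has knowingly approved (constructed placeholder ids).
APPROVED_APP_IDS = {
    "11111111-1111-1111-1111-111111111111": "Accounting connector",
}

# Scopes that give an app standing access to mail or files.  offline_access is
# included because it yields refresh tokens, so access outlives the login.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "offline_access",
}


def _audit(operation, user, app_name, client_id, scope, admin="False"):
    """Build one constructed audit record in the assumed export layout."""
    perms = (f"[] => [[Id: grant-{client_id[:8]}, ClientId: {client_id}, "
             f"ConsentType: Principal, Scope: {scope}]]")
    return {"Operations": operation, "UserIds": user, "AuditData": json.dumps({
        "Operation": operation, "UserId": user, "ObjectId": app_name,
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": admin},
            {"Name": "ConsentAction.Permissions", "NewValue": perms},
        ]})}


# Constructed sample export: an approved app, the scenario from the post, a
# low-privilege unapproved app, and an unrelated sign-in event.
SAMPLE_EXPORT = [
    _audit("Consent to application.", "jane@example.com.au", "Accounting connector",
           "11111111-1111-1111-1111-111111111111", "User.Read offline_access"),
    _audit("Consent to application.", "sam@example.com.au", "SalesforceIntegrationHelper",
           "22222222-2222-2222-2222-222222222222", "Mail.Read offline_access User.Read"),
    _audit("Consent to application.", "lee@example.com.au", "Zoom Scheduler Lite",
           "33333333-3333-3333-3333-333333333333", "User.Read"),
    {"Operations": "UserLoggedIn", "UserIds": "jane@example.com.au",
     "AuditData": json.dumps({"Operation": "UserLoggedIn", "UserId": "jane@example.com.au"})},
]


@dataclass
class ConsentEvent:
    user: str
    app_name: str
    client_id: str
    scopes: frozenset
    admin_consent: bool


def _field(blob, name):
    """Pull 'Name: value' out of the ConsentAction.Permissions string."""
    m = re.search(rf"\b{name}: ([^,\]]+)", blob)
    return m.group(1).strip() if m else ""


def parse_consent_events(export):
    """Yield a ConsentEvent for each 'Consent to application.' record; skip the rest."""
    for record in export:
        data = json.loads(record["AuditData"])
        if data.get("Operation") != "Consent to application.":
            continue
        props = {p["Name"]: p.get("NewValue", "") for p in data.get("ModifiedProperties", [])}
        perms = props.get("ConsentAction.Permissions", "")
        yield ConsentEvent(
            user=data.get("UserId", ""),
            app_name=data.get("ObjectId", ""),
            client_id=_field(perms, "ClientId"),
            scopes=frozenset(_field(perms, "Scope").split()),
            admin_consent=props.get("ConsentContext.IsAdminConsent", "").lower() == "true",
        )


def triage(export):
    """Return the grants that need a ticket: any app not on the approved list.

    Severity is 'high' when the grant includes standing mail/file access.
    """
    findings = []
    for ev in parse_consent_events(export):
        if ev.client_id in APPROVED_APP_IDS:
            continue
        risky = sorted(ev.scopes & HIGH_RISK_SCOPES)
        findings.append({
            "user": ev.user, "app": ev.app_name, "client_id": ev.client_id,
            "risky_scopes": risky,
            "severity": "high" if risky else "medium",
            # User consent means one employee, not IT, approved the app.
            "consent": "admin" if ev.admin_consent else "user",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"[{f['severity'].upper()}] {f['user']} granted {f['app']} "
              f"({f['client_id']}) via {f['consent']} consent; risky scopes: "
              f"{', '.join(f['risky_scopes']) or 'none'}")
```

Against the constructed sample this produces two findings: a high-severity one for `SalesforceIntegrationHelper` (Mail.Read plus offline_access, granted by a user rather than an admin) and a medium one for the unapproved but low-privilege app; the approved connector and the sign-in event are ignored. To use it on real data, replace `SAMPLE_EXPORT` with the rows returned by the `Search-UnifiedAuditLog` cmdlet (ExchangeOnlineManagement module) filtered to the consent operation, and keep `APPROVED_APP_IDS` in step with whatever your IT approval process actually signs off, since that allowlist is what turns "an app was consented" into "an app nobody approved was consented".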

FAQ

Q: I run a 12-person business. Are APT groups really a threat to me?

Directly, no. As a stepping stone to your clients, suppliers, or the SaaS platforms you use, yes. If you have a VPN connection to a client network, a delegated OAuth permission in their Microsoft 365 tenant, or an RMM agent on their servers, your security posture is their security posture. APT groups actively enumerate these relationships.

Q: What's the cheapest way to get started with threat detection?

Enable the Microsoft 365 Unified Audit Log; if you have Business Premium licensing, it's included. Configure alerting for impossible-travel logins, MFA changes, and new application consent grants. Total cost: $0. Time: under an hour.

Q: Should I buy cyber insurance?

Yes, but know what it covers. Most SMB cyber insurance policies exclude nation-state-attributed incidents unless physical damage occurs. Supply-chain compromise where you are the vector into a larger organisation's network may fall into a grey area. Read your policy. Ask your broker specifically about third-party liability arising from supply-chain compromise.

Conclusion

The 2026 APT landscape is not about attackers who target you. It's about attackers who use you. Scattered Lapsus$ Hunters exploit the trust relationships in your SaaS stack. Volt Typhoon exploits your network devices. Salt Typhoon exploits the carriers your business runs on. None of them wake up thinking about your company. All of them will compromise it if it gets them to their actual target.

Start with the three detections above. They close the most common initial-access and lateral-movement paths these groups rely on. Then map your digital supply chain: every vendor with API access, every client with a VPN tunnel, every SaaS integration with OAuth permissions. You cannot defend what you have not mapped.

If you're not sure where to start, we'll map it with you. Visit consult.lil.business for a free cybersecurity assessment for your Australian small business.

References

  1. CISA Advisory AA24-038A: Volt Typhoon TTPs and Persistent Access
  2. Splunk Research: Scattered Lapsus$ Hunters Analytics Story
  3. Picus Security: Scattered Lapsus$ Hunters — 2025's Most Dangerous Cybercrime Supergroup
  4. Vectra AI: Salt Typhoon Threat Briefing — TTPs and Detection
  5. ACSC Essential Eight Maturity Model

TL;DR

  • A company that makes hospital equipment had 200,000 computers wiped clean in one attack
  • The bad guys used "wiper malware"—like pouring bleach on your homework instead of locking it in a box
  • Unlike regular ransomware, this data can't be recovered even if you pay
  • The company will take weeks or months to recover

What Is Wiper Malware? (Think About Your Homework)

Imagine two ways someone could mess with your homework:

Ransomware is like a bully locking your homework in a box and saying, "Give me your lunch money and I'll give you the key." You can't read your homework, but it's still there—you just need to get it back.

Wiper malware is like someone pouring bleach on your homework. It's gone forever. No key, no money, no nothing. You have to redo the whole thing from scratch.

The attack on Stryker Corporation was the bleach kind [1]. A company that makes hospital equipment—like surgical tools and hospital beds—had every single computer, phone, and tablet wiped clean [2]. We're talking 200,000 devices [3]. Imagine if your family's phones, tablets, and computers all went blank at the same time. Now imagine that happening to a whole company with 56,000 employees [4].

Why Didn't They Just Pay to Get Their Data Back?

Here's the scary part: wiper malware attacks don't ask for money. The bad guys aren't trying to get rich—they're trying to break things [5].

In this case, a group called Handala claimed they did it because they were mad about a political conflict happening on the other side of the world [6]. Stryker—a company that helps hospitals—just happened to be a big, important target that would get attention [7].

This is different from most cyberattacks you hear about, where criminals want money. These attackers wanted to cause damage and make headlines [8].

How Long Does It Take to Recover from This?

Think about the last time your computer crashed and you had to restart it. Now imagine every computer at your school had to be completely rebuilt from scratch—that means reinstalling every program, copying every file from backups, and setting everything up again [9].

For Stryker, this will take weeks or months [10]. Thousands of employees can't do their jobs. Factories are stopped. Research is paused. It's like every office in every country closed at once [11].

What Your Parents' Business Can Do to Stay Safe

You can't stop every bad guy, but you can make it much harder for them to cause this much damage. Here's what every business needs:

1. Have Good Backups (Like a Spare Copy of Your Homework)

If your homework gets bleach poured on it, you better have a spare copy. Businesses need backups that are kept separate from their main computers—like keeping a spare house key at a friend's house, not under your doormat [12].

2. Don't Connect Everything to One Network

The reason Stryker lost 200,000 devices at once is that they were all connected through the same system. It's like having all your Christmas lights plugged into one outlet—if one goes bad, they all go out [13]. Smart businesses keep important systems separate so problems can't spread everywhere.

3. Have a Plan for When Things Go Wrong

Your family probably has a plan for what to do if the power goes out. Businesses need the same thing for cyberattacks. What will you do if your computers stop working for a week? Can you still answer phones? Can you take orders on paper? [14]

FAQ

Yes. Any business or person with a computer could be targeted. That's why it's so important to have good backups and security habits, like not clicking on strange links or downloading files from people you don't know [15].

Sometimes attackers target big companies to get attention or make a political point. It's not fair to the people who work there or the hospitals that need the equipment, but that's the world we live in now [16].

In some ways, yes. With ransomware, you might be able to pay to get your files back. With wiper malware, your files are just gone forever. You have to start over completely [17].

If you use a computer for school or at home, follow good security habits: use strong passwords, don't click on weird links, and tell your parents or teacher if something looks wrong. Businesses are just like families—they need everyone to help stay safe [18].

References

[1] International Business Times AU, "What is Stryker Cyberattack? Stryker Corporation Hit by Suspected Iran-Linked Cyberattack," International Business Times Australia, March 11, 2026. [Online]. Available: https://www.ibtimes.com.au/what-stryker-cyberattack-stryker-corporation-hit-suspected-iran-linked-cyberattack-1863111

[2] Ibid.

[3] Ibid.

[4] Ibid.

[5] CISA, "Understanding Ransomware," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/stopransomware/understanding-ransomware

[6] International Business Times AU, "What is Stryker Cyberattack?" 2026.

[7] Industrial Cyber, "Cyber retaliation surges after US–Israel strikes on Iran as hacktivists hit governments, defense, critical sectors," Industrial Cyber, March 10, 2026. [Online]. Available: https://industrialcyber.co/reports/cyber-retaliation-surges-after-us-israel-strikes-on-iran-as-hacktivists-hit-governments-defense-critical-sectors/

[8] Flashpoint, "Navigating 2026's Converged Threats: Insights from Flashpoint's Global Threat Intelligence Report," Flashpoint, March 11, 2026. [Online]. Available: https://flashpoint.io/blog/global-threat-intelligence-report-2026/

[9] International Business Times AU, "What is Stryker Cyberattack?" 2026.

[10] Ibid.

[11] Ibid.

[12] Veeam, "2025 Data Protection Report," Veeam, 2025. [Online]. Available: https://www.veeam.com/data-protection-report

[13] CISA, "Network Segmentation," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/news-events/news/understanding-and-addressing-network-segmentation

[14] NIST, "Computer Security Incident Handling Guide (SP 800-61 Rev. 2)," National Institute of Standards and Technology, 2025. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

[15] Flashpoint, "Navigating 2026's Converged Threats," 2026.

[16] International Business Times AU, "What is Stryker Cyberattack?" 2026.

[17] CISA, "Understanding Ransomware," 2025.

[18] Flashpoint, "Navigating 2026's Converged Threats," 2026.

Want to make sure your business is ready for anything? Book a free cybersecurity consultation at consult.lil.business—we'll help you protect what you've built.