Australian Weekly Threat Briefing: Defence Supply Chain Breached & SaaS Under Siege

Executive Summary

This week has seen a significant escalation in cyber activity targeting Australian critical infrastructure and supply chains. The most alarming development is a confirmed breach of a major Defence contractor, potentially exposing sensitive naval data. Simultaneously, a sophisticated campaign by the "Scattered Lapsus$ Hunters" group is aggressively targeting SaaS platforms, with Qantas and Zendesk users in the crosshairs.

As we approach the holiday season, a new report warns that ransomware operators are leveraging Generative AI to time attacks for weekends and public holidays, specifically targeting periods of reduced staffing in Security Operations Centres (SOCs).

Sector Updates

Government & Defence

  • IKAD Engineering Breach: In a concerning development for national security, Australian engineering firm IKAD Engineering has been listed by threat actors claiming to have stolen a "treasure trove" of sensitive data related to the Hunter and Collins class submarine programs. The attackers allege they maintained access to the network for five months, highlighting a critical dwell-time failure in the defence supply chain.
  • ASD Annual Threat Report: The Australian Signals Directorate (ASD) released its Annual Cyber Threat Report for 2024-25, emphasising that state-sponsored actors are relentlessly targeting Australian networks to steal intellectual property and pre-position for disruptive effects.

Aviation & Travel

  • Qantas Data Dump: Following a breach detected earlier this year, the "Scattered Lapsus$ Hunters" group has followed through on its extortion threats. After the ransom deadline passed this week, the group leaked the personal records of approximately 5 million Qantas customers on the dark web. The dump includes names, emails, frequent flyer numbers, and phone numbers, though no financial or passport data has been found in the leak so far.

SaaS & Technology

  • Zendesk Targeted: The same threat group behind the Qantas extortion, Scattered Lapsus$ Hunters, has launched a new campaign targeting users of the customer support platform Zendesk. Intelligence indicates the group is using typosquatted domains (e.g., znedesk.com) and fake Single Sign-On (SSO) portals to harvest credentials and inject malicious tickets into helpdesk queues, attempting to infect support staff with Remote Access Trojans (RATs).
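As an added illustration (not code from the briefing or from Zendesk), the following Python scores proxy-log destinations against a protected brand domain using optimal string alignment distance, so a transposition such as znedesk.com is flagged as a typosquat and a look-alike hostname carrying the brand name (the fake SSO portal pattern) is flagged separately; the log lines and hostnames are constructed, and the log format is assumed.

```python
import re
from urllib.parse import urlparse
# Brand domains to protect; zendesk.com is the one named in the briefing.
PROTECTED = ["zendesk.com"]

# Constructed sample proxy log lines (not real traffic); hostnames are made up.
SAMPLE_LOGS = """\
2025-11-03T09:12:44Z user=alice dst=https://zendesk.com/agent/tickets
2025-11-03T09:13:02Z user=bob dst=https://znedesk.com/sso/login
2025-11-03T09:14:10Z user=carol dst=https://zendesk-sso-portal.example/login
2025-11-03T09:15:31Z user=dave dst=https://intranet.example/home
"""

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed pair
    return d[len(a)][len(b)]

def classify(host: str, max_edits: int = 2) -> str:
    """Return 'legit', 'typosquat', 'brand-embedded' or 'unrelated'."""
    for brand in PROTECTED:
        if host == brand or host.endswith("." + brand):
            return "legit"
        if osa_distance(host, brand) <= max_edits:
            return "typosquat"       # e.g. znedesk.com (one adjacent swap)
        if brand.split(".")[0] in host:
            return "brand-embedded"  # e.g. a fake SSO portal carrying the brand name
    return "unrelated"

def scan_logs(text: str) -> list[tuple[str, str, str]]:
    """Return (user, host, verdict) for each log line with a suspicious destination."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"user=(\S+) dst=(\S+)", line)
        if m:
            host = urlparse(m.group(2)).hostname or ""
            verdict = classify(host)
            if verdict in ("typosquat", "brand-embedded"):
                hits.append((m.group(1), host, verdict))
    return hits
```

Run `scan_logs(SAMPLE_LOGS)` to get the two flagged destinations; in practice the hits would feed a SIEM alert and a block-list for the web proxy.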

Healthcare

  • Local Medical Breaches: Two incidents highlighted the vulnerability of smaller healthcare providers this week. Point Lonsdale Medical Group in Victoria disclosed a cyber attack exposing personal patient information. Similarly, the Sydney Centre for Ear, Nose & Throat (SCENT) warned patients of a compromised email account, risking the leak of sensitive medical correspondence.
  • New Healthcare ISAC: On a positive note, the federal government has awarded a grant to CI-ISAC Australia to establish a dedicated information-sharing centre for the healthcare sector, aiming to improve resilience against these very types of attacks.

Vulnerability Watch

  • Microsoft WSUS RCE (CVE-2025-59287): A critical Remote Code Execution vulnerability in Windows Server Update Services (WSUS) is being actively exploited in the wild.
    • Severity: Critical (CVSS 9.8).
    • Risk: Unauthenticated attackers can execute arbitrary code with SYSTEM privileges.
    • Action: Ensure the out-of-band security update from October is applied immediately. If patching is not possible, restrict access to WSUS ports (8530/8531) to trusted management hosts only.

Emerging Tactics

  • AI-Driven Timing: SecurityBrief Australia reports that ransomware groups are increasingly using GenAI tools to profile organisational staffing rosters. These tools help attackers launch campaigns precisely when security teams are understaffed, such as weekends and the upcoming holiday break.

Recommendation

Organisations should urgently review their third-party risk management frameworks, particularly regarding software supply chains (like Zendesk) and defence contractors. Additionally, ensure all WSUS servers are patched or isolated immediately.

Contact us for a quote for penetration testing service or adversary simulation.