Weekly Threat Briefing: Australia's Cyber Landscape (2–8 February 2026)

Executive Summary

The first week of February 2026 has seen a distinct escalation in targeted campaigns against Australian critical infrastructure and services. This week’s intelligence highlights a sophisticated pivot by threat actors towards human-led attacks on identity systems (SSO) and a resurgence of high-impact ransomware claims in the healthcare sector. Furthermore, critical vulnerabilities in widely used SaaS and collaboration tools demand immediate attention from security teams across the region.

Here is your deep dive into the threats impacting Australian organisations over the last 7 days.

Sector Spotlight

Healthcare: Ransomware Resurgence

The Australian healthcare sector remains in the crosshairs. On 5 February 2026, the Epworth HealthCare group was listed as a victim by the emerging 0APT ransomware gang, which claims to have exfiltrated 920GB of sensitive data, including surgical records and billing details. Epworth has stated there is currently "no verified evidence" of a breach, and a leak-site listing is not proof of compromise: treat the claim as unverified until the group publishes samples or the victim confirms it. Whether or not the data is real, the incident illustrates the pressure tactics adversaries use to force negotiations. It follows the MediSecure incident and reinforces the need for robust segregation of clinical and billing data in medical environments.

Government & Education: Data Privacy Fallout

Public sector transparency is being tested this week. Fairfield City Council (NSW) formally published a data breach notification on 5 February 2026 regarding a cyber incident that occurred in late 2025. The investigation confirmed that unauthorised access led to the exposure of staff and resident information.

Simultaneously, the Victorian Department of Education is managing the aftermath of a major breach confirmed in January 2026, which impacted 1,700 schools. The sheer scale of these incidents highlights the "long-tail" effect of breaches in the public sector, where notification and remediation often lag behind the initial compromise.

SaaS & Cloud: Identity Under Siege

A threat cluster dubbed "SLSH" (combining tactics associated with Scattered Spider, LAPSUS$, and ShinyHunters) has been observed targeting high-value enterprises, including Australian FinTechs. Their modus operandi is human-led voice phishing (vishing) of IT helpdesks. Rather than defeating Multi-Factor Authentication (MFA) technically, fluent English-speaking callers impersonate employees and talk helpdesk staff into resetting passwords and enrolled MFA factors on Okta SSO tenants; they then log in with the fresh credentials and escalate to administrative access in the cloud environments federated behind that SSO.

FinTech & AI: The "Agentic" Threat

On 4 February 2026, the Australian Securities and Investments Commission (ASIC) released its outlook for the year, explicitly flagging "Agentic AI" as a key risk. While not a traditional exploit, the unmonitored deployment of autonomous AI agents in FinTech creates new attack surfaces: an agent that reads untrusted input and holds credentials for payment or data systems can be manipulated into authorising fraudulent transactions or leaking proprietary financial models. Agent credentials and tool permissions should be treated like any other service account and scoped to least privilege.

Critical Vulnerabilities Explored

Security teams should prioritise the following vulnerabilities disclosed or actively exploited this week:

  • Microsoft Office & 365 (CVE-2026-21509): A critical vulnerability is being actively exploited in the wild. This flaw allows attackers to bypass Object Linking and Embedding (OLE) security protections. If a user opens a crafted Office file, the attacker can execute arbitrary code. Patch immediately.
  • Cisco Meeting Management (CVE-2026-20098): Disclosed on 4 February 2026, this high-severity flaw allows an authenticated, remote attacker to upload arbitrary files and elevate privileges to root. The authentication requirement narrows exposure but does not remove it; a single phished or reused account is enough. This is particularly dangerous for organisations relying on on-premises collaboration hardware.
  • Notepad++ Supply Chain Attack: It was confirmed this week that a state-sponsored actor compromised the update infrastructure of the open-source editor Notepad++. Users who updated between June and December 2025 may have received a malicious binary. Security teams must verify the integrity of developer tools installed in their environments by comparing installed binaries against vendor-published hashes and checking their code-signing chains, and should reinstall any tool updated through the affected channel from a clean source.
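One way to carry out the integrity check recommended above, as an added example that is not code from the briefing, from Notepad++ or from any vendor. It reads a known-good manifest in the `<sha256>  <relative path>` format that `sha256sum` prints, hashes every file under an install directory, and reports files that are unchanged, modified, not in the manifest, or missing. The manifest format and the demo install tree built in `demo()` are constructed for illustration; in practice the manifest is populated from the vendor's published hashes.

```python
"""Verify an installed tool tree against a known-good SHA-256 manifest."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'sha256sum'-style lines ('<hex>  <path>' or '<hex> *<path>')."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition(" ")
        expected[rel.strip().lstrip("*")] = digest.lower()
    return expected


def verify_tree(root, expected):
    """Classify every file under root as ok / modified / unlisted,
    and list manifest entries that are missing on disk."""
    root = Path(root)
    result = {"ok": [], "modified": [], "unlisted": [], "missing": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in expected:
            result["unlisted"].append(rel)   # dropped or side-loaded file
        elif sha256_file(p) == expected[rel]:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)   # content differs from known-good
    result["missing"] = sorted(set(expected) - seen)
    return result


def demo():
    """Build a CONSTRUCTED install tree in a temp dir: one binary tampered
    with after the manifest was taken, one extra file dropped beside it,
    and one manifest entry that is absent on disk."""
    files = {
        "notepad++.exe": b"good editor build",
        "plugins/mimeTools.dll": b"plugin",
        "updater/gup.exe": b"updater",
    }
    with tempfile.TemporaryDirectory() as d:
        manifest = {}
        for rel, data in files.items():
            path = Path(d, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
            manifest[rel] = hashlib.sha256(data).hexdigest()
        manifest["plugins/missing.dll"] = hashlib.sha256(b"missing").hexdigest()
        # Simulate post-manifest tampering and an attacker-dropped helper.
        Path(d, "updater/gup.exe").write_bytes(b"updater" + b"\x90" * 16)
        Path(d, "updater/helper.dll").write_bytes(b"dropped")
        text = "\n".join(f"{h}  {rel}" for rel, h in manifest.items())
        return verify_tree(d, parse_manifest(text))


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:9s} {paths}")
```

Run it against a real install directory by replacing `demo()` with `verify_tree("C:/Program Files/Notepad++", parse_manifest(open("manifest.txt").read()))`. A non-empty `modified` or `unlisted` list is the signal to quarantine the host and reinstall from a clean source; a hash match proves only that the file is the one the vendor published, so the manifest itself must come from a channel you trust more than the update server.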

Emerging Tactics: "Living off the Identity"

The shift from "Living off the Land" to "Living off the Identity" is the defining trend of early 2026. The SLSH campaign demonstrates that push- or OTP-based MFA is insufficient against a determined human adversary when a helpdesk can be talked into resetting it: the factor is not broken, it is simply replaced.

  • Recommendation: Australian organisations should enforce FIDO2 hardware keys (phishing-resistant MFA) for privileged accounts and implement "number matching" for push-based MFA to reduce fatigue attacks. Neither control helps if the helpdesk will reset factors on a phone call, so pair them with a strict identity-verification procedure for resets (callback to a number on file, or manager approval) and alert on factor or password resets that are followed by logins from unfamiliar locations.
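The detection a SOC would want for the helpdesk-reset pattern described in the SaaS section and here, as an added example that is not code from the briefing or from Okta. It correlates, per target user, a password or MFA reset performed by someone other than the user with a subsequent session from an IP address that user had not used before the reset, followed by a privilege grant or group membership change, all inside a two-hour window. The records in `SAMPLE_EVENTS` are constructed; they only approximate Okta System Log entries (flattened here to `eventType`, `actor`, `target`, `client.ip` and `published`, which is an assumption about the schema), and the `eventType` strings are ones the author believes Okta emits and should be confirmed against your tenant's logs before the rule is deployed.

```python
"""Correlate helpdesk-driven resets with new-IP logins and privilege escalation."""
from collections import defaultdict
from datetime import datetime, timedelta

RESET_EVENTS = {            # what a helpdesk operator does for a "locked out" caller
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.account.reset_password",
}
ESCALATION_EVENTS = {       # what turns a recovered login into admin control
    "user.account.privilege.grant",
    "group.user_membership.add",
}
LOGIN_EVENT = "user.session.start"
WINDOW = timedelta(hours=2)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_identity_takeovers(events, window=WINDOW):
    """Return one alert per target user for whom, within `window` of a reset
    performed by someone else, a session started from an IP the user had not
    used before the reset and was then followed by an escalation event."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["target"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e["published"]))
        known_ips = set()                      # IPs seen for this user so far
        for i, ev in enumerate(evs):
            if ev["eventType"] == LOGIN_EVENT:
                known_ips.add(ev["client"]["ip"])
                continue
            # Self-service resets are a different, noisier signal; skip them.
            if ev["eventType"] not in RESET_EVENTS or ev["actor"] == user:
                continue
            deadline = _ts(ev["published"]) + window
            later = [x for x in evs[i + 1:] if _ts(x["published"]) <= deadline]
            login = next((x for x in later if x["eventType"] == LOGIN_EVENT
                          and x["client"]["ip"] not in known_ips), None)
            if login is None:
                continue
            escalation = next((x for x in later if x["eventType"] in ESCALATION_EVENTS
                               and _ts(x["published"]) >= _ts(login["published"])), None)
            if escalation is None:
                continue
            alerts.append({
                "user": user,
                "reset_by": ev["actor"],
                "reset_event": ev["eventType"],
                "reset_at": ev["published"],
                "login_ip": login["client"]["ip"],
                "escalation": escalation["eventType"],
            })
            break                              # one alert per user is enough for triage
    return alerts


def _ev(published, event_type, actor, target, ip):
    return {"published": published, "eventType": event_type, "actor": actor,
            "target": target, "client": {"ip": ip}}


# CONSTRUCTED sample log; IPs are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # alice's normal week: logins from the office egress address
    _ev("2026-02-03T08:02:11Z", LOGIN_EVENT, "alice", "alice", "203.0.113.10"),
    _ev("2026-02-04T08:05:40Z", LOGIN_EVENT, "alice", "alice", "203.0.113.10"),
    # the vishing call: helpdesk wipes her factors and sets a new password
    _ev("2026-02-05T10:00:03Z", "user.mfa.factor.reset_all", "helpdesk.bob", "alice", "203.0.113.20"),
    _ev("2026-02-05T10:01:15Z", "user.account.reset_password", "helpdesk.bob", "alice", "203.0.113.20"),
    # the caller logs in from an address alice has never used ...
    _ev("2026-02-05T10:12:48Z", LOGIN_EVENT, "alice", "alice", "198.51.100.77"),
    # ... and the account is granted admin rights
    _ev("2026-02-05T10:20:09Z", "user.account.privilege.grant", "alice", "alice", "198.51.100.77"),
    # carol also called the helpdesk, but came back from her usual IP and did nothing else
    _ev("2026-02-04T09:00:00Z", LOGIN_EVENT, "carol", "carol", "203.0.113.11"),
    _ev("2026-02-05T11:30:00Z", "user.account.reset_password", "helpdesk.bob", "carol", "203.0.113.20"),
    _ev("2026-02-05T11:35:00Z", LOGIN_EVENT, "carol", "carol", "203.0.113.11"),
]

if __name__ == "__main__":
    for alert in find_identity_takeovers(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately requires all three stages. A reset alone is routine helpdesk work, and a login from a new IP alone is travel; it is the reset by a third party, then a login the user's history does not explain, then a privilege change, that matches the vishing playbook. Tune `WINDOW` to how quickly your helpdesk closes tickets, and seed `known_ips` from more history than a single week before trusting the "new IP" test in production.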

Conclusion

As we move further into 2026, the barrier between "technical" and "social" attacks is dissolving. Whether it is a ransomware group coercing a hospital or a vishing crew tricking a FinTech helpdesk, the human element remains the most critical vulnerability.

Contact us for a quote for penetration testing service or adversary simulation.