Cyber warfare is no longer a future risk or a distant geopolitical concern. It is actively shaping the global threat landscape, and Australian and New Zealand organisations are already in its path.
The conflicts in Ukraine and the Middle East have demonstrated that modern warfare is now conducted simultaneously across cyber, physical and intelligence domains. For Australian and New Zealand businesses, government agencies and critical infrastructure operators, the implications are significant and immediate.
ASD’s Annual Cyber Threat Report 2024–25 confirmed that state-sponsored actors are actively targeting Australian networks, not merely for espionage, but to pre-position for disruptive attacks. In the words of the Deputy Prime Minister: this is “not a hypothetical risk, but a real and increasing danger to the essential services we all rely on.” The question is no longer whether cyber warfare will affect Australian organisations. It is whether they are prepared to withstand it.
Cyber Warfare Is Now a Core Component of Modern Conflict
Modern conflict is no longer confined to physical battlefields. Cyber operations are now integrated with physical strikes and intelligence activity to achieve strategic outcomes across multiple simultaneous domains.
Recent conflicts offer stark examples. In the ongoing Israel–Iran conflict, cyber operations have directly enabled kinetic outcomes, not only as a precursor to physical strikes, but as a tool of intelligence gathering and operational blinding. Prior to a targeted strike on Iranian leadership, Israeli cyber actors reportedly compromised Iranian traffic light and surveillance infrastructure to track movement, then disrupted mobile communications near the compound to prevent security services from receiving warnings. The attack that killed senior Iranian military figures demonstrated how seamlessly digital and physical operations can be combined. To better understand these risks, many boards are now seeking strategic cyber governance and briefings.
In Ukraine, the picture is equally instructive. Russia’s sustained multi-year campaign has included attacks on power infrastructure, telecommunications, financial systems and government networks, all coordinated with or immediately preceding ground and missile operations. Rather than breaking Ukrainian resistance, these attacks prompted one of the most significant demonstrations of cyber resilience the world has seen: a nation maintaining operational continuity under sustained digital and physical assault.
Cyber warfare is now a force multiplier, used to blind, isolate and destabilise before and during physical conflict.
The Physical Vulnerability of Digital Systems
One of the most frequently overlooked aspects of cyber warfare is the physical dependency of digital systems. Cloud platforms, AI infrastructure and enterprise applications all rely on data centres, network hardware, and power and communications systems. In an escalating conflict, these physical dependencies become targets in their own right.
For Australian and New Zealand organisations, this raises urgent questions:
- What are the physical dependencies of our digital environment, including cloud providers and undersea cable infrastructure?
- How resilient are our systems to infrastructure disruption, including prolonged outages and not just brief incidents?
- Can we maintain core operations without normal access to cloud services, external networks or third-party providers?
These are not abstract planning questions. Australia and New Zealand’s geography and reliance on a small number of undersea cable routes create genuine concentration risk. Disruption to one of these routes, whether through physical sabotage or cyber-enabled attack on routing infrastructure, would have cascading effects across the economy.
Australia and New Zealand Are Already in the Crosshairs
Australia and New Zealand are not isolated from these developments. In November 2025, ASIO Director-General Mike Burgess confirmed that state-linked hackers had actively probed Australia’s critical infrastructure, including telecommunications networks, and specifically named Chinese state-linked groups Volt Typhoon and Salt Typhoon as threat actors operating in Australia, consistent with their documented campaigns in the United States and allied nations.
These are not opportunistic criminal operations. Volt Typhoon has been observed maintaining undetected persistent access inside victim networks for up to five years, using “living off the land” techniques (exploiting legitimate system tools rather than malware) to avoid detection while mapping networks and pre-positioning for potential disruption. Intrusions across more than 80 countries, with a focus on telecommunications, government and transport infrastructure, have meanwhile been attributed to Salt Typhoon. The ASD, working with 20 international partners, has publicly attributed Salt Typhoon’s campaign to China’s Ministry of State Security and the People’s Liberation Army.
ASD’s Annual Cyber Threat Report 2024–25 reinforces the scale of the domestic threat:
- Over 1,200 cybersecurity incidents responded to in FY2024–25, an 11% increase year-on-year
- DDoS attacks on Australian organisations surged by over 280%, with critical infrastructure entities targeted at twice the rate of other sectors
- State-sponsored actors targeting all levels of Australian government, critical infrastructure and private industry
- 1 in 10 reported incidents specifically targeted critical infrastructure
Australia ranked as the sixth-most targeted nation by ransomware operators globally in 2024. By early 2025, the Asia-Pacific region was experiencing cyber attacks at a rate 60% above the global average. The MediSecure data breach, which compromised sensitive health data belonging to millions of Australians, illustrated how a single incident in a critical sector can have profound national consequences. Many organisations are now turning to comprehensive risk assessments to identify these latent vulnerabilities.
ASIO’s 2025 Annual Threat Assessment warns that high-impact sabotage of Australia’s critical infrastructure networks is likely to worsen over the next five years.
Why Compliance Is No Longer Sufficient
Many organisations continue to approach cybersecurity through a compliance lens, meeting Essential Eight maturity requirements, satisfying CPS 234 obligations, or demonstrating Privacy Act compliance. These frameworks matter, and organisations that haven’t met them should prioritise doing so. But they were not designed to address the threat profile of a nation-state adversary.
Nation-state actors bring resources, patience and strategic intent that compliance frameworks cannot account for. Volt Typhoon’s willingness to operate undetected inside networks for years, carefully studying the environment and avoiding triggering security alerts, is not a scenario that checkbox compliance addresses. These actors combine cyber, intelligence and physical capabilities to achieve strategic outcomes. Their objectives range from intellectual property theft to societal disruption, and in the event of actual conflict, coordinated physical and cyber disruption of critical services.
The fundamental distinction is this: a compliance-based model focuses on meeting minimum standards. A resilience-based model focuses on surviving real-world attacks. This shift requires moving beyond basic scanning toward intelligence-led penetration testing that simulates real threat actor TTPs.
What Ukraine Teaches Us About Resilience
Ukraine provides one of the most instructive case studies in operational cyber resilience. Despite years of sustained attacks on power grids, government systems, financial infrastructure and communications networks, many of them conducted alongside or ahead of physical strikes, Ukraine has maintained extraordinary operational continuity.
The factors behind this resilience offer a direct template for Australian and New Zealand organisations:
- Distributed and redundant infrastructure that denies single points of failure
- Deliberate migration of critical government systems to cloud infrastructure, including international providers, before and during the conflict
- Strong pre-existing coordination between government agencies and private sector operators
- Rapid incident response and recovery capabilities built through years of adversarial pressure
- Continuous adaptation based on real-world attacker behaviour, not theoretical threat models
The key lesson is unambiguous: cyber resilience is built before a crisis, not during it. When attacks occur (and in the current environment this is a matter of when, not if), the time for building capability has already passed. For many, the first step is advanced training and crisis leadership preparation.
A Threat-Based Approach to Cyber Security
Addressing cyber warfare risk requires a fundamental shift in how organisations think about security. The starting point is not “what controls do we need to meet compliance?” but rather a threat-based analysis:
- Who are the likely threat actors targeting our organisation, and why?
- What assets, systems or data would they prioritise?
- How would they gain and maintain access? What techniques would they use?
- What would be the operational and reputational impact of a sustained disruption?
- How would our leadership team make decisions under pressure, without normal communications or systems?
This approach aligns security investment with real-world adversary behaviour, the tactics, techniques and procedures (TTPs) that actual threat actors use, rather than theoretical control frameworks.
For organisations operating critical infrastructure or operational technology (OT) environments, this analysis must extend beyond IT systems. Nation-state actors are increasingly targeting OT environments, and the consequences of a successful attack—disruption to power, water, transport or healthcare services—extend far beyond any data breach. Recent intelligence has highlighted active targeting of industrial control systems, reinforcing the need for OT-specific detection and response capability.
Building Resilience: What Organisations Must Do Now
Moving from compliance to resilience requires deliberate investment across several dimensions. Organisations should be asking whether they have addressed all of the following:
Threat intelligence and external monitoring.
Understanding what is happening outside the organisation’s perimeter is critical. This means continuous monitoring of the open web, dark web and external attack surface, detecting leaked credentials, impersonation attempts, phishing infrastructure and internet-exposed assets before adversaries exploit them.
Advanced threat detection and response.
Traditional security monitoring is insufficient against sophisticated adversaries using living-off-the-land techniques. Effective detection requires threat hunting based on real-world attacker TTPs, integration of intelligence with operational response, and the capability to identify and contain active threats rapidly, not after weeks of undetected dwell time. If a breach does occur, having elite technical incident response on standby is essential.
OT and critical infrastructure visibility.
For organisations operating industrial environments, detection capability must extend across operational technology networks, providing visibility into industrial control systems to detect anomalous behaviour and unauthorised access before operational impact occurs. CyBiz specialises in IoT and SCADA system vulnerability assessments to address these specific gaps.
Tested response capability.
An untested incident response plan is not a plan. Organisations should be conducting regular tabletop exercises that simulate realistic attack scenarios, stress-testing decision-making under pressure and identifying gaps before a real incident occurs.
Physical dependency assessment.
Understanding the physical dependencies of your digital environment, including cloud provider infrastructure, network routing and communications systems, is essential groundwork for any serious resilience program.
The Time to Act Is Now
Cyber warfare is no longer a theoretical concern for Australian and New Zealand organisations. State-sponsored actors are actively pre-positioning inside critical networks. DDoS attacks are surging. Recent years have shown that ransomware operators treat Australia as a high-value target. And ASIO has warned that the threat to critical infrastructure is likely to intensify.
The organisations that weather what is coming will be those that treated resilience as a business imperative, not a compliance exercise, before the crisis arrived. That means understanding real threats, identifying critical dependencies, testing response capability and investing in early detection and intelligence.
Compliance tells you whether you’ve met the minimum standard. Resilience tells you whether you’ll survive.
CyBiz and Sygnia work with organisations across Australia and New Zealand to build genuine cyber resilience, from threat intelligence and managed detection through to incident response readiness and OT security. If you’d like to discuss how your organisation can move from compliance to resilience, contact our team.
