Australia’s Cyber Threat Landscape 2025: Key Insights from the ASD Annual Cyber Threat Report


First Published: October 21, 2025

Content Written For: Small & Medium Businesses, Large Organisations & Infrastructure, Government


The ASD Annual Cyber Threat Report 2024–25 confirms that Australia’s cyber risk environment has intensified across all sectors. The Australian Cyber Security Centre (ACSC) responded to more than 1,200 cyber security incidents, an 11% increase from the previous year. It also received 84,700 cybercrime reports, approximately one every six minutes.

The financial impact has risen sharply. The average cost of a cybercrime report for businesses increased by 50% to $80,850, while large businesses experienced a 219% rise in losses.

For critical infrastructure (CI), Denial-of-Service (DoS/DDoS) attacks increased by 280%, accounting for nearly a third of all incidents. Individuals now face an average $33,000 loss per cyber incident, with identity fraud remaining the top reported crime type.

The ACSC urges Australian organisations to “assume compromise” and focus on protecting their “crown jewels.” It recommends four key strategic actions:

  1. Implement best-practice event logging.
  2. Replace legacy technology.
  3. Choose secure-by-design products and suppliers.
  4. Begin planning for post-quantum cryptography.

Key Takeaways

  • The ASD Cyber Threat Report reveals an 11% increase in cyber incidents with over 1,200 incidents reported.
  • Denial-of-Service attacks surged by 280%, affecting critical infrastructure significantly.
  • Individuals face average losses of $33,000 per cyber incident, with identity fraud remaining the top crime.
  • The report urges organisations to implement best practices, upgrade technology, and prepare for post-quantum cryptography.
  • Emerging threats include ransomware, AI-driven attacks, and state-sponsored campaigns targeting key sectors.

Key Findings at a Glance

Metric | FY2024–25 | Change YoY | Source
Cybercrime reports | 84,700 | Slight decrease | ASD 2025
Cyber incidents responded to | 1,200+ | 11% increase | ASD 2025
Average cost per business cybercrime | $80,850 | 50% increase | ASD 2025
Average cost for large business | $202,700 | 219% increase | ASD 2025
DoS/DDoS incidents (all sectors) | 200+ | 280% increase | ASD 2025
Cybercrime reports per 6 minutes | 1 | Consistent | ASD 2025

Australia’s Expanding Attack Surface

1. Businesses:
Cybercriminals remain motivated by financial gain. The top three reported threats were:

  • Email compromise without financial loss (19%)
  • Business email compromise fraud with financial loss (15%)
  • Identity fraud (11%)

High-value data holdings and interdependent supply chains continue to make mid-tier and enterprise organisations attractive targets.

2. Critical Infrastructure:
The ACSC reported that 13% of all incidents involved CI, with financial services, transport and logistics, and telecommunications most affected.
State-sponsored actors increasingly employ “living off the land” techniques, blending into legitimate network traffic until they choose to act.

3. Individuals:
The rise of identity-related fraud highlights the human cost of cybercrime. Australians most frequently reported identity fraud (30%), online shopping fraud (13%), and online banking fraud (10%).

Emerging Threat Dynamics

A. Ransomware and Extortion Economics
Ransomware remains among the most disruptive forms of cybercrime. The ACSC responded to 138 ransomware incidents in 2024–25. Notably, 39% of these were detected by the ACSC itself rather than by the affected organisations.
The government has now introduced a mandatory ransomware reporting regime for businesses with turnover exceeding $3 million and for CI operators. This signals a shift toward national transparency and coordinated defence.

B. Information Stealers and Credential Reuse
The ACSC draws attention to the growing prevalence of information stealer malware that exfiltrates credentials, credit card details, and personal data. These tools enable follow-on attacks and are commonly distributed through phishing campaigns and malware-as-a-service models.

C. AI and Automation Risks
Generative AI brings both innovation and new attack capabilities. The ACSC warns that AI allows threat actors to scale phishing, data analysis, and impersonation activity more efficiently than ever before.

D. State-Sponsored Campaigns
Australia continues to experience targeted espionage and disruption attempts from foreign state actors.

  • APT40 (China) is exploiting public-facing vulnerabilities and hijacking home routers for botnets.
  • APT28 (Russia) has targeted logistics and technology firms that support aid to Ukraine.

Post-Quantum and “Assume Breach” Mindsets

The ASD links national cyber preparedness to post-quantum resilience, warning that organisations must begin migrating to quantum-safe cryptography before 2030. A cryptographically relevant quantum computer could break today’s encryption, exposing communications and sensitive data.

The ACSC advises organisations to:

  • Create an inventory of cryptographic assets.
  • Develop a roadmap for PQC adoption.
  • Require secure-by-design assurances from vendors.

Building Resilience: Four Strategic Moves for 2025

Priority | Description | Business Implication
1. Event Logging | Implement comprehensive, tamper-proof logs for detection and forensics. | Enables faster containment and regulatory response.
2. Legacy IT Replacement | Replace unsupported systems or apply strong mitigations. | Reduces exposure to exploits and lowers incident costs.
3. Secure-by-Design Procurement | Vet suppliers and SaaS providers for demonstrable security posture. | Reduces supply-chain risk.
4. Post-Quantum Cryptography | Begin planning for quantum-safe encryption. | Strengthens long-term data integrity and compliance.

Strategic Takeaways for Australian Organisations

  1. Cybercrime is escalating faster than defence capability. Incidents rose by 11%, and enterprise losses more than tripled.
  2. Critical infrastructure is the primary target. 13% of all incidents affected CI, and DoS/DDoS incidents rose by 280%.
  3. AI is amplifying attacker capability. Deepfakes, fraudulent KYC documentation, and AI-generated phishing are now routine.
  4. Regulatory expectations are tightening. Mandatory ransomware reporting, Essential Eight maturity, and PQC adoption are becoming standard practice.
  5. Visibility remains the foundation of defence. The most severe incidents were identified by the ACSC rather than by the organisations themselves.

CyberPulse Recommendations

  • Prioritise telemetry and logging. Without detailed logs, incident response is reactive and incomplete. Consider a Managed Detection and Response Service.
  • Accelerate legacy system decommissioning. Integrate this with IT lifecycle management and budgeting.
  • Adopt continuous threat intelligence. Participate in ASD’s Cyber Security Partnership Program.
  • Reassess incident readiness. Test playbooks quarterly and align them with ACSC reporting channels.
  • Begin quantum transition planning immediately. Treat it as a multi-year cryptographic migration program.

About CyberPulse

CyberPulse is a security-first compliance partner helping organisations reduce cyber risk, build resilience and achieve certification with confidence. Founded by former CISOs and security leaders, we align technical depth with real-world context to deliver measurable outcomes across advisory, managed services, compliance and threat defence.
