We brought together the top cyber-related news for April in one place, so you don’t have to. 

Need to know:

  • Medibank was ordered to hand over investigative reports related to the 2022 cyber attack, providing some valuable lessons in terms of legal professional privilege (see our client note here).
  • New rules to operationalise recent cyber law reform and amendments to Australia’s security of critical infrastructure laws took effect, and telecommunications security obligations now sit under the SOCI Act (see our client note here).
  • Local industry superannuation funds, including AustralianSuper, Australian Retirement Trust, Hostplus and REST, suffered from a coordinated cyber fraud early in the month.

Good to know:

  • Several cyber security agencies (including the ASD’s ACSC, the FBI, and the NSA) have issued a joint cybersecurity advisory on the ongoing threat of ‘fast flux’ enabled malicious activities.
  • Oracle finally admitted that the March breach of its Oracle Cloud, leading to the theft of legacy client login credentials.
  • We have released our latest episode of Cross Examining Cyber – a conversation with Mark Rigotti, CEO of the AICD (listen here).

Global headlines:

  • The Trump administration continues to attract headlines, with notable dismissals including top cyber officials Timothy Haugh and Wendy Noble, and national security adviser Mike Waltz, and an investigation into the former head of CISA, Christopher Krebs.
  • Japan passed the Active Cyber Defense Bill.
  • China admitted to being behind Volt Typhoon on of the most prolific cyber threat groups in the world.
  • The US has subpoenaed Chinese telecom giants, China Mobile, China Telecom, and China Unicom, after the companies failed to respond to a formal congressional inquiry regarding their potential ties to China’s military and intelligence firms.
  • The EU opened consultation on the Cybersecurity Act.
  • The UK has provided an outline of the Cyber Security and Resilience Bill and introduced a cyber governance code of practice.

Other industry news:

  • Mandiant and Verizon released their 2025 threat reports.
  • The Australian Cyber Network published its first State of the Industry report for 2024, highlighting the economic growth of Australia’s cyber security sector, while also pinpointing rising threats on the horizon.
  • The Law Council of Australia has pushed for scaling back of data retention obligations in favour of heightened use of the Australian Government Digital Identify System.  
  • Electricity and water operators are being targeted by cyberattacks, according to a study by Semperis.

Cyber incidents making the news:

  • More than 31,000 banking passwords belonging to Australian banking customers have been found being traded on the dark web.
  • Food and groceries attracted attention from threat actors, with both Co-op and Marks & Spencer navigating cyber attacks during April.
  • Incidents impacting Western Sydney University and the University of Sydney emphasised that the tertiary education sector seems to be a key target for threat actors.
  • A hacker got hacked: ransomware gang Everest had its site defaced by unknown threat actors.

Other cyber incidents that made headlines in April included Korean telco SK Telecom, the UK’s Royal Mail, energy company Schneider Electric, IT services firm Hexicor, Moscow Metro, Sydney’s Fullerton Hotel, New Zealand-based hardware chain The ToolShed, the Tasmanian Department of Treasury and Finance , NASCAR, DBS Bank and Bank of China Singapore, creative agency Fancy Films, steel subcontractor Watkins Steel, car rental companies Hertz and Europcar, online message board 4Chan, Extreme Fire Solutions, lottery broker TheLotter, airline products company TMA, NSW-based law firm Bilbie Faraday Harrison, Australian steel provider Galvatech, Italian Medical Group Synlab,  healthcare company DaVita, and Adelaide’s Women's and Children's Hospital.


New Podcast Episode: Cross Examining Mark Rigotti

In this episode of Cross Examining Cyber, we interview Mark Rigotti, Managing Director and CEO of the Australian Institute of Company Directors (AICD). We delve into cyber governance, the AICD's role, board challenges during incidents, risk measurement, and decision-making. Additionally, we explore trust dynamics at the board level and the lawyer's role in cyber security.

You can listen to the episode here.

 

Demystifying Australia's Security of Critical Infrastructure Regime

The Security of Critical Infrastructure Act 2018 has been revised several times, most recently in December 2024. That reform package has now taken effect. The regime is more comprehensive, in recognition of an evolving threat landscape. But it is certainly not simpler to understand or easy comply with.

We have sought to demystify the regime’s complexities. Check our summary here.


Court tells Medibank to hand over cyber attack reports The Australian (subscription only) – 7 April 2025

Medibank has been ordered to hand over investigative reports related to the 2022 cyberattack, which exposed the data of over 10 million customers. Federal Court judge Helen Rofe ruled that the reports, prepared by Deloitte, were not protected by legal professional privilege. The court found that the reports had multiple purposes, including improving cybersecurity and public communication, rather than solely legal advice. Medibank plans to appeal the decision.

The case highlights the ongoing challenges faced in the context of organisations seeking to establish that legal professional privilege applies to reports created in the wash-up of a material cyber incident.

Our key takeaways for clients are available here.

The full judgment is available here.

 

ASIC warns of threat from “hydra-like” scammers after obtaining court orders to shut down 95 companies ASIC – 7 April 2025

The Australian Securities and Investments Commission (ASIC) has successfully applied to wind-up 95 companies linked to online investment and romance baiting scams, known as 'pig butchering' scams. The Federal Court found that these companies were incorporated with false information and lacked proper management. Many were associated with websites and apps facilitating scam activities. ASIC Deputy Chair Sarah Court warned that scammers use increasingly complex techniques, including setting up sham companies and professional-looking websites. ASIC is taking down over 130 scam websites weekly and urges consumers to remain vigilant against these persistent threats.


What we know so far about the Australian superannuation fund cyber attacks ABC News – 4 April 2025

Multiple large superannuation funds, including Hostplus, Rest, AustralianSuper, and Australian Retirement Trust, have been targeted in cyber fraud, resulting in some members losing thousands of dollars in retirement savings. The breaches, discovered in early April, were caused by stolen passwords used to access accounts. Cybersecurity experts highlighted significant security weaknesses in the sector, noting the lack of multi-factor authentication as a key vulnerability. The attacks involved "credential stuffing", where stolen credentials from other breaches were used to gain access. While some funds are insured against fraud, members are urged to check their accounts and update their passwords. The industry is being called upon to implement stronger security measures to prevent future incidents.

 

Fast Flux: A national security threat Australian Signals Directorate – 4 April 2025

The Australian Signals Directorate’s Australian Cyber Security Centre, together with the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation and others, issued a joint cybersecurity advisory warning organisations, Internet Service Providers, and Cloud Service Providers about the ongoing threat of fast flux. Fast flux is a technique used by cybercriminals and nation-state actors to evade detection by rapidly changing DNS records, creating resilient and highly available command and control infrastructure. The advisory recommends developing accurate, reliable, and timely detection analytics and blocking capabilities, and adopting a multi-layered approach combining DNS analysis, network monitoring, and threat intelligence to mitigate this threat.

 

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks Security Magazine – 25 April 2025

Verizon Business released its 2025 Data Breach Investigations Report, which assessed more than 22,000 security events. The leading initial attack vectors continued to be credential abuse (22%) and vulnerability exploitation (20%). Third-party involvement in breaches doubled to 30%. Human error continues to play a major role in breaches. Median ransom payments decreased, but ransomware presence grew by 37%. Small organizations are disproportionately affected by ransomware. Exploitation of vulnerabilities as an initial access vector increased by 34%. The report can be accessed and downloaded here.

 

Mandiant report finds rise in financially motivated cyber attacks Security Brief Australia – 24 April 2025

The Mandiant M-Trends 2025 Report analyses over 450,000 hours of incident response engagements globally, providing insights into an evolving cyber threat landscape. Key findings from the report include (1) there has been an increase in financially motivated attacks; (2) direct exploits as the most common initial infection vector (following by stolen credentials and phishing); (3) financial organisations as the most commonly targeted sector (followed by business services); (4) more than half of breaches are identified by external sources; and (5) there has been a rise in the use of infostealer malware and targeting of cloud environments. The report can be accessed and downloaded here.

 

State of the Industry 2024 Australian Cyber Network – 16 April 2025

The Australian Cyber Network's inaugural State of the Industry 2024 report reveals a rapidly growing cyber security sector contributing $9.99 billion to the economy and employing over 137,000 professionals. However, the sector remains under-resourced, with 69% of businesses impacted by ransomware attacks. The report highlights the need for urgent action and national leadership to address rising cyber threats. It also notes an increase in female participation in the workforce, now at 25%. The report also calls for greater transparency and shared responsibility in cyber security to build national resilience.

 

Law Council push for Digital ID to replace data obligations InnovationAus – 2 April 2025

The Law Council of Australia recommends data retention obligations for businesses be replaced with the government's Digital Identity System or other privacy-preserving methods. This suggestion was made in their submission to the Commonwealth review of data retention requirements, which aims to simplify and minimise these obligations. Other organisations, including the Governance Institute and the Australian Information Industry Association, support this move to reduce the over-retention of sensitive personal data and reduce cybersecurity exposure.

 

Semperis Study Reveals 62% of Water and Electricity operators targeted by cyberattacks in the past year Australian Cyber Security Magazine – 10 April 2025

A new study by Semperis reveals that 62% of water and electricity operators in the US and UK were targeted by cyberattacks in the past year, with 80% facing multiple attacks. Nearly 60% of these attacks were by nation-state groups, causing significant data corruption or destruction. The study highlights the vulnerability of Australia's critical infrastructure, with similar threats reported. Similar incidents in Australia, such as attacks on EnergyAustralia and AGL in 2022, and CS Energy in 2021, underscore the need for improved resilience.


Japan Passes Active Cyber Defense Bill Tripwire – 1 April 2025

Japan has passed the Active Cyber Defense Bill, empowering its military and law enforcement agencies to take pre-emptive action against cyber threats. This legislation was prompted by criticisms of Japan's digital defences and escalating cyber-espionage activities, particularly from China. The bill includes both passive defence measures and controversial active measures, such as allowing law enforcement to disrupt enemy servers during cyber attacks without explicit oversight.

 

China admits to being behind Volt Typhoon cyber activities targeting US Cyber Daily – 14 April 2025

China has purportedly admitted that hackers backed by the People's Republic of China are behind the cyber activities attributed to the Volt Typhoon group, which has targeted critical infrastructure in the US and its Pacific territories. The admission came during a closed-door meeting at a Geneva summit in December 2024 between outgoing Biden administration officials and Chinese representatives. According to the Wall Street Journal, the comments were “indirect and somewhat ambiguous” however US officials is portraying the meaning as plain. Volt Typhoon has focussed on transport hubs and water utilities, prepositioning for potential future conflicts, particularly concerning Taiwan.

 

U.S. Subpoenas Chinese Telecom Giants Over National Security Risks and Data Privacy Concerns Cyber Insider  – 25 April 2025

The House Select Committee on the Chinese Communist Party has subpoenaed China Mobile, China Telecom, and China Unicom for failing to respond to inquiries about their ties to Chinese military and intelligence agencies. The subpoenas, demanding compliance by 7 May 2025, are part of a bipartisan investigation into whether these firms continue to operate digital infrastructure in the US despite federal bans. Concerns include potential cyber espionage and the disruption of US critical infrastructure. The investigation follows reports of Chinese state-sponsored hackers infiltrating US telecom networks. The Chinese embassy criticised the move, while the telecom firms have not responded. Non-compliance may lead to further legal action.

 

Inside the UK Government's Cyber Security & Resilience Bill Cyber Magazine – 1 April 2025

The UK Government has outlined a scope and ambition for the Cyber Security and Resilience Bill, aimed at securing technology, innovation and critical infrastructure. The bill will expand the remit of existing regulations to protect more digital services and supply chains, ensuring critical infrastructure and digital services are secure. It additionally introduces new measures to safeguard data centres and IT providers, and mandates stronger cyber defences for hospitals and energy suppliers. The bill also enhances reporting requirements to build a comprehensive picture of cyber threats and puts regulators on a stronger footing to enforce essential cyber safety measures.

 

China's Personal Information Protection Compliance Audit: Nature And Strategy Mondaq – 2
April 2025

The Cyberspace Administration of China issued the Rules on Compliance Audit for Personal Information Protection (PIPCA Rules) to implement compliance audit requirements under the Personal Information Protection Law and the Regulation on Network Data Security Administration. Effective 1 May 2025, the PIPCA Rules mandate regular audits for data processors handling personal information of over 10 million individuals or those with high-risk processing activities. The Rules also outline the qualifications for professional institutions conducting these audits and emphasise both legal and technical compliance.

 

China-linked Billbug hackers breached multiple entities in Southeast Asian country The Record – 23 April 2025

A long-running cyber espionage operation linked to China, attributed to the Billbug APT group, breached multiple prominent government and business organisations in a Southeast Asian country from August 2024 to February 2025. Billbug, also known as Lotus Panda, targeted a government ministry, an air traffic control organisation, a telecoms operator, and a construction company. The attacks involved custom-made tools like credential stealers and backdoors, as well as legitimate tools to confuse incident responders. Billbug has a history of targeting Southeast Asian entities, aiming to bolster China's claims over Taiwan and the South China Sea.

 

Commission opens consultation on revising EU Cybersecurity Act European Commission– 11 April 2025

The European Commission is seeking input to revise the EU Cybersecurity Act to strengthen the EU's resilience against cyber threats. The review will focus on the mandate of the ENISA, the European Cybersecurity Certification Framework, and ICT supply chain security challenges. The aim is to simplify cybersecurity rules, streamline reporting obligations, and foster a business-friendly environment. The consultation period ends on 20 June 2025, with interested parties including cybersecurity authorities, industry and trade associations, researchers, consumer organisations and citizens being invited to give their views here.

 

Taiwan to launch joint cybersecurity center Taipei Times – 15 April 2025

Taiwan will launch a joint cybersecurity centre to enhance its defence against severe cybersecurity threats, including those from Chinese state-backed hackers, AI, quantum computing, ransomware, and intellectual property theft. The centre will focus on four key areas: societal resilience, defence of homeland and critical infrastructures, protecting crucial industries and supply chains, and safe AI use. It will map cybersecurity vulnerabilities, seek to collaborate with government and private entities, and monitor global trends. The initiative similarly aims to implement the Zero Trust principle, advance quantum encoding technologies, broaden international cybersecurity alliances, and boost public vigilance.

 

Justice Department Implements Critical National Security Program to Protect Americans’ Sensitive Data from Foreign Adversaries Office of Public Affairs – 11 April 2025

The US Justice Department has launched the Data Security Program under Executive Order 14117 to prevent ‘countries of concern’ (eg China, Russia and Iran) from accessing US government-related and sensitive personal data. The program establishes export controls to block these adversaries from exploiting data for espionage and other malicious activities. To support compliance, the National Security Division has issued a Compliance Guide, FAQs, and an initial enforcement policy. The program took effect from 8 April 2025 and includes a 90-day grace period.

 

Government punts cyber governance code of practice for UK businesses Computer Weekly – 8 April 2025

The UK Government has launched a cyber governance code of practice for medium and large organisations, backed by the Institute of Directors. Cyber Security Minister Feryal Clark emphasised the importance of safeguarding operations and protecting customers. The code outlines steps for robust cyber security, aiming to support economic growth. It also complements the upcoming Cyber Security and Resilience Bill, which will enhance protection for supply chains and critical services. The code has received industry support and highlights the need for formal cyber strategies and incident response plans.

 

Trump sacks Waltz over Signalgate in first shakeup of presidency Australian Financial Review – 2 May 2025

President Donald Trump has removed the US national security adviser, Mike Waltz, after he accidentally added the editor of The Atlantic to a Signal app thread discussing sensitive military operations in Yemen. Secretary of State, Marco Rubio, will temporarily assume the role of national security adviser. No official has held both portfolios simultaneously since Henry Kissinger under the Nixon and Ford administrations. Mike Waltz has been nominated as ambassador to the United Nations.

 

Trump administration under scrutiny as it puts major round of CISA cuts on the table Cyber Security Dive – 7 April 2025

The Trump administration is facing criticism for planning significant job cuts at the CISA. CISA is expected to slash up to 1,300 jobs through a combination of terminations and other incentives. The cuts follow the recent removal of General Timothy Haugh from US Cyber Command.  Critics argue that these cuts will weaken US cybersecurity amid increasing threats from China and Russia, and the Trump administration has been urged to reconsider the reductions.

 

Trump sackings are ‘dangerously degrading’ US cyber defences InnovationAus – 27 April 2025

President Donald Trump has dismissed top cyber officials, including General Timothy Haugh and Wendy Noble from the NSA and Cyber Command, and has initiated an investigation into former head of CISA, Christopher Krebs. Jen Easterly, Krebs’ successor and now-former CISA head, warns that these actions are weakening US cyber defences and politicising the federal cyber ecosystem, and has criticised silence from industry leadership.

Peter Jones photo

Peter Jones

Partner, Head of TMT, Asia, Singapore

Heather Kelly photo

Heather Kelly

Senior Associate, Melbourne

Merryn Quayle photo

Merryn Quayle

Managing Partner, Melbourne Office, Melbourne

Josh Kain photo

Josh Kain

Foreign Law Clerk (Australia), New York

Kaman Tsoi photo

Kaman Tsoi

Special Counsel, Melbourne

Key contacts

Peter Jones photo

Peter Jones

Partner, Head of TMT, Asia, Singapore

Heather Kelly photo

Heather Kelly

Senior Associate, Melbourne

Merryn Quayle photo

Merryn Quayle

Managing Partner, Melbourne Office, Melbourne

Josh Kain photo

Josh Kain

Foreign Law Clerk (Australia), New York

Kaman Tsoi photo

Kaman Tsoi

Special Counsel, Melbourne

Caitlyn Bellis photo

Caitlyn Bellis

Senior Associate, Sydney

Cameron Whittfield Peter Jones Heather Kelly Magdalena Blanch-de Wilt Christine Wong Merryn Quayle Josh Kain Kaman Tsoi Caitlyn Bellis