Threat of ideologically motivated targeting against AUNZ organisations raised temporarily to MODERATE

Published by Cyber Intelligence on 1 July 2025

Key Points

• CyberCX Intelligence has raised the overall threat level of ideologically motivated actors to Australian and New Zealand organisations from LOW to MODERATE.[1]
• We assess that pro-Russia and pro-Iran/anti-Israel ideologically motivated actors will have increased intent to target AUNZ organisations for at least the next three months. This follows:
  • Announcements by the Australian Government on 26 June 2025 to enhance military support to Ukraine, including the redeployment of a RAAF E-7A Wedgetail aircraft to Europe, supported by up to 100 ADF personnel. The Australian Government also announced additional sanctions on Russian individuals and entities.
  • Announcements by the New Zealand Government on 23 June to provide new funding for lethal and non-lethal military assistance to Ukraine, and on 19 June to sanction Russian individuals and entities.
  • An already heightened threat of pro-Iran/anti-Israel ideologically motivated activity to Australian organisations, driven by the Middle East war.
  • A June 2025 pro-Russia DDoS campaign targeting New Zealand has increased the likelihood of follow-up attacks.
• Ideologically motivated attacks against AUNZ organisations are most likely to be low-level disruptive attacks, namely DDoS and website defacement. Despite the limited impact of individual attacks, campaigns involving dozens of attacks can cause reputational harm, generate media coverage and waste the time of network defenders.
• Targeting selection is likely to be opportunistic, but organisations with poorly secured or configured websites are most at risk. Pro-Russia actors have demonstrated a clear intent to target high-profile sectors like government and critical infrastructure.
• CyberCX continues to urge all organisations – from small enterprises to critical infrastructure – to review and test their DDoS protection levels, harden security of websites, and limit the internet exposure of industrial systems and operational technology.

Situation Overview

• This week both Australia and New Zealand have announced additional military and humanitarian support for Ukraine on the sidelines of the 2025 North Atlantic Treaty Organisation (NATO) Summit.
  • On 26 June 2025, the Australian Government announced additional sanctions against Russian entities and individuals. On 25 June 2025, Australia announced increased military assistance to Ukraine and deepened strategic collaboration with NATO. Notably, under the ongoing Operation Kudu, Australia will redeploy a Royal Australian Air Force (RAAF) E-7A Wedgetail aircraft to Europe, supported by up to 100 Australian Defence Force (ADF) personnel.[2]
  • On 23 June 2025, the New Zealand Government announced a new $16 million package of support for Ukraine, including to funds providing lethal and non-lethal military assistance for Ukraine.[3] On 19 June 2025, the New Zealand Government announced new sanctions targeting individuals supporting Russia’s war effort and Russia’s ‘shadow fleet’ used to evade sanctions on Russian oil.[4]
• The AUNZ commitments to Ukraine coincide with two other drivers of heightened threat from ideologically motivated actors.
  • Australia’s support for US limited strikes against Iran’s nuclear enrichment facilities.
  • A June pro-Russia DDoS campaign targeting New Zealand government entities and airports.

Key Assessments

• We assess that the AUNZ Government announcements have temporarily increased the threat to AUNZ organisations from pro-Russia ideologically motivated threat actors for the next three months. The most likely attack type is DDoS.
  • Pro-Russia ideologically motivated actors monitor and respond to Ukraine-related media and in particular announcements of military support.
    • CyberCX Intelligence is aware of discussions within pro-Russia Telegram channels about Australia’s decision to redeploy RAAF E-7A Wedgetail aircraft to Europe in June 2025.
  • AUNZ commitments to Ukraine have previously incited attacks by pro-Russia actors. For example:
    • In late 2024, pro-Russia ideologically motivated actors launched an unprecedently large DDoS attack campaign against Australia, focusing on government and transport sector organisations (see Figure 1). We assess with moderate confidence that the primary driver behind increased targeting was Australia’s announcement of military aid for Ukraine during a period when no other countries had recently announced new aid.
    • On 15 June 2025, a pro-Russia ideologically motivated actor announced an intent to target New Zealand organisations due to New Zealand’s extension of “$6.5 million for weapons and ammunition” to Ukraine. The threat actor subsequently claimed to have temporarily disrupted the websites of eight New Zealand airports and several government organisations.

Figure 1 – Count of claimed ideologically motivated attacks against AUNZ organisations in 2024, by motivation.

• • We note that Australia and New Zealand’s commitments occurred against the backdrop of the 2025 NATO Summit, at which multiple governments condemned Russia’s ongoing war and pledged additional support for Ukraine. Accordingly, pro-Russia ideologically motivated groups are likely to have multiple targeting objectives. However, we assess that these groups often maintain campaigns against multiple jurisdictions at the same time or conduct consecutive campaigns across jurisdictions, which is why we have raised the ideologically motivated threat level in AUNZ for the next three months.
  • Although pro-Russia DDoS targeting against individual organisations is opportunistic based on the existence of security gaps, pro-Russia actors have demonstrated clear intent to target high-profile sectors like government and critical infrastructure (see Figure 2). [5]
  • Individual DDoS and website defacement attacks are unlikely to cause more than temporary disruptions, however, the volume and longevity5 of DDoS campaigns can cause reputational harm to the target organisation, generate media coverage and waste the time of network defenders.
  • CyberCX is tracking increasing DDoS capabilities among threat actors that target AUNZ, particularly pro-Russia threat actors. We assess that highly distributed application layer DDoS attacks drawing on paid proxy infrastructure and paid traffic generation infrastructure represents the highest DDoS threat to AUNZ organisations.

Figure 2 – Target sector of pro-Russia ideologically motivated attacks against AUNZ from Q4 ’23 to Q2 ’25.

• We further assess that threat to Australian organisations from pro-Iran/anti-Israel ideologically motivated actors remains elevated. This assessment is driven by Australia’s support for limited US strikes against Iran’s nuclear enrichment capabilities in June, and remains unchanged, despite a June ceasefire.
  • We judge the most likely attack type for pro-Iran/anti-Israel actors is website defacement, followed by DDoS, followed by hack and leak. The most likely targets are small to medium enterprises with poorly secured or misconfigured websites.
  • Since January 2024, CyberCX has observed 50 pro-Iran/anti-Israel actors claim 268 attacks against AUNZ organisations, due to AUNZ’s perceived support for Israel. Targeting has been diverse, with small to medium businesses most affected.
    • Victims have ranged from financial advisors, marketing companies, recruitment websites, hardware stores, pool shops, taxi companies, and disability and aged care service providers.
    • While impacts are generally low-level, victims have suffered harms such as reputational damage, disrupted online bookings, and in some cases, leaked customer data.
• We further assess that the recent pro-Russia DDoS campaign against New Zealand conducted by a pro-Russia actor has increased the likelihood that New Zealand government and critical infrastructure organisations will be retargetedin the next three months.
  • The threat actor has invested in reconnaissance to identify the domains of the government organisations and airports they claimed to have targeted.
  • The threat actor has strong affiliations with other ideologically motivated threat actors, including the notorious pro-Russia actors NoName057(16) and Cyber Army of Russia Reborn.
  • While the threat actor responsible for the latest New Zealand campaign primarily conducts DDoS attacks against organisations perceived to support Ukraine, it also has anti-Israel and anti-NATO sentiments.
• We further assess that a simultaneous increase in the intent of both pro-Russia and pro-Iran/anti-Israel actors to target AUNZ has a compounding effect that increases overall threat.
  • Over the last 12 months, we have observed increased alignment and cooperation between pro-Russia and pro-Iran/anti-Israel ideologically motivated actors. We are aware of several notable campaigns where dozens of actors with differing sentiments jointly targeted organisations in Israel, Europe, North America and AUNZ.
  • We are also aware that publicity caused by a successful ideologically motivated campaigns can cause other actors to also pivot to the same region or target set.
  • This compounding effect has contributed to our decision to raise the AUNZ region’s overall threat level for ideologically motivated actors.
• While we assess DDoS and defacement of public-facing websites is the most likely attack type that ideologically motivated actors will use against AUNZ organisations, ideologically motivated attacks against operational technology (OT) and industrial control systems (ICS) are plausible but unlikely.
  • Both pro-Russia and pro-Iran actors have conducted these attacks in the last 12 months.
  • In January 2025, a pro-Russia ideologically motivated group compromised a Danish water utility’s OT assets and manipulated water pipe pressure. The attack resulted in 450 households being briefly without water, and 50 households being without water for several hours due to a pressure increase which burst a pipe.
  • From November 2023, Iranian nation-state cyber actors disguised as an ideologically motivated group calling itself CyberAv3ngers compromised and defaced Israeli-made OT used in organisations globally. Victim organisations spanned the water, energy, manufacturing, transport and healthcare sectors globally including in Australia.

Recommendations

• CyberCX Intelligence continues to recommend that all Australian and New Zealand organisations – regardless of their sector or size – review and test their DDoS protection levels and the security of public-facing assets including websites.
  • Despite the increased prevalence of DDoS and website defacement attacks, and growingawareness of the ideologically motivated threat, organisations (including large, mature critical infrastructure organisations) continue to fall victim to these attack types because they do not have basic controls in place.
• We also urge organisations to render these assets inaccessible from the internet which will significantly reduce the attack surface available to ideologically motivated threat actors.
• We recommend that organisations ensure that the operational and reputational impacts of DDoS and website defacement are included in their’ existing incident response, business continuity and crisis communications plans.

Additional Information

For additional information, including specifics about the response within your IT environment or to organise a threat hunt for your environment, please contact [email protected] or your usual CyberCX contact.

[1] This is a national-level aggregate threat. The specific threat rating for certain sector or organisations may differ.
[2] Australia deepens collaboration with NATO and takes further action to hold Russia to account
[3] New Zealand announces further aid for Ukraine
[4] New Russia sanctions target enablers of war, including Russia’s ‘shadow flee
[5] Pro-Russia campaigns targeting AUNZ have sometimes spanned weeks and involved over 50+ claimed individual DDoS attacks.