Cyber implications of Australia’s expulsion of Iranian Ambassador following IRGC sabotage activity in Australia

Published by Cyber Intelligence on 28 August 2025
On 26 August 2025, the Australian Government attributed two arson attacks against Australia’s Jewish community to the Iranian Revolutionary Guard Corps (IRGC). The IRGC maintains a highly capable offensive cyber capability, which CyberCX Intelligence has previously assessed poses an ELEVATED threat to Australian critical infrastructure organisations. While the already ELEVATED threat has not materially increased overnight, organisations that already include Iranian cyber threat actors in their external threat profile should adopt an “alert but not alarmed” posture, and ensure they are prepared for common Iranian nation-state cyber tactics. CyberCX is closely monitoring developments following Australia’s announcement and will update this Intelligence Update if our assessments change.
Key Points
- The Iranian nation-state cyber threat to Australian critical infrastructure and individuals of interest to Iran remains ELEVATED. However, we do not assess the cyber threat from Iranian nation-state actors to Australian organisations has materially increased following Australia’s expulsion of Iran’s ambassador.
- We judge the government, defence industry, financial services, media, energy and water utilities sectors face a heightened threat from Iranian espionage and disruptive cyber operations. High-profile individuals, including Jewish community members and Iranian dissidents, also face a heightened threat.
- Additionally, CyberCX continues to assess that all Australian organisations currently face a heightened threat from ideologically motivated cyber threat actors, including pro-Iran/anti-Israel actors. In June 2025, we raised our threat level for this activity from LOW to MODERATE.
- Some pro-Iran ideologically motivated actors have a demonstrated ability to disrupt operational technology (OT).
- The IRGC is known to use ideologically motivated groups to obfuscate involvement in disruptive activity, including DDoS, website defacements, and OT targeting attacks.
- Australia’s attribution of arson attacks on Australian soil to the IRGC highlights the already heightened threat to all organisations from sabotage, both physical and cyber. Over the last 18 months, nation-state actors, notably Iran, Russia and China, have continued to normalise sabotage and pre-positioning against critical infrastructure and other civilian organisations.
- The Australian Government’s confirmation of the nexus between the IRGC and criminal proxies demonstrates a trend CyberCX Intelligence has been reporting for several years: the blurring of lines between nation-state, cybercriminal, and insider threats.
- Nation-state threat actors’ use of proxies and relationships with non-state groups makes it harder for organisations to detect and respond to threats.
Background
- On 26 August 2025, the Australian Prime Minister declassified Australian Security Intelligence Organisation (ASIO) assessments that the Iranian government, via the IRGC, coordinated at least two attacks against the Australian Jewish community.
- ASIO assessed that IRGC operations in Australia were intended to “create fear, stoke division and erode social cohesion”.
- In response to the IRGC operations, the Prime Minister announced the suspension of Australia’s embassy in Tehran, the expulsion of the Iranian Ambassador to Australia and the listing of the IRGC as a terrorist organisation.
- The Iranian Foreign Ministry rejected ASIO’s assessment, describing it as an Israeli government policy to divert public opinion away from Gaza and the Israel-Hamas war. Iran further claimed it has the right to take reciprocal action against Australia. The Iranian Foreign Minister also posted on X.com, claiming that “Iran is paying the price for the Australian people’s support for Palestine.”
The Iranian nation-state threat is already elevated
- The Australian government’s diplomatic actions against Iran, including its decision to list the IRGC as a terrorist entity, have precedent and are unlikely to materially increase the threat of Iranian nation-state targeting against Australia.
- In the global context, Australia’s diplomatic actions mirror recent decisions by several Western countries to designate the IRGC as a terrorist organisation, including Canada (2024), Sweden (2023) and the US (2019). The US and Canada have also ended diplomatic relations with Iran. The European Union Parliament (2025) and French National Assembly (2025) have both passed resolutions calling for the IRGC to be designated a terrorist organisation; however, an executive decision has not yet been actioned.
- Since the outbreak of the Israel-Hamas war, several Western intelligence services have publicly named Iran as a serious threat, highlighting the global reach of IRGC operations.
- We judge the Iranian nation-state cyber threat to Australia remains elevated, regardless of Australia-Iran bilateral relations. CyberCX Intelligence is aware of sustained Iranian nation-state activity involving cyber-enabled foreign interference, sabotage and espionage targeting critical infrastructure and persons of interest globally. We assess that:
  - It is almost certain (>95%) that Iranian nation-state actors will continue to conduct cyber-enabled espionage and foreign interference to monitor and intimidate persons of interest, including members of Iranian diaspora communities, opponents of the regime, journalists and politicians in Western countries, including Australia.
  - It is almost certain (>95%) that Iranian nation-state threat actors will conduct cyber-enabled espionage against Western governments and critical infrastructure, including in Australia, with transport, media and defence industry organisations most at risk.
  - There is a real chance (40 – 55%) that Iranian nation-state actors will target Western technology and critical infrastructure entities with disruptive or destructive cyber attacks. It is plausible that Australian organisations could be targeted directly or indirectly face spillover impacts.
The ideologically motivated threat remains moderate
- We judge that a deterioration in Australia-Iran relations is likely (55 – 80%) to temporarily increase the likelihood of pro-Iran ideologically motivated activity against Australia. Pro-Iran actors are known to conduct DDoS, website defacement and OT targeting attacks. In June 2025, we raised our threat level for this activity from LOW to MODERATE. See Threat of ideologically motivated targeting against AUNZ organisations raised temporarily to MODERATE.
- However, we note that pro-Iran actors represent a small proportion of overall ideologically motivated attacks against Australian organisations. A temporary increase in pro-Iran targeting may be offset by a temporary decrease in some pro-Palestine targeting. Key pro-Palestine groups have announced an intent to pause activities against Australia, following Australian Government support to recognise a Palestinian state.
Normalisation of sabotage and foreign interference globally
- Australia’s attribution of IRGC coordinated arson attacks against a synagogue and charity demonstrates a global trend of authoritarian countries normalising sabotage and foreign interference activity.
- We assess with high confidence that authoritarian countries like Iran, Russia and China have a heightened intent and tolerance for conducting sabotage and foreign interference against Western countries.
- We judge this increase in activity is directly associated with the Russia-Ukraine war, Middle East conflicts and tensions in the South China Sea. Authoritarian countries have demonstrated the intent to direct their targeting against countries on the periphery of major conflicts. We judge the decision to target Australia is almost certainly (>95%) linked to Australia’s perceived support for Israel in the Israel-Hamas and Israel-Iran conflicts.
- We judge IRGC operations in Australia were primarily intended to promote a narrative of increasing antisemitism in Australia to intimidate and isolate Australia’s Jewish community.
- CyberCX Intelligence notes cyber is not the only vector that authoritarian countries use to conduct sabotage and foreign interference. Like Iran, both Russia and China have demonstrated the intent to conduct both physical and cyber-enabled attacks.
- Since the outbreak of the Russia-Ukraine war in 2022, European intelligence services, researchers and non-government organisations (NGOs) have tracked an increase in suspected Russian sabotage and foreign interference activity. Between January 2022 and April 2025, the NGO Armed Conflict Location and Event Data (ACLED) observed over 190 incidents including espionage, arson, vandalism and assaults. While ACLED only tracked six cyber attacks during this period, CyberCX Intelligence assesses with high confidence that the actual number of Russian cyber attacks far exceeds this. In April and May 2025 alone, eight European countries attributed over a dozen cyber attacks to Russia.
- In May 2023, Australia joined Five Eyes partners in attributing cyber-enabled pre-positioning on critical infrastructure networks to the Chinese nation-state actor Volt Typhoon. The assessed goal of this activity was to enable the disruption of OT functions across multiple critical sectors in the event of a future conflict between China and the US in the Indo-Pacific region.
Blurring lines between nation-states and other threat actors
- During the Prime Minister’s press conference, ASIO disclosed that the IRGC coordinated sabotage in Australia via overseas proxies who tasked Australians to carry out arson attacks. This demonstrates a trend of blurring lines between traditional threat actor types, whereby authoritarian countries are increasingly relying on proxies and employing the services of financially and ideologically motivated actors.
- We judge the use of proxy groups, including organised crime syndicates, ideologically motivated actors and financially motivated cyber extortion groups, allows authoritarian countries to achieve effects while obfuscating their involvement to manage escalation risks.
- Nation-state actors have also increasingly employed tools and services commonly used by other types of actors.
- In 2022, the Russian nation-state actor Cadet Blizzard (Unit 29155 of Russia’s military intelligence) began deploying ransomware against Ukrainian organisations. In the campaign, dubbed WhisperGate, Cadet Blizzard used publicly available tooling and tradecraft commonly used by cyber extortion groups to increase the likelihood of misattribution by network defenders.
- CyberCX is aware of several ideologically motivated actors that were found to be linked to, or established by, Russian and Iranian nation-state actors.
- In 2024, Mandiant linked several high-profile pro-Russia hacktivist personas, Cyber Army of Russia, Xaknet and Solntsepek, to the Russian nation-state actor APT44 (aka Sandworm). While these groups have since disbanded, at the time they were responsible for hundreds of DDoS and data leak attacks against critical infrastructure organisations in Europe, AUNZ and North America.
- In 2024, CISA linked the pro-Iran/Hamas hacktivist persona CyberAv3ngers to the IRGC. CyberAv3ngers gained notoriety for high-profile OT targeting attacks against Western critical infrastructure organisations in late 2023. Because of these high-profile attacks, CyberAv3ngers gained significant influence over the wider pro-Hamas hacktivist ecosystem, allowing it to direct the activity of dozens of actors by signalling its intent to target a specific sector or country.
- We judge the blurred lines between attack types and threat actor types make it harder for organisations to detect and assess threats.
Recommendations
- Organisations that already include Iranian cyber threat actors in their external threat profile should adopt an “alert but not alarmed” posture, and ensure they are prepared for common Iranian nation-state cyber tactics. We recommend organisations:
  - Review recent ACSC and CISA advisories on Iranian nation-state threat activity.
  - Implement temporary heightened monitoring for indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with Iranian threat actors.
  - Prioritise the timely application of security patches, particularly for known vulnerabilities exploited by Iranian threat actors.
  - Review and harden security controls for public-facing websites and applications, including by monitoring internet traffic patterns for early signs of DDoS attacks and deploying a content delivery network (CDN) solution, web application firewalls (WAF) and dynamic CAPTCHA challenges.
  - Advise staff to increase vigilance for common Iranian initial access activity, including phishing and multifactor authentication bypass attempts.
  - Ensure the availability of surge capacity for operational and incident response teams.
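As an added illustration of the "monitor internet traffic patterns for early signs of DDoS attacks" recommendation above (example code written for this page, not a CyberCX tool), the script below buckets web server access-log lines into one-minute windows and flags windows whose request rate jumps well above the site's baseline, reporting how many distinct clients contributed and how concentrated the traffic is. The log lines are constructed sample data and the spike factor and minimum-request thresholds are assumptions to be tuned per site.

```python
"""Early-warning check for DDoS-like request bursts in Common Log Format access logs.

Added example, not part of the original intelligence update. Thresholds are assumptions.
"""
import re
import statistics
from collections import Counter, defaultdict

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (client_ip, minute_bucket) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # "28/Aug/2025:10:04:07 +1000" -> "28/Aug/2025:10:04" (minute resolution)
    return m["ip"], m["ts"][:17]

def find_ddos_windows(lines, spike_factor=5.0, min_requests=20):
    """Return (minute, requests, unique_clients, top_client_share) for suspicious windows.

    A window is suspicious when its request count exceeds spike_factor times the
    median per-minute rate and at least min_requests were seen. A low top_client_share
    with many unique clients points to distributed traffic; a share near 1.0 means one
    source dominates and can be rate-limited or blocked at the CDN/WAF.
    """
    per_minute = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, minute = parsed
            per_minute[minute][ip] += 1
    totals = {minute: sum(c.values()) for minute, c in per_minute.items()}
    if not totals:
        return []
    baseline = statistics.median(totals.values())
    flagged = []
    for minute in sorted(totals):
        total = totals[minute]
        if total >= min_requests and total > spike_factor * baseline:
            clients = per_minute[minute]
            top_share = clients.most_common(1)[0][1] / total
            flagged.append((minute, total, len(clients), round(top_share, 2)))
    return flagged

def _sample_lines():
    """Constructed sample: four quiet minutes, then a 60-request burst from 15 sources."""
    fmt = '{ip} - - [28/Aug/2025:10:{mm:02d}:{ss:02d} +1000] "GET / HTTP/1.1" 200 512'
    quiet = [fmt.format(ip=f"203.0.113.{s + 1}", mm=mm, ss=s * 20)
             for mm in range(4) for s in range(3)]
    burst = [fmt.format(ip=f"198.51.100.{i % 15 + 1}", mm=4, ss=i) for i in range(60)]
    return quiet + burst

SAMPLE_LINES = _sample_lines()
```

Run against a real log, each flagged tuple is a candidate for correlating with CDN/WAF telemetry before escalating to the incident response team.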
Additional Information
For additional information, including specifics about the response within your IT environment, please contact [email protected] or your usual CyberCX contact.