ASD Issues Warning on Critical Infrastructure Attacks
The Australian Signals Directorate has issued an advisory about increased targeting of critical infrastructure by state-sponsored actors. If you’re thinking “that’s about power plants and hospitals, not me,” you might want to reconsider.
Modern infrastructure depends on extensive supply chains. And attackers know it.
What the Advisory Actually Says
The ASD, in coordination with Five Eyes intelligence partners, has observed sophisticated actors conducting reconnaissance and in some cases gaining access to systems supporting critical infrastructure. The sectors highlighted include:
- Energy and utilities
- Water and wastewater
- Healthcare
- Transportation
- Communications
The advisory notes that attackers are increasingly targeting suppliers, managed service providers, and smaller organisations in supply chains as a way to reach higher-value targets.
This is called supply chain compromise, and it’s not theoretical. The 2020 SolarWinds attack demonstrated exactly how effective this approach can be.
Why SMBs Should Care
“But we’re not critical infrastructure,” I hear you say.
Maybe not directly. But consider:
Do you provide IT services to a larger organisation? Your access to their systems makes you a target.
Do you supply goods or services to healthcare, energy, or government? Your systems might be a stepping stone.
Do you hold data that could be useful? Customer lists, technical specifications, network information about clients.
Are you connected to larger networks? Even as a small supplier, your compromised account could be used to send convincing phishing emails to bigger targets.
The advisory specifically warns about attacks targeting managed service providers and software suppliers - businesses that have legitimate access to many client networks.
The Tactics Being Used
The advisory describes several techniques:
Living off the land: Attackers use legitimate system tools (PowerShell, WMI, built-in admin tools) rather than malware. This makes detection harder because there’s no obvious malicious software.
Credential theft and reuse: Gaining access to one system, harvesting credentials, and using them to access others. This is why password reuse and lack of MFA are so dangerous.
Exploiting known vulnerabilities: Many attacks succeed by exploiting security holes that have patches available. The gap between patch release and patch application is a window of opportunity.
Long dwell times: These actors are patient. They might maintain access for months, quietly gathering information, before taking any action that might trigger detection.
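The living-off-the-land point above is the one that defeats signature-based tooling, so it helps to see what behavioural detection of it actually looks like. The script below is an added example, not code from this post or from the ASD advisory: it scores constructed process-creation records against a handful of patterns defenders commonly alert on (an Office application spawning an admin tool, PowerShell run hidden with an encoded command, WMI used to start a process on another host). The record format, the `ProcEvent` fields and the sample events are assumptions for illustration; the field names mirror what Windows event 4688 or Sysmon event 1 carry but this is not a parser for either.

```python
"""
Added example (not from the original post or the ASD advisory): a small
detector that scans process-creation records for the "living off the land"
patterns the advisory describes. The record format and sample events are
constructed for illustration; the field names mirror what Windows event
4688 / Sysmon event 1 carry but are an assumption, not a parser for either.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str


# None of these is malicious on its own, which is why the output is a list
# of reasons for a human to review rather than a verdict.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
ADMIN_TOOLS = {"powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}

RULES = [
    # PowerShell launched with an encoded command: legitimate admin scripts rarely need this.
    ("encoded_powershell",
     lambda e: e.image in {"powershell.exe", "pwsh.exe"}
               and re.search(r"(?i)\s-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", e.cmdline) is not None),
    # A process started on another host through WMI: the built-in tool route to lateral movement.
    ("wmic_remote_process",
     lambda e: e.image == "wmic.exe"
               and re.search(r"(?i)/node:\S+.*process\s+call\s+create", e.cmdline) is not None),
    # An Office application spawning an admin tool almost always means a malicious document.
    ("office_spawns_admin_tool",
     lambda e: e.parent in OFFICE_APPS and e.image in ADMIN_TOOLS),
    # Hidden window plus execution-policy bypass is a common script-launch pattern.
    ("hidden_bypass_powershell",
     lambda e: e.image in {"powershell.exe", "pwsh.exe"}
               and re.search(r"(?i)-w(indowstyle)?\s+hidden", e.cmdline) is not None
               and re.search(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass", e.cmdline) is not None),
]


def evaluate(event: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list = nothing notable)."""
    return [name for name, check in RULES if check(event)]


def triage(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Return only the events that matched at least one rule, with their reasons."""
    findings = []
    for e in events:
        hits = evaluate(e)
        if hits:
            findings.append((e, hits))
    return findings


# Constructed sample events: two benign, three worth a look. The encoded
# payload is just "AAAAAAAAAAAA" in UTF-16LE base64, a harmless placeholder.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "alice", "explorer.exe", "powershell.exe",
              'powershell.exe -File C:\\Scripts\\backup.ps1'),
    ProcEvent("ws02", "bob", "winword.exe", "powershell.exe",
              'powershell.exe -w hidden -ep bypass -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA'),
    ProcEvent("ws03", "svc_mon", "services.exe", "wmic.exe",
              'wmic.exe /node:fileserver01 process call create "notepad.exe"'),
    ProcEvent("ws04", "carol", "explorer.exe", "cmd.exe", 'cmd.exe /c dir'),
    ProcEvent("ws05", "dave", "outlook.exe", "cmd.exe", 'cmd.exe /c start calc'),
]

if __name__ == "__main__":
    for event, reasons in triage(SAMPLE_EVENTS):
        print(f"{event.host} {event.user} {event.image}: {', '.join(reasons)}")
```

The useful property here is that nothing in the rules depends on a file hash or a known malware name: the first sample event is a routine scheduled backup using the very same binary and is correctly left alone, while the second is caught three times over on behaviour alone. That is the distinction the post draws between basic endpoint protection and EDR.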
What This Means for Your Security
If you’re in or connected to critical infrastructure supply chains, this advisory should prompt some specific actions:
Review your client relationships. Which of your clients are in critical infrastructure sectors? What access do you have to their systems? What data do you hold about them?
Assume you’re a target. If you have access that could be valuable to an attacker, they’re probably interested. Security by obscurity - “they won’t bother with us” - is not a strategy.
Implement detection capabilities. Basic endpoint protection might not catch living-off-the-land techniques. Consider endpoint detection and response (EDR) solutions that look for suspicious behaviour, not just known malware.
Review privileged access. Who in your organisation has admin access? Are admin credentials stored securely? Is MFA enforced on all admin accounts?
Check your logging. Would you know if someone was in your network for weeks? Are you keeping logs long enough to investigate? Are you actually reviewing them?
Communicate with clients. If you provide services to critical infrastructure, proactive communication about your security measures builds trust. Some may start requiring attestations or audits.
Specific Technical Recommendations
The advisory includes detailed technical indicators and recommendations. For SMBs, the actionable items include:
Harden remote access: VPNs, remote desktop, and similar services must have MFA. Review who has access and whether they still need it.
Segment networks: If you’re compromised, can the attacker reach everything? Network segmentation limits lateral movement.
Monitor authentication logs: Failed login attempts, logins at unusual times, logins from unexpected locations. These can indicate ongoing attacks.
Keep software updated: Many of the techniques rely on exploiting known vulnerabilities. Patching closes those doors.
Review cloud configurations: Misconfigurations in Azure AD, AWS, or Google Cloud can provide access. Use the security tools these platforms provide.
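The "monitor authentication logs" item above (and the earlier question of whether you would notice someone in your network for weeks) is concrete enough to script. The following is an added example, not code from this post or from the ASD advisory: it reviews a constructed authentication log for the three signals the post names (failed-login bursts, logins outside business hours, logins from unexpected locations) and adds one more that maps to the credential-reuse tactic, the same account succeeding from two different sources within a short window. The log line format, the business-hours window, the expected country, the thresholds and the sample lines are all assumptions; the parser is the part to replace with whatever your VPN, RDP gateway or identity provider actually emits.

```python
"""
Added example, not from the original post or the ASD advisory: a small
authentication-log review. Log format, field names, business-hours window,
expected locations, thresholds and sample lines are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Assumed policy: staff log in from Australia between 07:00 and 19:00 local time.
EXPECTED_GEO = {"AU"}
BUSINESS_HOURS = range(7, 19)              # 07:00 inclusive to 19:00 exclusive
LOCAL_TZ = timezone(timedelta(hours=10))   # AEST, an assumption
FAIL_THRESHOLD = 5                         # failures from one source inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
REUSE_WINDOW = timedelta(hours=1)          # one account, two sources, inside this = review

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(line: str) -> dict:
    """Parse one constructed-format log line into a dict with an aware datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def review(lines: list[str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing notable."""
    events = sorted((parse(l) for l in lines), key=lambda r: r["ts"])
    findings = []

    # 1. Failed-login bursts per source address (password spraying / brute force).
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
    for src, times in fails.items():
        for i, t in enumerate(times):
            window = [x for x in times[i:] if x - t <= FAIL_WINDOW]
            if len(window) >= FAIL_THRESHOLD:
                findings.append(f"failed-login burst: {len(window)} failures from {src} within {FAIL_WINDOW}")
                break

    # 2 and 3. Successful logins outside business hours or from unexpected locations.
    successes_by_user = defaultdict(list)
    for e in events:
        if e["result"] != "OK":
            continue
        local_hour = e["ts"].astimezone(LOCAL_TZ).hour
        if local_hour not in BUSINESS_HOURS:
            findings.append(f"after-hours login: {e['user']} at {local_hour:02d}:00 local from {e['src']}")
        if e["geo"] not in EXPECTED_GEO:
            findings.append(f"unexpected location: {e['user']} from {e['geo']} ({e['src']})")
        successes_by_user[e["user"]].append(e)

    # 4. Same account succeeding from different sources in a short window:
    #    the credential-reuse pattern the advisory describes.
    for user, evs in successes_by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= REUSE_WINDOW:
                findings.append(f"possible credential reuse: {user} from {a['src']} then {b['src']} within {REUSE_WINDOW}")
                break
    return findings


# Constructed sample log (UTC timestamps, RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "2024-05-06T00:05:10Z user=alice src=203.0.113.7 geo=AU result=OK",   # 10:05 AEST, normal
    "2024-05-06T00:06:00Z user=bob src=198.51.100.4 geo=AU result=FAIL",
    "2024-05-06T00:06:20Z user=bob src=198.51.100.4 geo=AU result=FAIL",
    "2024-05-06T00:06:40Z user=bob src=198.51.100.4 geo=AU result=FAIL",
    "2024-05-06T00:07:00Z user=bob src=198.51.100.4 geo=AU result=FAIL",
    "2024-05-06T00:07:20Z user=bob src=198.51.100.4 geo=AU result=FAIL",
    "2024-05-06T00:20:00Z user=alice src=192.0.2.99 geo=NL result=OK",    # wrong country, second source
    "2024-05-06T15:30:00Z user=carol src=203.0.113.9 geo=AU result=OK",   # 01:30 AEST next day
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Two design points worth carrying into a real deployment: the burst rule keys on source address rather than account, so a slow spray across many usernames from one address is still caught; and every finding is expressed in local time for the person who will read it, since "15:30Z" hides the fact that the login happened in the middle of the night. None of this helps if the logs are not retained: the credential-reuse check here only works because both of alice's logins were still available to compare.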
The Uncomfortable Question
Here’s something the official advisories don’t quite say out loud: if a sophisticated state-sponsored actor really wants to compromise your specific organisation, they probably will. These are well-resourced, patient, and skilled attackers.
But that doesn’t mean defence is pointless. Far from it.
Most attackers - even sophisticated ones - look for easy targets. If you’re harder to compromise than similar organisations, they’ll often move on. And even if they get in, good security practices limit what they can access and how long they can stay undetected.
The goal isn’t to be unhackable. It’s to be difficult enough that you’re not worth the effort, and resilient enough that a breach isn’t catastrophic.
What to Do Right Now
If this advisory has you worried, channel that into action:
- Identify your critical infrastructure connections. Who do you work with in those sectors?
- Review your Essential Eight implementation. These controls remain the foundation of good security.
- Check your detection capabilities. Would you know if someone was in your network?
- Talk to your IT provider. Are they aware of the advisory? What are they doing in response?
- Document your security measures. When critical infrastructure clients ask (and they will), you want to have answers ready.
The ASD doesn’t issue advisories like this casually. If they’re warning about increased targeting of supply chains, it’s because they’re seeing it happen.
Don’t wait to take it seriously.