The Australian Signals Directorate has issued a clear warning to employers: state-sponsored cyber actors are going after those who are working remotely and flexibly.
Report findings
Yesterday (Tuesday, 14 October), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released its sixth Annual Cyber Threat Report (ACTR), which found that, in the last financial year, state-sponsored cyber actors were a “serious and growing threat”, targeting networks operated by Australian governments, critical infrastructure and businesses in pursuit of state goals.
These actors, the report noted, “have also compromised home devices connected to the internet, such as home routers, to create botnets that support further targeting around the globe”.
Among them is Advanced Persistent Threat (APT) 40, a Chinese state-sponsored group, which ASD said “regularly conducts malicious activities against Australian and regional networks that possess information of value” to the People’s Republic of China.
Moreover, the report detailed, malicious cyber actors exploit vulnerabilities in “edge devices”: network components positioned at the network’s periphery that connect a private network, such as a home or office network, with a public, untrusted network like the internet.
“The most common edge devices used include home and enterprise routers, firewalls and virtual private network (VPN) products,” the report said.
According to Jason Symons (lead partner of the cyber risk and insurance team at national law firm Mills Oakley) and Mitchell Riley-Meijer (the firm’s cyber security and incident response manager in its cyber risk and insurance team), this year’s report emphasises the risk to remote working arrangements “more so than previous publications”.
Specifically, the pair said, it calls out that state-sponsored actors are adapting their techniques to exploit vulnerabilities in remote work environments, including targeting home networks, personal devices, and cloud-based collaboration tools used by WFH employees.
“It’s not new commentary from cyber security agencies and professionals that employers must recognise that remote working arrangements expand the attack surface. This has been consistently called out since the COVID-19 pandemic and has been a central focus point for well-developed organisational cyber security uplift strategies,” they said.
“However, its direct reference in the 2024–2025 report seems to indicate that this uplift focus has not landed broadly across the small-to-medium business community, and threat actors are increasingly seeing opportunity to successfully exploit this vulnerability.”
What threat actors are doing
In conversation with HR Leader, Christa Lenard, an employment law partner at a BigLaw firm, said that ASD’s report highlights that state-sponsored actors are “targeting the weakest link in hybrid work” (home networks, personal devices and identity access) and urges businesses to operate with an “assume compromise” mindset.
This means, she said, “more of a focus on prioritising protection for these assets with strong access controls, encryption, monitoring, and incident response systems”.
“This changes HR’s role from awareness-only to co-owning controls that limit access, track activity, and identify breaches,” she said.
Atmos partner and head of first response in Australia, Reece Corbett-Wilkins, added that rather than trying to hack their way into a company’s network from overseas using a VPN or a virtual server, threat actors have turned to compromising vulnerable home routers.
“This evasion technique allows them to mount an attack from an IP address from within Australia, rather than from overseas. It means that for defenders who are looking out for anomalous logins from outside Australia, it’s harder to detect unusual behaviour and bypasses automated geo-blocking efforts,” he said.
“They are then stringing together various compromised routers into a botnet chain so that if one router is reset and the malware is removed, they can continue to leverage the remaining compromised routers without losing their way in.”
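The detection problem Corbett-Wilkins describes is that a login relayed through a compromised Australian home router passes a country allowlist, so geo-blocking on its own says nothing. The following is an added example (not from the ASD report or from any of the firms quoted) that runs a geo-only policy and a baseline-aware policy over the same constructed login events; the per-user baseline, device identifiers, ASN numbers and timestamps are all made up for illustration.

```python
"""Why country-based geo-blocking alone misses logins relayed through
compromised in-country home routers, and one complementary check.

Added example, not from the ASD report or any quoted firm. All events,
ASNs, device ids and user baselines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"AU"}


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    country: str
    asn: int          # autonomous system the source IP belongs to
    device_id: str    # browser/device fingerprint or enrolled device id
    succeeded: bool


# Constructed per-user baseline: ASNs and devices seen in the last 90 days.
BASELINE = {
    "alice": {"asns": {1221, 4764}, "devices": {"dev-alice-laptop"}},
}


def geo_only_decision(ev: Login) -> str:
    """The control the article describes: block only when the source
    country is outside the allowlist."""
    return "allow" if ev.country in ALLOWED_COUNTRIES else "block"


def baseline_decision(ev: Login, recent: list) -> str:
    """Country check plus per-user novelty and velocity signals.

    A relayed login still arrives from an in-country residential IP, so the
    country check passes. What gives it away is that both the ASN and the
    device are unknown for this user, and/or that the same account logged in
    from a different network minutes earlier (the attacker on one router
    while the real user is on another).
    """
    if ev.country not in ALLOWED_COUNTRIES:
        return "block"
    base = BASELINE.get(ev.user, {"asns": set(), "devices": set()})
    reasons = []
    if ev.asn not in base["asns"]:
        reasons.append("new_asn")
    if ev.device_id not in base["devices"]:
        reasons.append("new_device")
    # Velocity: another successful login for this user from a different ASN
    # within the previous 30 minutes.
    for prev in recent:
        if (prev.user == ev.user and prev.succeeded and prev.asn != ev.asn
                and timedelta(0) <= ev.ts - prev.ts <= timedelta(minutes=30)):
            reasons.append("concurrent_networks")
            break
    if ("new_asn" in reasons and "new_device" in reasons) or "concurrent_networks" in reasons:
        return "step_up"   # re-challenge with MFA and alert; do not silently allow
    return "allow"


def evaluate(events: list) -> dict:
    """Run both policies over the events in time order; returns per-policy decisions."""
    out = {"geo_only": [], "baseline": []}
    seen = []
    for ev in sorted(events, key=lambda e: e.ts):
        out["geo_only"].append(geo_only_decision(ev))
        out["baseline"].append(baseline_decision(ev, seen))
        seen.append(ev)
    return out


# Constructed events: Alice logs in from her usual ISP and laptop; 12 minutes
# later "Alice" logs in from a different Australian residential ASN on an
# unseen device (the compromised-router pattern); then an overseas attempt
# that geo-blocking does catch.
T0 = datetime(2025, 10, 14, 9, 0)
EVENTS = [
    Login("alice", T0, "AU", 1221, "dev-alice-laptop", True),
    Login("alice", T0 + timedelta(minutes=12), "AU", 7545, "dev-unknown-7f3a", True),
    Login("alice", T0 + timedelta(minutes=40), "RU", 12389, "dev-unknown-9c10", False),
]

if __name__ == "__main__":
    for policy, decisions in evaluate(EVENTS).items():
        print(policy, decisions)
```

The geo-only policy allows the second login; the baseline policy returns "step_up" for it because the ASN and device are both new for the user and a different network was in use minutes earlier. In production the baseline would be built from the identity provider's sign-in logs rather than hard-coded, and "step_up" would map to an MFA re-challenge plus an alert.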
What employers must do
To minimise the risks, Symons and Riley-Meijer said, organisations should look to practical, scalable, and efficient techniques to minimise the attack surface and harden remote working arrangements.
Lenard said that implementing a governance-led and practical framework for managing these risks is key, which will necessarily include “ensuring strong authentication is properly implemented, regular review of your business’s WFH/BYOD policies, updating and regularly running cyber security training to cover social engineering, MFA bypass scams, QR/voice/SMS lures, and how to report concerns quickly, [and] building these requirements into contracts and vendor onboarding and ensure records of training and audits are kept”.
“For employers, the risk is not just technical, it is both legal and reputational, with data protection and confidentiality breaches, regulatory notification failures, and downstream liability via third-party and BYOD exposure, front and centre,” she said.
“This is why HR must work alongside IT and risk/legal teams to ensure your people understand fully what is required of them when working remotely.”
Corbett-Wilkins noted that ISPs and router manufacturers need to build better security into the device and push security patches automatically, without the home user having to do it themselves, something the federal government is looking at as part of the 2030 Cyber Security Strategy.
What employers should be more concerned about, he argued, is staff accidentally downloading info-stealer malware at home, “say, through their kid downloading a free game online using their parents’ device”.
“This then steals the user’s login credentials across various applications (personal and work) and can be used to log into systems where compensating controls such as MFA aren’t in place,” he said.
“All employers that allow employees to log in from home (i.e. most companies) should regularly conduct dark web credential monitoring to ensure that their staff’s login credentials haven’t been compromised and therefore pose a risk to their systems. That, and disable ex-employees’ access to their systems. Often, we find attacks occur years after the staff member left but where their access hasn’t been revoked as part of the offboarding process.”
“Finally, simple advice, implement [multifactor authentication] for all core applications to introduce an extra layer of friction for cyber criminals seeking to do harm.”
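The three controls Corbett-Wilkins lists (credential monitoring, revoking leavers' access, MFA on core applications) are easiest to act on when they are checked together against the identity directory. The following is an added example, not from the ASD report or from any of the firms quoted, that joins a constructed leaked-credential feed against a constructed directory export and ranks the findings; the account list, breach records and dates are all made up, and real monitoring feeds have their own schemas.

```python
"""Join a leaked-credential feed against the identity directory to surface
three gaps: stolen credentials on accounts without MFA, leavers whose
access was never revoked, and current staff without MFA.

Added example, not from the ASD report or any quoted firm. The directory
export and breach-feed records are constructed.
"""
from datetime import date
from typing import NamedTuple, Optional


class Account(NamedTuple):
    email: str
    enabled: bool
    mfa_enrolled: bool
    left_on: Optional[date]   # termination date from HR, None for current staff


class LeakRecord(NamedTuple):
    email: str
    source: str               # e.g. infostealer log, combolist
    seen_on: date


# Constructed directory export.
DIRECTORY = [
    Account("alice@example.com", True, True, None),
    Account("bob@example.com", True, False, None),
    Account("carol@example.com", True, False, date(2023, 3, 31)),  # left, never disabled
    Account("dave@example.com", False, False, date(2024, 8, 1)),   # properly offboarded
]

# Constructed breach-feed records; a real feed would carry a password hash
# or partial secret that should be compared against the current credential,
# never stored in plaintext by the consumer.
LEAKS = [
    LeakRecord("bob@example.com", "infostealer-log", date(2025, 10, 1)),
    LeakRecord("carol@example.com", "combolist", date(2025, 9, 12)),
    LeakRecord("dave@example.com", "combolist", date(2025, 9, 12)),
    LeakRecord("nobody@example.com", "combolist", date(2025, 9, 12)),  # not in directory
]

SEVERITY = {"critical": 0, "high": 1, "medium": 2}


def audit(directory, leaks, today):
    """Return (severity, email, action) tuples, most severe first."""
    leaked = {}
    for rec in leaks:
        leaked.setdefault(rec.email.lower(), []).append(rec)

    findings = []
    for acct in directory:
        key = acct.email.lower()
        # Offboarding gap: HR says they left, IdP still has the account enabled.
        if acct.left_on and acct.left_on < today and acct.enabled:
            findings.append(("high", acct.email,
                             f"left {acct.left_on.isoformat()} but account still enabled: disable and revoke sessions"))
        # Leaked credential on a live account: severity depends on MFA.
        if key in leaked and acct.enabled:
            srcs = ",".join(sorted({r.source for r in leaked[key]}))
            if not acct.mfa_enrolled:
                findings.append(("critical", acct.email,
                                 f"credentials leaked ({srcs}) and no MFA: reset password, enrol MFA, review sign-in logs"))
            else:
                findings.append(("medium", acct.email,
                                 f"credentials leaked ({srcs}), MFA enrolled: reset password, check for MFA-fatigue or token theft"))
        # MFA gap for current staff, independent of any leak.
        if acct.enabled and not acct.mfa_enrolled and acct.left_on is None:
            findings.append(("medium", acct.email, "current staff without MFA: enforce enrolment"))

    findings.sort(key=lambda f: (SEVERITY[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for sev, email, action in audit(DIRECTORY, LEAKS, date(2025, 10, 15)):
        print(f"{sev:8} {email:22} {action}")
```

Disabled accounts that appear in the feed (dave) and feed entries with no matching account are ignored here; in practice the former is still worth logging, since a leaver's credentials may be reused on SaaS applications that were never joined to the directory.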
Jerome Doraisamy is the managing editor of Momentum Media’s professional services suite, encompassing Lawyers Weekly, HR Leader, Accountants Daily, and Accounting Times. He has worked as a journalist and podcast host at Momentum Media since February 2018. Jerome is also the author of The Wellness Doctrines book series, an admitted solicitor in NSW, and a board director of the Minds Count Foundation.