The cyber risk landscape continues to shift as threat actors tap into emerging technologies, geopolitical tensions heighten, and enforcement action increases.
The cyber threats and trends that will define 2025 and beyond include:
- a shift towards new covert, AI-powered attacks
- an increase in threat hunting
- greater clarity on cyber and privacy regulatory action
- increased measures to counter threats of technology-enabled espionage, foreign interference and sabotage.
1. New methods: a shift towards covert, AI-powered attacks
Cyber criminals are an innovative bunch. They continuously find new and creative ways to launch cyber attacks, making them more difficult to detect and harder to prevent. As AI evolves, cyber criminals are leveraging these tools to streamline their processes and combine them with common forms of cyber attacks (such as phishing and social engineering) to launch increasingly sophisticated attacks that are often able to bypass conventional security measures.
In particular, the growing prevalence of AI has led to a resurgence in the use of steganography in cyber attacks. This involves hiding malicious or sensitive data within what would otherwise appear to be benign files in the form of images, videos and audio.
Cyber criminals have used AI to elevate these attacks in two ways: to craft more convincing lures that entice users to interact with the content, and to automate the generation of a cover object and the embedding and extraction of the hidden data using trained models. As a result, distinguishing a legitimate email from one carrying a tampered file has become even more challenging.
Take the case of a cyber criminal using an image as the carrier for a payload (the part of the malware that causes harm). The user receives an email that appears legitimate and harmless; once its attachment or link is opened, it exploits a known vulnerability to download an image file hosted on a public platform. Concealed within that file are malicious bytes that are invisible to the eye. The loader extracts and decodes the embedded payload into a fully functional executable file, and once that executable runs, the malware is deployed, giving the cyber criminal unauthorised access to systems and the ability to exfiltrate data. Steganography can also be used to hide the tooling, or the command-and-control traffic, that lets attackers communicate with and control compromised devices within a network.
This technique allows cyber attacks to evade traditional detection methods, such as antivirus software or content scanners that typically treat non-executable files as benign and do not inspect their content for hidden data. This presents significant cyber security risks:
- From a user standpoint, the subtlety of the attack and the seemingly innocuous nature of the files attached means that users, and even some security teams, are unlikely to suspect malicious intent. The impact of these types of attacks, however, can be devastating in circumstances where systems are compromised and sensitive data is exfiltrated whilst remaining undetected for a period of time.
- From a forensics standpoint, this technique presents a novel set of challenges: because the exfiltrated or inbound information is concealed within the content of an otherwise ordinary file, establishing whether data has been taken or tampered with requires advanced tools, and is becoming increasingly difficult.
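To make the mechanics described above concrete, the following is an added Python example written for this page (it is not code from the original article and is not tied to any real campaign). It embeds a constructed pseudo-random blob, standing in for a compressed or encrypted executable, into the least-significant bits of a synthetic greyscale image, recovers it the way a loader would, and applies a simple detection heuristic that measures how random the LSB plane looks. The cover image, the payload, the 4-byte length header and the 0.3 threshold are all assumptions for this demonstration.

```python
import hashlib
import zlib

# Constructed cover: a 128x128 greyscale gradient quantised to even values,
# standing in for a smooth benign image (no image file or library needed).
WIDTH = HEIGHT = 128
COVER = bytes((((x + y) * 2) & 0xFE) for y in range(HEIGHT) for x in range(WIDTH))


def make_payload(nbytes: int = 1024) -> bytes:
    """Deterministic pseudo-random bytes standing in for a compressed or
    encrypted executable (constructed for the demo; not real malware)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(b"cybersight-demo" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits into the least-significant bit of successive cover
    bytes, preceded by a 4-byte big-endian length (a framing convention assumed here)."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("payload too large for cover")
    stego = bytearray(cover)
    for i, byte in enumerate(framed):
        for k in range(8):
            bit = (byte >> (7 - k)) & 1
            stego[i * 8 + k] = (stego[i * 8 + k] & 0xFE) | bit
    return bytes(stego)


def _read_bytes(stego: bytes, offset_bits: int, nbytes: int) -> bytes:
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (stego[offset_bits + i * 8 + k] & 1)
        out.append(byte)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Inverse of embed_lsb: the decode step a loader performs before running the payload."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds carrier")
    return _read_bytes(stego, 32, length)


def lsb_plane_compressibility(pixels: bytes) -> float:
    """Compressed-size / raw-size ratio of the packed LSB plane.
    Structured (smooth) content compresses well; random-looking LSBs from an
    embedded compressed/encrypted payload push the ratio towards 1.0."""
    packed = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        byte = 0
        for b in pixels[i:i + 8]:
            byte = (byte << 1) | (b & 1)
        packed.append(byte)
    return len(zlib.compress(bytes(packed), 9)) / len(packed)


def is_suspicious(pixels: bytes, threshold: float = 0.3) -> bool:
    """Heuristic flag. The threshold is an assumption for this synthetic cover;
    noisy photographs have near-random LSBs and would need a baseline or a
    statistical test (e.g. chi-square on pairs of values) to avoid false positives."""
    return lsb_plane_compressibility(pixels) > threshold


PAYLOAD = make_payload()
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print("payload recovered:", extract_lsb(STEGO) == PAYLOAD)
    print("cover LSB ratio: %.3f" % lsb_plane_compressibility(COVER))
    print("stego LSB ratio: %.3f" % lsb_plane_compressibility(STEGO))
```

On the synthetic cover the LSB plane compresses to almost nothing, whereas after embedding the ratio rises to roughly 0.5. The example shows why signature-based scanners miss this: the carrier remains a valid image with slightly perturbed pixels, and detection has to reason about statistics rather than look for executable code. Real photographs have near-random LSBs naturally, so in practice a per-source baseline or a proper statistical test is needed to keep false positives down.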
As such, protecting against the use of steganography is a complex exercise and requires ongoing mitigation tactics, such as:
- advanced Content Disarm and Reconstruction (CDR) technologies to sanitise files at the point of entry. CDR works by deconstructing files, including non-executable ones, analysing their metadata and content, and rebuilding them from known-good elements rather than trying to identify threats. Because CDR rebuilds only from items that are certain to be safe, it neutralises malicious scripts or encoded data embedded within files and stops them entering the environment. Note that a rebuild which copies the image's pixel data byte for byte will not disturb a payload hidden in the pixels themselves; effective sanitisation also re-renders or re-encodes the image content.
- endpoint protection software that goes beyond static checks, basic signatures and other outdated components and relies on behavioural engines, which monitor the execution of processes on a system for potentially malicious actions (for example, an image viewer or script host spawning an unexpected executable).
- ongoing cyber security training for all employees within organisations (not just security teams) to raise awareness of emerging risks and the importance of exercising caution when interacting with any emails or files from unknown sources.
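As an added illustration of the rebuild-from-known-good approach described above (example code written for this page, not any product's implementation), the Python below parses a PNG chunk by chunk, verifies each CRC, drops ancillary chunks such as tEXt and any bytes appended after IEND, and re-encodes the pixel data with every sample's least-significant bit cleared so that an LSB-embedded payload is destroyed as well. The sample image, the smuggled blob and the restriction to 8-bit RGB images using PNG filter type 0 are assumptions for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int, height: int, rows: list, extra: bytes = b"") -> bytes:
    """Minimal 8-bit RGB PNG encoder (filter type 0 on every scanline).
    `extra` is spliced in before IEND so the demo can carry a smuggled chunk."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rows)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw))
            + extra + chunk(b"IEND", b""))


def parse_chunks(png: bytes):
    """Return ([(type, body), ...] up to and including IEND, trailing_bytes).
    Anything whose CRC does not match is rejected rather than guessed at."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        body = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("corrupt chunk %r" % ctype)
        chunks.append((ctype, body))
        pos = end
        if ctype == b"IEND":
            return chunks, png[pos:]      # bytes after IEND are reported, never kept
    raise ValueError("no IEND chunk")


def flatten_lsbs(idat: bytes, width: int, height: int) -> bytes:
    """Re-encode the pixel stream with every colour sample's LSB cleared.
    Visually negligible, but it destroys an LSB-embedded payload. Only filter
    type 0 rows are handled here; a real sanitiser would unfilter first."""
    raw = bytearray(zlib.decompress(idat))
    stride = 1 + width * 3
    if len(raw) != stride * height:
        raise ValueError("pixel data does not match IHDR dimensions")
    for y in range(height):
        if raw[y * stride] != 0:
            raise NotImplementedError("non-zero PNG filter type not handled in this example")
        for i in range(y * stride + 1, (y + 1) * stride):
            raw[i] &= 0xFE
    return zlib.compress(bytes(raw), 9)


def sanitise_png(png: bytes) -> bytes:
    """CDR-style rebuild: keep only what is needed to draw the image (IHDR, IDAT, IEND)."""
    chunks, _trailing = parse_chunks(png)
    ihdr = next(body for ctype, body in chunks if ctype == b"IHDR")
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    if (depth, colour) != (8, 2):
        raise NotImplementedError("only 8-bit RGB handled in this example")
    idat = b"".join(body for ctype, body in chunks if ctype == b"IDAT")
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", flatten_lsbs(idat, width, height)) + chunk(b"IEND", b""))


def pixel_samples(png: bytes) -> bytes:
    """Decoded colour samples with the per-row filter bytes removed (filter 0 only)."""
    chunks, _ = parse_chunks(png)
    ihdr = next(body for ctype, body in chunks if ctype == b"IHDR")
    width, height = struct.unpack(">II", ihdr[:8])
    raw = zlib.decompress(b"".join(body for ctype, body in chunks if ctype == b"IDAT"))
    stride = 1 + width * 3
    return b"".join(raw[y * stride + 1:(y + 1) * stride] for y in range(height))


# Constructed sample: an 8x8 gradient whose pixel LSBs carry a marker pattern,
# a tEXt chunk carrying a blob, and the same blob appended after IEND.
WIDTH = HEIGHT = 8
SMUGGLED = b"MZ-stand-in: constructed payload bytes, not real malware"
ROWS = [bytes((((x + y) * 16 + c) & 0xFF) | ((x + c) & 1)
              for x in range(WIDTH) for c in range(3)) for y in range(HEIGHT)]
SUSPECT = build_png(WIDTH, HEIGHT, ROWS,
                    extra=chunk(b"tEXt", b"Comment\x00" + SMUGGLED)) + SMUGGLED

if __name__ == "__main__":
    clean = sanitise_png(SUSPECT)
    print("chunks before:", [t for t, _ in parse_chunks(SUSPECT)[0]])
    print("chunks after: ", [t for t, _ in parse_chunks(clean)[0]])
    print("blob survived:", SMUGGLED in clean)
```

The rebuilt file renders the same picture, but the tEXt chunk, the trailing bytes and the pixel-level marker bits are all gone, because nothing was copied that the decoder did not need. A production sanitiser would support every PNG colour type and filter, handle other formats, and typically re-render the image through a decoder instead of rewriting the compressed stream in place.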
2. An increase in threat hunting
Threat hunting and the use of cyber threat intelligence (CTI) will increase as organisations increasingly shift from taking a reactive approach, to incorporating a proactive approach to identify unknown and ongoing threats in their network.
Since threats evolve faster than our defences can adapt, and the attack surface is constantly expanding, it is no longer sufficient to rely solely on technology that generates alerts when threats are detected ─ particularly as cyber criminals launch increasingly sophisticated attacks that can evade traditional detection methods.
Threat hunting and CTI are proactive processes that, together, can help organisations gather insights on the threats they are facing and assess their risks. This allows organisations to prioritise resources and budgets to ensure adequate protections from a more informed standpoint. This proactive strategy involves:
- using threat hunting to actively search for, identify, and isolate advanced threats that evade existing security solutions. In this way, organisations are not simply waiting to receive alerts and they have significantly more visibility of the threats within their systems. Having greater awareness helps organisations to deal with and remove threats before they cause harm, rather than being on the back foot.
- using CTI as a profile-building exercise to obtain knowledge about the enemy, which allows an organisation to better understand who and what it is dealing with in order to prevent and mitigate cyber threats. This involves understanding who the threat actors are, what their motivations may be, and the techniques they are known to use.
These methods will be an integral part of an organisation's comprehensive cyber security program.
3. Greater clarity on cyber and privacy regulatory action
As Australian regulators increasingly use their powers to conduct investigations and undertake enforcement action in relation to cyber attacks, we will likely see greater clarity on the scope and consequences of cyber and privacy regulatory action.
In the past few years, the Office of the Australian Information Commissioner (OAIC) has shifted its focus to a more risk-based, enforcement and education-focused posture. This has led to an increase in regulatory action against entities, as demonstrated by the OAIC civil penalty proceedings currently on foot.
Similarly, cyber resilience has remained an enforcement priority of the Australian Securities and Investments Commission (ASIC) since its action against RI Advice. In that case, RI Advice was found to have breached its licence obligations to act efficiently and fairly when, after experiencing multiple cyber incidents, it failed to have adequate risk management systems to manage its cyber security risks, and it was ordered to pay $750,000 towards ASIC's costs. ASIC has since warned that it would bring charges against directors who fail to adequately prepare for hacks; ASIC Commissioner Simone Constant confirmed the process was under way, although ASIC declined to name the companies.
Speaking at a 2023 Cyber Summit, ASIC Chairman Joe Longo made this clear: “If things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses.”
The Australian Prudential Regulation Authority (APRA) has also, in the last year, written to all regulated entities to provide further insights and guidance on common cyber control weaknesses, as well as emphasising the critical role of data backups in protecting cyber resilience. This is part of APRA’s ongoing commitment to supervising cyber resilience across industry.
The Australian Communications and Media Authority (ACMA) has a memorandum of understanding with the Australian Cyber Security Centre (ACSC) that allows for the exchange of information about enforcing protections to keep Australians safe from mobile number fraud and scams. In recent years, ACMA has also increased its efforts to investigate and take enforcement action against regulated entities following cyber attacks.
Australian regulators have demonstrated a distinct focus on the cyber resilience of organisations and are exercising their powers to investigate any failings or suspected contraventions falling within their remit. As they continue to develop their investigative capabilities in relation to cyber security, we anticipate that regulators will keep cyber risks firmly on their agenda and be increasingly willing to exercise their enforcement powers, which will bring more clarity to the scope and consequences of cyber and privacy regulatory action.
We say this because at this stage, much of the legislation in question is untested and yet to be judicially determined. Uncertainty remains as to how some of the cyber and privacy regulatory action may pan out, including its potential consequences. One common unresolved issue is whether a cyber attack that affects multiple individuals will give rise to a single breach, or multiple breaches of the relevant legislation (including section 13G of the Privacy Act 1988 (Cth)). This is an important issue as it determines the potential penalties that may apply. In 2025 and beyond, we foresee that the increase in regulatory activity across cyber and privacy will shed light on such matters as enforcement actions develop and reach their conclusion.
4. Increased measures to counter threats of technology-enabled espionage, foreign interference and sabotage
At a time when geopolitical tensions increasingly shape the digital landscape, threats posed by nation-state actors are an ongoing risk to Australia. For example, sophisticated campaigns undertaken by groups such as APT40 have repeatedly targeted Australian networks, as well as government and private sectors in the region, with a focus on critical infrastructure including the energy, healthcare and telecommunications sectors.
As outlined in the Australian Security Intelligence Organisation’s (ASIO) Director-General's Annual Threat Assessment 2025, threats posed by espionage and foreign interference continue to intensify and are aided by advancements in technology, with AI enabling disinformation and eroding trust in institutions, and deeper pools of personal data being vulnerable to collection, exploitation and analysis by foreign intelligence services. Cyber units from nation states routinely try to explore and exploit Australia’s critical infrastructure networks, mapping systems to lay down malware or maintain access in the future. If tensions continue to escalate, foreign regimes may become more determined to pre-position cyber access vectors that they can then exploit.
Threats like these demand a proactive approach to resilience and adaptability. In Australia, there are various measures in place that address these ongoing risks.
The Australian Signals Directorate (ASD) has an offensive cyber capability, which it uses against adversaries to protect Australians and Australia's national interests. This includes a broad range of offshore activities to deter, disrupt, degrade and deny adversaries. In addition, the Australian Federal Police (AFP) leads the investigation of serious and organised cyber crime activity that impacts the government, systems of national significance, or the wider Australian economy. The AFP and ASIO also lead the Counter Foreign Interference Taskforce, which provides tactical and operational responses to cases of foreign espionage and interference: identifying them, investigating them, disrupting them and prosecuting those responsible.
In addition to these offensive cyber capabilities, we have seen a growing focus on defensive measures built on shared responsibility. On 14 January 2025, the Department of Home Affairs announced the launch of an initiative called "Countering Foreign Interference in Australia: Working Together Towards a More Secure Australia", which outlines measures to identify, mitigate and prevent foreign interference. The initiative was introduced to combat sophisticated and persistent foreign interference activities from a range of countries, which have cyber security implications particularly for the technology and critical infrastructure sectors. The strategy seeks to increase Australia's collective resilience against foreign interference, stressing that it is a shared responsibility. As part of this, individuals and organisations have been urged to report any signs of interference activities and to bolster their cyber security controls.
While there are measures in place to address the risks of technology-enabled foreign interference, as AI and other technologies gain sophistication, laws will need to address how these technologies are used to gather information for espionage or for the purpose of generating misinformation for foreign interference. We anticipate ongoing enhancements to measures that counter these risks in the years ahead.
This article appears in the 2025 edition of CyberSight 360: A legal perspective on cyber security and insurance
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.