Mapping a decade’s worth of hybrid threats targeting Australia
7 May 2025| and Strategist special report

Hybrid threats, enabled by digital technologies and fuelled by geostrategic competition, are reshaping international security and global norms. Most often, states (commonly working through non-state proxies) are exploiting cybersecurity vulnerabilities and engaging in economic coercion, information warfare and even physical sabotage. They do so in order to advance their strategic ambitions and undermine the interests of others, while avoiding the threshold for conflict.

ASPI has been collecting open-source data to examine the nature and frequency of hybrid threats targeting Australia. We’ve built a database that spans nine years, from March 2016 to February 2025, and in that time we have tracked 74 activities. Understanding the scale that confronts us is the first step to strengthening public awareness and building an effective national response.

We collected data from sources including government statements, media reports, cyber firm alerts and think tank reports. We also cross-checked reports, making sure the counted activities were reported across multiple credible sources. We assessed whether these past hybrid activities were state-linked and sorted the activities into six threat categories: economic coercion; foreign interference; narrative and information campaigns; cyberattack; military and paramilitary coercion; and diplomatic coercion.

Due to their nature, covert or unreported hybrid activities were not captured.

Frequency of hybrid threat activities in Australia (by threat category). Source: ASPI.

ASPI data shows that during the nine-year period, the most frequent activities were cyber in nature, including attacks and intrusions, accounting for around 35 percent of total activities. Most reported cyberattacks were perpetrated by China-linked hackers, including Naikon, APT40, APT27 and Aoqin Dragon. Their targets included the Australian government and Australian companies and critical infrastructure providers. Iranian state-sponsored cyber actors—including Fox Kitten and APT42—attempted to infiltrate industrial control systems in Australia as early as 2015 but were only detected a year later.

Narrative and information campaigns, which aim to shape public discussion of contentious political issues, accounted for around 20 percent of recorded threats. These included global efforts, such as the Chinese Communist Party’s information campaigns linked to the Spamouflage network. Spamouflage employs networks of inauthentic accounts across multiple social media platforms and is still active. It attempts to sway and distract public opinion and targets organisations and individuals, often with threatening harassment campaigns. Previously, these activities targeted an Australian rare earth mining company to impede market access and disrupt supply chains; coordinated harassment campaigns against journalists, researchers and activists of Asian descent; and sought to influence perceptions of partners and allies.

Foreign interference activities make up around 25 percent of the dataset. Such threats aim to interfere and sow discord in society. For example, during the referendum on an Indigenous Voice to Parliament, China-linked actors reportedly amplified ideologically motivated narratives, including those linked to the far right and to white supremacism. Additionally, Iran has monitored its diaspora in Australia, targeting individuals through intimidation, surveillance and personal data tampering.

Economic coercion accounted for around 20 percent of identified activity. Examples in the period included China’s tariffs on Australian barley and wine and its ban on the import of Australian lobsters. At times, such restrictions were accompanied by non-tariff trade barriers, such as consumer-led boycotts and disruptions to import clearance procedures.

Tariffs are an established tool of trade policy used to protect domestic industries, address trade imbalances or pursue national economic goals. But economic coercion involves actions that go beyond standard trade policy, including: engaging in targeted boycotts; blocking access to essential resources; and imposing sanctions with the explicit goal of forcing political concessions.

Military and paramilitary coercion, which accounted for around 15 percent of recorded hybrid activities, have seen a noticeable uptick in the past year. In February 2025, China conducted a series of provocative military actions, including a close encounter between a Chinese J-16 fighter and an Australian P-8 Poseidon maritime patroller over the South China Sea; the deployment of three Chinese naval vessels into Australia’s exclusive economic zone; and Chinese live-fire drills in the Tasman Sea. Although overt military coercion remains relatively rare compared to other forms of intimidation, these hybrid threat activities increase the potential for serious escalation.

Actors linked to hybrid threat incidents targeting Australia. Source: ASPI.

China remains, by far, the most active state engaged in hybrid threats targeting Australia, appearing in about 70 percent of reported activity. Russia (11 percent) and Iran (10 percent) also appear regularly in the dataset.

We also found non-state actors engaging in cyberattacks and promoting ideologically motivated violent extremism. Their presence adds to an already complex threat environment that continues to change and evolve each year.

Our research also tracked the Australian government’s publicly available responses across four categories: diplomatic; legislative and regulatory; capability enhancement; and public awareness. Not all government responses may appear in the public domain.

Diplomatic responses have included formal statements, joint declarations and collective advisories (an increasingly common practice among government cybersecurity agencies). On the legislative and regulatory front, Australia has, for example, introduced tighter foreign investment rules, established a foreign influence transparency scheme (although it has been criticised since its creation) and issued sanctions to target specific malicious actors including Iran and Russia (although sanctions are yet to be used against China, the most frequent offender).

Attribution by ministers has so far lacked teeth and uniformity. The 2018 Espionage and Foreign Interference Act provides an attribution framework, but the only open attribution so far has been directed towards Iran, a pariah state in which Australia has little economic interest (and therefore not much to lose).

Capability enhancements have included infrastructure upgrades—such as installation of advanced threat detection systems, the enhancement of encryption technologies for government and financial networks, and the strengthening of national cyber capabilities. For example, the REDSPICE program aims to significantly expand Australia’s cyber intelligence, including offensive and defensive cyber capabilities. Additionally, Australia has managed to diversify its trade partnerships to lessen the risk of economic dependence.

Meanwhile, public awareness has involved strategic communications through public statements, including ministerial comments, the Australian Security Intelligence Organisation’s annual threat assessments, and alerts by the Australian Signals Directorate. The federal government also shares information with states and territories.

The data shows that military/paramilitary coercion has received the highest response rates—with diplomatic responses to 80 percent of military/paramilitary coercion activities, capability enhancement responses to 70 percent, and public awareness responses to all cases of military/paramilitary coercion. This high prioritisation is understandable, given that such operations can result in significant loss of life and infrastructure. The strong response signals a commitment to pre-empt and mitigate the most dangerous threats.

However, other activities also carry significant long-term risks. A balanced response strategy is essential to ensure that, while military threats are robustly addressed, other evolving hybrid threats are not neglected.

Australia’s response to hybrid threat incidents. Source: ASPI.

An effective response requires Australia to prioritise protection, resilience and deterrence. We must protect ourselves by having enough awareness and capacity to implement preventative measures. We need resilience so we can bounce back quicker. But we must also deter by imposing costs on hybrid threat actors and the states that sponsor or enable them.

This includes developing and then being prepared to use two capability offerings: intelligence and policy. By design, intelligence-led approaches are effective against immediate danger but do not—by design—necessarily offer a strategic, enduring and public effect. Policy-led approaches provide more visible deterrence and seek to address strategic and systemic risks.

Australia has so far been strong on the first, for example through the prosecution of businessman Di Sanh ‘Sunny’ Duong for seeking to influence a minister. But the evolving nature of hybrid threats requires the political will and ministerial direction to do more on the second—enabling a truly national approach to national security.

As foreign actors develop more sophisticated and far-reaching strategies, Australia’s response cannot rely on coordination alone. While partnerships—with states and territories, industry and international allies—are essential, the effectiveness of countermeasures ultimately hinges on a political willingness to use the tools we already have and to build the adaptive tools we don’t. Inaction by Australia risks normalising hybrid activities.

Author

Fitriani is a senior analyst and Shelly Shih is a data researcher in ASPI’s Cyber, Technology and Security Program.

 

Image (top) of Australia on a digital display: da-kuk/Getty Images.

Tags
Share

The Strategist — The Australian Strategic Policy Institute Blog. Copyright © 2025