Australia’s adoption of remote work has opened a national security blind spot that foreign adversaries are actively exploiting to infiltrate critical infrastructure.

This is urgent because AI-generated identities, deepfake social engineering and inadequately vetted remote hires make traditional cybersecurity frameworks insufficient, exposing both government and private sectors to espionage and financial loss.

North Korea’s Jasper Sleet program and the June Qantas contact centre breach have shown these threats are real and ongoing. The Jasper Sleet operation, run by North Korea’s state-sponsored hackers, deploys thousands of IT operatives worldwide. Masquerading as freelancers and experts, they use AI-generated profiles, voice changers and virtual private networks to pass as legitimate workers. The group’s activities generate illicit income and provide covert access to sensitive systems. In one case, a firm operating across Britan, the United States and Australia unknowingly hired a North Korean operative who fabricated credentials, drew a salary for months and quietly stole company data before demanding ransom.

Social engineering has evolved just as quickly. Investigators believe the Qantas contact centre breach, which exposed nearly six million customer records, was likely enabled by AI voice deepfakes. Attackers posing as IT helpdesk staff persuaded employees to hand over credentials and reset multi-factor authentication. The breach highlighted an uncomfortable truth: even well-trained staff can be duped when the ‘colleague’ on the line sounds genuine in real time.

Australia’s 2023–2030 Cyber Security Strategy acknowledges these risks but leaves dangerous gaps. It doesn’t outline rigorous identity validation requirements for remote hires in the private sector, nor does it mandate continuous behavioural monitoring. Both are essential to defend against synthetic identities and insider infiltration. Meanwhile, recruitment agencies and third-party contractors remain largely unregulated, creating an easy on-ramp for hostile actors. The result is a patchwork of security practices across industries, with critical infrastructure sometimes relying on outdated vetting.

Stronger defence starts with identity checks that can’t be faked. Biometric verification, AI-driven fraud detection, and multiple video interviews make it far harder for fabricated profiles to slip through. Pair that with in-person ID verification at government-certified centres, and suddenly the barriers for would-be infiltrators rise dramatically.

But point-in-time checks alone are not enough. Continuous behavioural monitoring that tracks anomalies in login locations, device use or network patterns should be standard practice for sensitive remote roles. If someone hired in Melbourne, for example, suddenly logs in from Minsk, systems should flag it instantly. The Australian Signals Directorate has recommended behavioural analytics for years. It’s time for industry to treat it as a necessity, not a nice-to-have.

Recruitment pathways also need tougher oversight. Many breaches trace back to contractors or agencies with weak vetting, and adversaries know this. Expanding legal accountability under existing laws, with penalties for negligence, would close off one of the easiest back doors into corporate networks.

But technology and regulation can only go so far without cultural change. Businesses— especially contractors and small and medium enterprises—need sharper awareness of how these attacks actually unfold. Case studies of Jasper Sleet operatives and deepfake-enabled breaches should be shared widely to demystify the threat, along with the Department of Foreign Affairs and Trade’s advisory note on the topic. Just as Australians have learned to treat phishing emails with suspicion, employees need to adapt to a world where voices, faces and resumes can all be faked convincingly.

The bigger challenge is coordination. No single company, government agency or university can manage this problem alone. A national strategy bringing together government, industry and academia would create consistency, accelerate intelligence-sharing and give Australia the best chance of staying ahead of foreign adversaries who are already innovating.

The choice is stark. Either Australia treats remote-work infiltration as a national security priority now, or hostile operatives will continue slipping into networks under the cover of legitimate employment. By modernising vetting, tightening oversight and raising awareness, we can turn the remote workforce from a vulnerability into a frontline defence.