
China and North Korea Are Targeting Australia and New Zealand's IT Sector. Here's What Boards Need to Know.

Written by Insicon Cyber | 10/06/26 10:44 PM

The world's most determined state-sponsored hackers spent the past year targeting technology companies above every other sector on the planet. Not finance. Not energy. Technology.

That finding sits at the centre of CrowdStrike's 2026 Technology Threat Landscape Report, published on 9 June 2026. It is not an abstract geopolitical concern. For Australian and New Zealand businesses that rely on IT vendors, managed service providers, and cloud platforms, it is a direct and immediate risk.

China is after your technology providers' intellectual property and their access to your environment. North Korea has already placed operatives inside Australian organisations. And cybercriminals, turbocharged by AI, have made the IT sector their most lucrative hunting ground.

Boards and executives need to understand what is happening and what it means for third-party risk, supply chain security, and their own hiring practices.

China Is Targeting Technology Companies More Than Any Other Sector

Between April 2025 and March 2026, China-linked threat actors directed more attacks at the technology sector than any other industry globally. CrowdStrike's analysis attributes this focus to Beijing's strategic imperative to achieve technological self-sufficiency and competitive advantage in critical emerging technologies, including artificial intelligence, semiconductors, and quantum computing.

Three China-linked operations stand out from the reporting period. Sunrise Panda attacked a Southeast Asian technology company that provides enterprise email solutions to government customers downstream. Murky Panda conducted a large-scale password-spraying campaign against Microsoft Azure customers, compromising more than 340 organisations across multiple sectors. Warp Panda exploited VMware vulnerabilities to deploy the Brickstorm malware, a tool designed for long-term, persistent access.

The strategic logic is straightforward. Technology companies are not just targets in their own right. They are pathways. Compromising a managed service provider, a cloud platform, or a software vendor gives adversaries the keys to every customer environment that vendor touches. CrowdStrike's analysts describe this plainly: access to technology entities provides both high-value intelligence collection and a route to downstream customer environments that enables potential supply chain compromises.
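The Murky Panda campaign above is the clearest of the three to reason about defensively, because password spraying has a recognisable shape in sign-in telemetry: one source tries many accounts a few times each, rather than one account many times. The following is an added example written for this post, not code from the CrowdStrike report or any vendor product. It runs a sliding-window spray detector over constructed sample lines in a simplified sign-in log format (timestamp, user, source IP, result); the log lines, the IP addresses, the user names and the thresholds are all assumptions chosen for illustration, and the 10-minute window and five-account threshold would be tuned to a real tenant's baseline.

```python
"""Password-spray detection over constructed sign-in events.

Added illustration, not from the CrowdStrike report. The log format below is a
simplified stand-in for a cloud identity provider's sign-in log; real Entra ID
sign-in records carry many more fields, and the field names here are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: "<ISO timestamp> <userPrincipalName> <sourceIP> <result>".
# 203.0.113.7 sprays one attempt each across five accounts, then lands a success;
# 198.51.100.9 hammers a single account (brute force, not spray) for contrast.
SAMPLE_LOG = """\
2026-02-03T09:00:01Z alice@example.org 203.0.113.7 failure
2026-02-03T09:00:04Z bob@example.org 203.0.113.7 failure
2026-02-03T09:00:09Z carol@example.org 203.0.113.7 failure
2026-02-03T09:00:15Z dave@example.org 203.0.113.7 failure
2026-02-03T09:00:22Z erin@example.org 203.0.113.7 failure
2026-02-03T09:00:31Z frank@example.org 203.0.113.7 success
2026-02-03T09:01:00Z alice@example.org 198.51.100.9 failure
2026-02-03T09:01:20Z alice@example.org 198.51.100.9 failure
2026-02-03T09:01:40Z alice@example.org 198.51.100.9 failure
2026-02-03T09:02:00Z alice@example.org 198.51.100.9 success
2026-02-03T10:30:00Z grace@example.org 203.0.113.7 failure
"""


def parse_events(log_text):
    """Parse log lines into (timestamp, user, ip, result) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: set_of_targeted_accounts} for every source IP whose
    failed sign-ins hit at least `min_accounts` distinct accounts inside any
    sliding window of length `window`. Repeated failures against one account
    do not count, which separates spraying from single-account brute force."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            failures_by_ip[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the window fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            targeted = {user for _, user in fails[start:end + 1]}
            if len(targeted) >= min_accounts:
                alerts[ip] = alerts.get(ip, set()) | targeted
    return alerts


def likely_compromised_accounts(events, spray_alerts):
    """Accounts with a successful sign-in from a source IP flagged as spraying.
    A success amid a spray is the event worth an immediate credential reset."""
    return {user for _, user, ip, result in events
            if result == "success" and ip in spray_alerts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    for ip, accounts in spray.items():
        print(f"password spray from {ip}: {len(accounts)} distinct accounts targeted")
    for user in sorted(likely_compromised_accounts(evs, spray)):
        print(f"successful sign-in from a spraying source: {user}")
```

Against the constructed data the detector flags 203.0.113.7 (five distinct accounts in 21 seconds) and not 198.51.100.9 (three failures against a single account), and it surfaces frank@example.org as the account that authenticated from the spraying source. In production the same logic runs over the identity provider's sign-in export rather than an inline string, and the success-from-spraying-source check is usually the higher-fidelity alert.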

This is not a theoretical risk for Australia and New Zealand. ASIO Director-General Mike Burgess told a Melbourne business conference in November 2025 that Chinese government and military hackers had actively probed Australia's telecommunications network and critical infrastructure. Burgess estimated that espionage cost Australia A$12.5 billion in 2023-24, including approximately A$2 billion in stolen trade secrets and intellectual property. He was explicit: China conducts wholesale intellectual property theft at a scale that no other nation-state pursues.

New Zealand Is Not Insulated

New Zealand's National Cyber Security Centre (NCSC NZ) has been tracking the same pattern. In August 2025, the NCSC joined its international counterparts to warn that People's Republic of China-linked state-sponsored threat actors were targeting networks globally, with telecommunications, government, transportation, and military infrastructure in their crosshairs.

New Zealand recorded 5,995 cyber incidents in 2024-25, with 25% linked to suspected state-sponsored actors. Direct financial losses reached NZ$26.9 million. The NCSC estimates it prevented NZ$47.9 million in further harm through its detection work. Significant incidents rose, with 331 cases triaged for specialist technical support because of their potential national significance.

Both countries sit inside the same threat environment. The Five Eyes intelligence-sharing network means Australian and New Zealand agencies work jointly on advisories. The practical implication for trans-Tasman businesses is that a technology provider compromised in one jurisdiction creates exposure in the other.

North Korea's Remote Worker Scheme Is Already Inside Australian Workplaces

The CrowdStrike report highlights a second state-level threat that deserves equal attention: North Korean IT worker infiltration. One North Korea-linked group, Famous Chollima, was responsible for 47% of all state-sponsored cyberattacks on IT firms during the reporting period. That concentration is significant: a single group, operating under the cover of freelance employment, accounts for nearly half of state-sponsored intrusions in the sector.

The method is deceptive in its simplicity. Operatives use fabricated identities, fraudulent credentials, and AI-generated personas to secure remote employment at technology companies. Once inside, they conduct cyberespionage and exfiltrate intellectual property. Earnings are funnelled back to fund North Korea's weapons programme.

The threat is not theoretical in Australia. Behavioural intelligence firm DTEX has been tracking the scheme since early 2025 and warned in March 2026 that dozens of Australian companies have likely been compromised. DTEX identified 87 suspect applicants by matching them against a known list of North Korean-linked email addresses, and that count covers only applicants who were not hired; operatives who passed screening are not in it. The firm estimates DPRK-linked IT workers generate approximately A$864 million a year globally from these schemes.

The Australian Department of Foreign Affairs and Trade issued a formal advisory in November 2025 on the cyber risks of DPRK IT workers to Australian businesses. The United States Embassy in Australia co-issued a joint media note with the Australian Government in April 2026 describing the threat as having grown significantly in scale and sophistication. Australia already maintains broad sanctions against North Korea. In late 2025, those sanctions were tightened specifically to address overseas IT work and cryptocurrency theft.

The problem is structural. Australia's global outsourcing chains, where a large organisation uses a managed service provider which then subcontracts to offshore partners, create multiple layers where identity verification can be weak or inconsistent. North Korean operatives are embedded in this ecosystem. The CrowdStrike report also documents how North Korean actors exploited trust relationships between open-source developers to poison widely used packages, tricking developers into cloning malware-infected Git repositories that enabled access to macOS and Linux systems.

Cybercrime Accounts for 65% of IT Sector Attacks

Nation-state actors generate headlines. But cybercrime remains the dominant threat by volume. CrowdStrike's data shows that 65% of attacks on the IT sector during the reporting period came from criminal groups, not state actors. Hacker gangs claimed to be actively extorting 572 technology companies on their data-leak websites. Dark web forums advertised compromises of 277 technology companies, representing an increase of almost 30% on the previous year.

AI is accelerating this. Criminal groups are using automated tools to generate credential-harvesting scripts and erase forensic evidence faster than defenders can preserve it. Poorly secured AI platforms are creating new entry points. In the first months of 2026, multiple criminal groups distributed malware, including a new macOS information stealer called Skrawl, by exploiting weaknesses in an AI agent platform.

The Australia and New Zealand picture mirrors this trend. Cyble documented 79 cyberattacks with supply chain implications in the first half of 2025 alone, with 63% directly targeting IT, technology, and telecommunications companies. Ransomware threats in the region doubled in the same period compared to the prior year. In June 2025, Scattered Spider compromised a major Australian airline's customer service portal and exposed records belonging to nearly six million customers.

The WEF Global Cybersecurity Outlook 2026 found that 65% of large organisations by revenue now identify third-party and supply chain vulnerabilities as their greatest challenge, up from 54% in 2025. One in three CEOs cites cyber espionage and intellectual property theft as a top concern arising from geopolitical tensions.

What This Means for Australian and New Zealand Organisations

The threat picture described above has direct implications for how Australian and New Zealand boards and executives approach third-party risk, vendor selection, and cyber governance.

Your IT vendors are a primary attack surface.

Technology companies are the most targeted sector globally. If your critical systems depend on managed service providers, cloud platforms, or software vendors, their security posture is your security posture. APRA's CPS 234 and CPS 230 require regulated entities to assess material third-party dependencies. CPS 230 specifically mandates a register of material service providers, tolerance statements, and testing of critical operations. The CrowdStrike findings make clear why that obligation exists and why compliance on paper is insufficient without genuine assurance.

Supply chain compromise can be silent for months.

Brickstorm, the malware Warp Panda deployed, is built for persistence rather than immediate exploitation. China-linked actors map environments aggressively once inside, then wait. ASIO's Burgess warned that penetration of Australian systems is often followed by sustained mapping in preparation for potential future sabotage. Detecting this kind of access requires continuous monitoring at the network and endpoint level, not periodic audits.

Hiring practices need a security lens.

The DPRK remote worker scheme exploits the gap between HR processes and security oversight. Australian organisations using global outsourcing chains or offshore talent need identity verification that goes beyond standard reference checks. DFAT's advisory on the cyber risks of DPRK IT workers provides practical guidance on screening indicators. The scheme is specifically designed to exploit the trust assumptions embedded in remote work arrangements.

Cyber Gap Analysis is the structured starting point.

Organisations that have not independently assessed their third-party risk posture, their supply chain security controls, and their detection and response capabilities are operating without an accurate picture of their exposure. A structured Cyber Gap Analysis, conducted by an independent third party, identifies the real gaps before adversaries do.

The Insicon Cyber Perspective

At Insicon Cyber, we work with Australian and New Zealand organisations in regulated sectors who are navigating exactly this threat environment. The patterns described in the CrowdStrike report are consistent with what we observe in our advisory and managed security operations work.

Three things matter most right now.

Know your material providers.

CPS 230's register requirement is not administrative box-ticking. It is the foundation of supply chain risk management. Without an accurate map of which vendors have access to your critical systems, you cannot assess whether their compromise creates exposure for you.

Monitor continuously.

Periodic penetration testing and annual audits do not detect the kind of low-and-slow persistence that nation-state actors favour. Continuous, intelligence-led detection covering endpoint, identity, and network telemetry is the baseline requirement. Our adaptive SOC is built specifically for this.

Test your assumptions independently.

Boards cannot assess their organisation's exposure from inside the organisation. Independent advisory, whether through our Cyber Gap Analysis or our Fractional CISO service, provides the unvarnished picture that internal teams, under operational pressure, often cannot deliver.

Get an independent view of your supply chain and third-party risk.

Our Cyber Gap Analysis gives boards and executives an accurate, structured assessment of cyber exposure across your operations, vendors, and technology stack. Contact our team to discuss a confidential briefing.

Sources

  • CrowdStrike, 2026 Technology Threat Landscape Report (9 June 2026): Cybersecurity Dive coverage
  • ASIO Director-General Mike Burgess, Lowy Institute address, Sydney, November 2025: WTOP / AP News
  • ASIO Director-General Mike Burgess, Melbourne business conference remarks on Chinese infrastructure probing: Reuters / AOL News
  • NCSC NZ, Cyber Threat Report 2025: www.ncsc.govt.nz
  • NCSC NZ, Advisory: China state-sponsored actors target networks globally (August 2025): ncsc.govt.nz/alerts
  • ASD's ACSC, Annual Cyber Threat Report 2024-25: cyber.gov.au
  • ASD's ACSC, Alerts and advisories — China-nexus actor TTPs: cyber.gov.au/alerts
  • DTEX, North Korean operatives targeting Australian workplaces (March/April 2026): Information Age / ACS and IT Brief Australia
  • US Embassy Australia / Australian Government, Joint Media Note on DPRK remote IT worker threats (April 2026): au.usembassy.gov
  • DFAT, Cyber risks of DPRK IT workers to Australian businesses (November 2025): dfat.gov.au
  • Cyble Research, Australia and New Zealand Threat Landscape H1 2025 (October 2025): cyble.com
  • Cyble Research, Cyber threats targeting ANZ — initial access sales and ransomware (January 2026): cybersecuritynews.com
  • NCSC UK and partners, Advisory on China-based technology companies enabling global cyber campaigns (August 2025): ncsc.gov.uk
  • WEF, Global Cybersecurity Outlook 2026: weforum.org