ASIO, Australia's domestic intelligence agency, says nation state actors have built long term footholds inside Australian networks and could disrupt essential services at a moment of their choosing.
The annual threat assessment from Australia's intelligence chief has confirmed what allied security agencies have been documenting since 2024: nation-state actors are already inside the systems that keep the country running, and they have chosen to stay there.
The assessment, in the ASIO Director-General's Annual Threat Assessment 2026 (delivered 24 June 2026) and reported by The Register, says nation-state actors have established long-term footholds in Australian critical infrastructure with the explicit option to "cripple it at a time of their choosing." That phrasing reframes the question for everyone from the prime minister's cyber security committee to the operator of a regional water utility. The relevant inquiry is no longer whether attackers broke in. It is how long they have been there, and whose clock they are operating on.
The pattern mirrors what the United States and its allies have been disclosing for two years. A 2024 joint advisory from CISA, the US cybersecurity agency, catalogued as AA24-038A, named PRC state-sponsored actors, including the cluster tracked as Volt Typhoon, and warned that they were maintaining persistent access to American critical infrastructure across IT, operational technology, and the kind of built-in administrative tools that defenders rely on every day. Australia's cyber agency mirrored that advisory and followed it with a fact sheet for critical-infrastructure leaders that called the pre-positioning a strategic threat requiring executive action beyond routine IT hygiene.
The shape of the threat is what separates this story from a conventional breach. Traditional espionage ends when data leaves the network. The intrusions the ASIO assessment describes have no such tell. The attackers do not need to steal anything to win. Their prize is the persistent access itself, the option to disrupt power, water, transport, or communications on a day of their choosing, while defenders continue to operate as if nothing is wrong. That makes the dwell time the actual payload, not a byproduct of the intrusion, and it changes what a successful response looks like.
The strategic patience is consistent with the broader pattern ASIO has flagged. In the same period, the agency disclosed that a former Australian resident had directed an attack on a Melbourne synagogue, evidence that state-aligned actors are willing to use Australian-resident proxies to carry out directed operations. The shift from smash-and-grab to long-term presence is not new tradecraft. It is now an explicit, named element of the threat picture Australian leaders are being told to plan against.
Analysis from the Australian Strategic Policy Institute argues that the ASIO warning and the broader allied disclosure pattern constitute one threat, and that the response should match. The Australian Signals Directorate's annual cyber threat report for 2024 to 2025 documents the dwell-time and persistence behaviour that the strategic-patience framing describes.
The risk for the next year is not a single catastrophic event. It is the slow accumulation of options in adversary hands while defenders continue to measure their work by perimeter alerts and patch cycles. ASIO's framing forces a different question onto every critical-infrastructure operator: if the attackers are already inside, what is the response that assumes the access will be used?