Sabotage in Waiting
State-sponsored actors are no longer just watching Australia's critical infrastructure — they are mapping it for destruction.
In November 2025, ASIO Director-General Mike Burgess delivered one of the most direct public warnings Australian intelligence has ever issued about the state of the threat. “Spying is no longer just stealing secrets,” Burgess told a national security briefing. “It now encompasses preparing for sabotage — attacks designed to block energy supply or cut communications in a future conflict.” He described “elite teams” within authoritarian states actively mapping vulnerabilities in Australia's energy grid, telecommunications networks, and water systems — embedding themselves years in advance of any intended use.
This was not a warning about what might happen. It was a description of what is already underway.
The trajectory had been visible for some time. In February 2024, the United States and its Five Eyes partners, the ASD's ACSC among them, issued a joint advisory on the PRC state-sponsored actor tracked as Volt Typhoon, which had pre-positioned itself inside the IT networks of multiple critical infrastructure organisations, predominantly in the United States, and in some cases had held that access for at least five years. The purpose was not an immediate attack but to wait: access gained months or years earlier, maintained deliberately, ready to be activated at a moment of geopolitical tension. The co-authoring agencies assessed that the same tradecraft could be turned against their own sectors. Power grids. Water systems. Communications networks. Transportation infrastructure.
The Burgess warning in 2025 marks a further escalation: the objective has moved beyond pre-positioning toward active sabotage preparation. The adversaries that now target Australian infrastructure are not criminal organisations motivated by financial return. They are state-directed actors with long time horizons and strategic objectives that have nothing to do with the commercial value of what they access. “Global tensions are the highest they've been in decades,” Burgess said. “It is prudent — not paranoid — to ensure we've secured the systems that underpin our society.”
Spying is no longer just stealing secrets. It now encompasses preparing for sabotage — attacks designed to block energy supply or cut communications in a future conflict. — Mike Burgess, ASIO Director-General, November 2025
How State-Sponsored Actors Target Critical Infrastructure
State-sponsored targeting follows a patient, methodical progression distinct from opportunistic criminal activity. Understanding that progression is essential to understanding where intelligence can intervene.
Reconnaissance precedes everything. Before any intrusion attempt, state-sponsored actors conduct extensive reconnaissance: open-source research into the operator's infrastructure, personnel, technology vendors and third-party relationships; physical observation of facilities; and the cultivation of relationships with people who have knowledge of or access to the target. Much of this activity leaves traces in publicly accessible data.
Supply chain is the preferred entry vector. Direct intrusion against a hardened critical infrastructure operator is technically difficult and operationally risky. The more common approach is supply chain compromise: targeting a technology vendor, software provider, maintenance contractor or component supplier whose legitimate access to the operator's systems can be inherited. The 2020 SolarWinds compromise, which reached organisations across multiple western nations including Australia, did not target those organisations directly: it inserted a backdoor into the vendor's Orion build and let the trusted, signed update channel deliver it to up to around 18,000 downstream customers simultaneously.
Pre-positioning is the objective, not disruption. What makes state-sponsored infrastructure targeting uniquely dangerous is that the immediate objective is not to cause an incident — it is to achieve persistent access that can be activated later. The long dormancy between initial compromise and activation is what makes detection so difficult and so consequential.
What OSINT Can See
The assumption that state-sponsored threats are invisible until they act is not accurate. Sophisticated actors are patient and careful, but they are not operating in a vacuum. The reconnaissance phase, the supply chain targeting phase, and the maintenance of pre-positioned access all generate signals that appear in open-source environments.
Five Signal Categories Visible in Open Source
Entity relationships and affiliated actors. State-sponsored actors operate through networks of affiliated entities: front companies, contracted researchers, academic institutions with dual-use ties. These relationships are often partially visible in corporate registrations, professional network connections, and procurement relationships. When an entity documented in threat intelligence has a relationship with your supply chain or personnel, that connection is a signal worth examining.
Vendor and technology risk signals. Supply chain compromise leaves traces in the security research community, government advisory releases, and threat intelligence publications — often before full public disclosure. When a vendor in your supply chain is associated with an active compromise advisory, CRIMP surfaces the alert immediately.
Dark web and closed forum activity. Access credentials and network information for critical infrastructure operators are bought and sold in closed online environments. When credentials associated with your systems or vendors appear in these markets, someone is either monetising access or preparing to use it.
Geospatial reconnaissance signals. Physical observation of critical infrastructure facilities is a documented component of state-sponsored reconnaissance. CRIMP's geospatial monitoring detects devices and vehicles entering and exiting your defined asset areas, surfacing patterns of unexplained presence that a single-event review would miss.
Open-source infrastructure research. The appearance of your infrastructure detail in online environments where it would not normally be referenced, or discussion of your specific assets in forums or communities associated with threat actors, can indicate active reconnaissance. CRIMP monitors these environments continuously.
The Physical-Cyber Nexus
State-sponsored targeting does not respect the boundary between cyber and physical security that most operators manage through separate teams. The most sophisticated actors operate across both domains deliberately, using physical reconnaissance to inform cyber intrusion and cyber access to enable physical disruption.
A geospatial signal near a remote substation might be routine in isolation. When it is correlated with a concurrent dark web listing of credentials associated with the same operator's systems, it is a materially different signal — one that warrants immediate escalation rather than a low-priority review.
This is the intelligence gap that state-sponsored actors have historically exploited: the absence of anyone connecting physical and digital signals across the same operational picture. CRIMP closes it.
Intelligence monitoring compresses the attacker's time advantage. When reconnaissance is visible in open-source data, it can be detected in the reconnaissance phase rather than the intrusion phase.
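The cross-domain correlation described in this section, written out as an added example (this is not CRIMP's code and does not describe how CRIMP works internally): a geofenced repeated-presence check over constructed device sightings around a constructed substation, followed by correlation against a constructed credential listing for the same operator. The asset coordinates, device identifiers, dates, operator name and listing source are all invented; the thresholds (three distinct days inside the boundary within 30 days, a 14-day correlation window) are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Asset:
    name: str
    operator: str
    lat: float
    lon: float
    radius_m: float  # boundary radius around the asset centre


@dataclass(frozen=True)
class Presence:  # one device/vehicle sighting from geospatial monitoring
    device_id: str
    lat: float
    lon: float
    seen_at: datetime


@dataclass(frozen=True)
class CredentialListing:  # a closed-forum / dark-web listing tied to an operator
    operator: str
    posted_at: datetime
    source: str


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres on a 6,371 km sphere."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6_371_000 * asin(sqrt(a))


def inside_boundary(asset: Asset, p: Presence) -> bool:
    return haversine_m(asset.lat, asset.lon, p.lat, p.lon) <= asset.radius_m


def repeated_presence(asset: Asset, sightings, min_days: int = 3, window_days: int = 30) -> dict:
    """Devices seen inside the boundary on >= min_days distinct days within a window_days span.

    A single sighting never qualifies; the pattern only appears once sightings are
    grouped per device, which is exactly what a one-event-at-a-time review misses.
    Returns {device_id: [dates that formed the pattern]}.
    """
    days_by_device: dict[str, set[date]] = defaultdict(set)
    for p in sightings:
        if inside_boundary(asset, p):
            days_by_device[p.device_id].add(p.seen_at.date())

    patterns = {}
    for dev, seen in days_by_device.items():
        days = sorted(seen)
        for i in range(len(days)):  # slide a window across the distinct days
            j = i
            while j + 1 < len(days) and (days[j + 1] - days[i]).days <= window_days:
                j += 1
            if j - i + 1 >= min_days:
                patterns[dev] = days[i:j + 1]
                break
    return patterns


def correlate(asset: Asset, sightings, listings, corr_window_days: int = 14) -> dict:
    """Cross-domain rule: physical pattern plus digital signal for the same operator => immediate."""
    patterns = repeated_presence(asset, sightings)
    if not patterns:
        return {"priority": "none", "reason": "no repeated presence inside boundary", "devices": []}
    last_seen = max(d for days in patterns.values() for d in days)
    for lst in listings:
        if lst.operator != asset.operator:
            continue  # a listing for another operator is not our signal
        gap_days = abs((lst.posted_at.date() - last_seen).days)
        if gap_days <= corr_window_days:
            return {
                "priority": "immediate",
                "reason": f"repeated presence at {asset.name} within {gap_days} days "
                          f"of a credential listing on {lst.source}",
                "devices": sorted(patterns),
            }
    return {"priority": "low",
            "reason": f"repeated presence at {asset.name}, no correlated digital signal",
            "devices": sorted(patterns)}


# Constructed sample data: every value below is invented for this example.
SUBSTATION = Asset("remote substation (constructed)", "ExampleGrid", -33.8000, 151.2000, radius_m=300)
SIGHTINGS = [
    Presence("dev-A", -33.8005, 151.2005, datetime(2025, 1, 3, 2, 10)),   # ~70 m from centre
    Presence("dev-A", -33.8004, 151.1996, datetime(2025, 1, 10, 1, 55)),
    Presence("dev-A", -33.8006, 151.2003, datetime(2025, 1, 17, 2, 20)),
    Presence("dev-B", -33.8002, 151.2001, datetime(2025, 1, 9, 14, 0)),   # single visit: routine
    Presence("dev-C", -33.8200, 151.2000, datetime(2025, 1, 3, 9, 0)),    # ~2.2 km away: outside
    Presence("dev-C", -33.8200, 151.2000, datetime(2025, 1, 11, 9, 0)),
    Presence("dev-C", -33.8200, 151.2000, datetime(2025, 1, 19, 9, 0)),
]
LISTINGS = [CredentialListing("ExampleGrid", datetime(2025, 1, 20, 23, 30), "closed forum (constructed)")]

if __name__ == "__main__":
    print(correlate(SUBSTATION, SIGHTINGS, LISTINGS))
```

Run stand-alone, the sample escalates to "immediate": dev-A is inside the boundary on three separate nights and the operator's credentials appear for sale three days after the last sighting. Remove the listing and the same sightings drop to "low"; keep only dev-B's single visit and nothing fires at all. In practice the thresholds would be tuned per asset (a manned depot tolerates far more repeat presence than an unmanned substation), and the correlation key would normally be richer than operator name alone, for example matching the leaked account domain or the vendor named in the listing.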
The Pre-Positioning Problem
The 2024 Five Eyes advisory described a specific and alarming operational pattern: attackers achieving and maintaining access to critical infrastructure systems for months or years in advance of any intended use. By the time geopolitical tension escalates to a point where that access might be activated, the initial compromise may be long past and the attacker already deeply embedded. Burgess's 2025 warning adds a sharper dimension: those actors are no longer simply waiting. They are actively mapping what would need to fail for an attack to succeed — simulating blackouts, communications cuts, and service disruptions before any trigger event occurs.
The security question has expanded. It is not only “how do we prevent being targeted?” but “is there any evidence we are already compromised, and what does the current intelligence environment tell us about whether pre-positioned access is moving from dormant to active?” CRIMP contributes to both questions — continuously monitoring the external intelligence environment for signals associated with active targeting campaigns against Australian critical infrastructure, so operators have visibility into the current threat landscape, not just threats directed at their specific assets.
The Australian Regulatory and Strategic Context
The Australian Government has been unusually direct in its public communications about state-sponsored threats to critical infrastructure. Burgess's November 2025 briefing was among the most explicit public statements a Five Eyes intelligence chief has made about the shift from espionage to sabotage preparation, naming energy and telecommunications as primary target domains and describing the adversary's methodology in operational terms. ASIO has repeatedly named foreign state actors as the primary source of sophisticated intrusions against Australian government and critical infrastructure targets, and the ASD's annual cyber threat reports have consistently identified critical infrastructure as a priority target for state-sponsored actors.
The Critical Infrastructure Risk Management Program (CIRMP) under the SOCI Act requires responsible entities to identify and manage material risks across four hazard domains: cyber and information security, personnel, supply chain, and physical security and natural hazards. The cyber domain is meant to cover the full spectrum of cyber threats, including state-sponsored actors with resources and patience that criminal groups cannot match. A CIRMP cyber program calibrated only for opportunistic criminal intrusion is not calibrated for the threat environment that ASIO, ASD and Australia's treaty partners have publicly described. CRIMP's external threat intelligence monitoring, entity tracking, dark web surveillance and cross-domain signal correlation are the kind of ongoing, intelligence-led activity that the cyber and supply chain hazard domains of the CIRMP are designed to encourage.
What CRIMP Monitors
Geospatial Boundary Signals
Patterns of unexplained presence at sensitive facilities — the physical reconnaissance component of state-sponsored targeting, detected early and correlated against digital signals.
Online Behaviour
Entity relationship monitoring, vendor risk signals, threat intelligence feeds, and open-source infrastructure research activity — the reconnaissance layer visible before any intrusion.
Dark Web Monitoring
Credentials, access data, and operational information associated with your systems or vendors appearing in closed environments — the earliest indicator that access has been compromised.
See CRIMP for State-Level Threat Intelligence
Request a demo to see how CRIMP monitors the external intelligence environment around your infrastructure — from supply chain entity risk to geospatial reconnaissance signals.