TL;DR
Australian SMBs are rarely the headline target for nation-state or elite intrusion groups, but they are increasingly the easiest path into someone else’s network. In 2026, the real risk is not “Why would an APT care about us?” but “What customer, supplier or managed service relationship makes us useful as a ladder rung?”
Groups such as APT29, Lazarus and Scattered Spider keep proving the same point: stolen identities, trusted vendor access and quiet data theft beat flashy malware. SMBs need cheap, practical detections around logins, admin activity and outbound data movement now.
Get Our Weekly Cybersecurity Digest
Every Thursday: the threats that matter, what they mean for your business, and exactly what to do. Trusted by SMB owners across Australia.
No spam. No tracking. Unsubscribe anytime. Privacy
Why this matters to SMBs even if you are not a government agency
The old assumption was that advanced persistent threat groups only cared about governments, defence contractors and critical infrastructure. That is no longer a safe working assumption for Australian SMBs.
In practice, many smaller businesses
Free Resource
Weekly Threat Briefing — Free
Curated threat intelligence for SMBs. Active campaigns, new CVEs, and practical mitigations — every week, straight to your inbox.
Subscribe Free →For SMB owners, the key shift in 2026 is this: high-end attackers do not always need to break the final target directly. They can compromise a vendor account, hijack an email thread, steal a remote support session, or abuse shared cloud access to get where they want to go.
Three threat actors SMBs should actually pay attention to
APT29: quiet identity theft and long-term access
APT29, often associated with Russian state espionage, is known for patience. This is not usually smash-and-grab crime. Their style is stealthy access, credential abuse, cloud identity compromise and long dwell time.
What an SMB should worry about:
- Initial access through phishing, password spraying or stolen credentials
- Persistence through OAuth abuse, cloud token theft or mailbox rules
- Lateral movement via legitimate remote administration tools and trusted accounts
- Exfiltration through normal-looking cloud traffic rather than obvious malware beacons
Why it matters: if your Microsoft 365 tenant, shared mailbox or helpdesk account is compromised, an attacker may use your business as a trusted sender or trusted identity against your customers. That is supply-chain compromise without needing sophisticated malware on every endpoint.
Lazarus Group: financial theft, fake recruiters and cross-over tradecraft
Lazarus remains one of the most dangerous groups because it blends espionage-style persistence with financially motivated theft. Reporting over the past year has repeatedly linked North Korean operators to large-scale theft, especially where credentials, crypto assets, developer environments or privileged systems are involved.
What an SMB should worry about:
- Initial access via spear phishing, fake job offers, trojanised documents or malicious software downloads
- Persistence through backdoors, scheduled tasks and credential dumping
- Lateral movement into finance systems, developer tools, password stores and cloud administration
- Exfiltration of source code, financial records and authentication secrets before monetisation
Why it matters: Australian SMBs in professional services, fintech, software and e-commerce may not be strategic targets, but they often hold reusable credentials, code-signing access or customer payment workflows. That makes them commercially useful.
Scattered Spider: social engineering that breaks modern security stacks
Scattered Spider is not a classic nation-state APT, but it absolutely belongs in this conversation because its identity-first intrusions have changed what “advanced” looks like. The group is known for aggressive social engineering, SIM swapping, MFA fatigue and helpdesk manipulation.
What an SMB should worry about:
- Initial access through phone-based impersonation of staff
- Persistence by enrolling new MFA devices or resetting passwords through support channels
- Lateral movement into SaaS admin consoles, SSO platforms and remote access tools
- Exfiltration from cloud storage, CRM systems and collaboration platforms
Why it matters: this is devastatingly relevant to SMBs because it targets process weakness more than technical weakness. A small internal IT team, outsourced helpdesk or informal identity verification process is exactly the sort of gap these actors exploit.
The supply-chain angle: you do not need to be famous to be useful
Most Australian SMBs should not picture a Hollywood-style breach. Picture something quieter.
An attacker gets into a small accounting firm’s Microsoft 365 environment and watches client conversations. Or they compromise an MSP’s remote management console and push tooling downstream. Or they steal credentials from a software vendor and use that trust relationship to access customer systems.
That is why “we are too small” is dangerous thinking. Smaller businesses often have:
- weaker identity controls
- fewer logs retained
- more shared admin accounts
- flatter networks
- less scrutiny on outbound traffic
To a serious threat actor, that is not a dead end. It is a shortcut.
ISO 27001 SMB Starter Pack — $97
Threat intelligence is one thing — having the policies and controls to respond is another. Get the complete ISO 27001 starter kit for SMBs.
Get the Starter Pack →Three cheap detections Australian SMBs can set up this week
1. Alert on impossible or unusual admin logins
Set alerts for new admin logins from unusual countries, impossible travel, new devices or logins outside your normal business hours. If you use Microsoft 365, Google Workspace or an SSO platform, this is often available in built-in audit logs or low-cost security tiers.
What it catches: stolen credentials, cloud account takeover, suspicious OAuth enrolment.
2. Alert on MFA resets, new forwarding rules and privilege changes
Create notifications for:
- any new MFA device registration
- mailbox forwarding rules to external addresses
- new global admin or privileged role assignment
- password resets for executives, finance or IT staff
What it catches: the exact post-compromise moves used by identity-focused actors to lock in access and quietly siphon data.
3. Baseline outbound data movement and remote admin tool use
Even cheap firewall, endpoint or cloud logs can show spikes in outbound transfers, unusual archive creation, or unexpected use of tools such as AnyDesk, TeamViewer, PsExec or PowerShell against multiple systems.
What it catches: lateral movement, staging for exfiltration and “living off the land” behaviour that blends into normal operations unless you are looking for it.
FAQ
Usually not as the end target, but very often as a pathway. If you support larger enterprises, government contractors, healthcare providers or critical suppliers, you may be targeted for your access rather than your brand.
No. Accounting firms, logistics providers, law firms, recruiters, manufacturers, medical practices and managed service providers all hold identities and trusted relationships attackers can abuse.
No. MFA helps, but modern attackers go after session tokens, MFA resets, helpdesk processes and cloud roles. You need logging and alerting around identity changes, not just MFA turned on.
Review who has admin access, turn on audit logging, and set alerts for unusual logins, MFA changes and external mail forwarding. Those three controls are cheap and disproportionately effective.
Conclusion
The 2026 lesson for Australian SMBs is brutally simple: advanced attackers do not need you to be important, only useful. If your business is connected to bigger customers, manages privileged access, or stores reusable credentials, you are part of the modern attack chain whether you like it or not.
Start with identity visibility, admin-change alerts and outbound activity monitoring. Small businesses do not need enterprise budgets to catch the first signs of an advanced intrusion, but they do need to stop assuming they are beneath notice. Visit consult.lil.business for a free cybersecurity assessment.
References
- Australian Cyber Security Centre: Essential Eight
- CISA and Partners: Scattered Spider Advisory
- NIST Cybersecurity Framework 2.0
- CISA: Mitigations for Living Off the Land Techniques
- MITRE ATT&CK Groups
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →TL;DR
- One person, using an AI chatbot subscription, broke into 10 government agencies and stole 150GB of data — no special hacking skills needed [1]
- The same AI tools are available to anyone. That includes people who want to attack your business.
- The good news: the break-in only worked because basic security was missing. Fix the basics and you stop most of these attacks.
Imagine you have a really smart assistant who can figure out how to unlock any door, write custom lock-picking tools, and carry boxes out of your building without setting off alarms. Now imagine anyone in the world can hire that assistant for the same price as a Netflix subscription.
That's roughly what happened when a hacker used an AI chatbot called Claude to break into ten Mexican government offices between December 2025 and January 2026 [1][2].
What Actually Happened?
A single person — no big team, no government backing, no Hollywood hacking skills — used an AI assistant to do the hard work for them.
They told the AI: "find weaknesses in these computer systems." The AI found 20 of them [1]. They said: "now write me tools to get through those weaknesses." The AI wrote them. They said: "now help me grab all the data without being noticed." The AI helped plan that too [2].
In the end, they walked off with 150 gigabytes of data — that's like filling 30 DVDs worth of sensitive government files including people's tax records, voter information, and government passwords [1][2].
The whole operation cost roughly what you'd pay for a streaming service each month.
Why Should Your Business Care?
You might be thinking: "This was a government. I run a small business. Why would anyone bother with me?"
Here's the thing — small businesses are actually more attractive to many hackers, not less. Think of it like this: breaking into a government building is hard because they have security guards, cameras, alarms, and locked doors everywhere. Breaking into a small shop is easier because there might just be one lock on the front door.
The Australian Cyber Security Centre reports that small and medium businesses make up 43% of all cyberattack targets [3]. That's nearly half. You are not below the radar.
The AI tools used in the Mexican attack work exactly the same way against a small business's accounting software, customer database, or email system. And a small business is far less likely to notice — the Mexican government's agencies didn't even know about 20 security holes in their own systems until after the attack [1][2].
But Isn't This Really Complicated Tech Stuff?
Before AI tools like ChatGPT and Claude became available, pulling off an attack like this would have taken a team of people with years of specialised training.
Now? The hacker in this case was described as having "minimal technical skills" by the cybersecurity firm that investigated the breach [2]. They just needed:
- A computer
- An AI subscription
- Patience to keep asking the AI different questions until it helped
That's it. The AI did the complicated technical work. The hacker just had to direct it — kind of like a project manager giving instructions to an expert contractor.
Here's the Bit That Matters for Your Business
The attack only worked because the government systems had some basic security missing [1][2]:
- No multi-factor authentication on many systems (that's the thing where you need a code from your phone as well as a password)
- Unpatched vulnerabilities — known security holes that had been sitting there for months with fixes available but not applied
- No monitoring to notice when something unusual was happening
Here's the great news: fixing these three things costs almost nothing, and it would have stopped this attack.
Think of it like your front door. If you have a strong lock, a deadbolt, and a door camera — a burglar is going to walk past your place and try the next one. The AI-assisted hacker in this story found an unlocked door and walked in. Add the locks, and they move on.
What Should You Actually Do?
You don't need a dedicated IT security team. You need to add three locks to your digital front door:
Lock 1 — Turn on two-factor authentication (2FA/MFA). Every app your business uses for important stuff — email, accounting, file storage, your website login — should require a code from your phone as well as a password [3]. This one change stops most AI-assisted attacks dead. It takes about 10 minutes per app to set up.
Lock 2 — Keep software updated. When apps or your computer tells you there's an update, do it. The attack in this story exploited "known vulnerabilities" — security holes that the software companies had already released fixes for [4]. Updating is installing those fixes.
Lock 3 — Run a vulnerability scan. This sounds technical but it really just means: hire someone to check your systems for unlocked doors before an attacker finds them. lilMONSTER does exactly this for small businesses at a price that makes sense. One check can find the same kinds of problems that took the hacker months to exploit.
What About Using AI Tools in My Business?
Using ChatGPT or other AI tools for your own work is completely fine and genuinely helpful. The risk isn't in using AI — it's in:
- Entering sensitive customer or financial data into public AI tools (which might be used to train those systems)
- Not having any security logs showing what AI tools your staff are using on company devices
A simple rule: use AI to help with your work, but never paste a customer's personal details, financial records, or passwords into a public AI chatbot. Treat it like talking to a very smart stranger — useful for general questions, but not someone you hand your filing cabinet keys to.
The Bottom Line
A hacker with a monthly AI subscription just showed the world that sophisticated cyberattacks no longer require sophisticated attackers. That's a real change. But the defence is the same as it's always been: basic security hygiene that most small businesses still haven't done.
The businesses that get hurt are the ones who assume they're too small to be a target. The businesses that stay safe are the ones who treat security like they treat their accounting — a regular, non-optional part of running a business.
Security is an investment in keeping what you've built. It's not something to add after something goes wrong.
FAQ
Yes, in the same way a tool can be used for helpful or harmful purposes. AI assistants can help someone identify security weaknesses in computer systems, write attack tools, and plan data theft — as demonstrated in the Mexican government breach [1][2]. The defence is ensuring your systems don't have the basic weaknesses these attacks rely on.
No. Using AI tools for legitimate work is safe if you're sensible about it. The key rule is: never enter customer data, financial records, passwords, or anything sensitive into a public AI chatbot [5]. Use AI for tasks where you'd be comfortable with a third party seeing the content.
Warning signs include: accounts logging in at unusual times [8], slowdowns on systems you haven't changed, unexpected large file transfers, or staff getting locked out of accounts they haven't touched. Many small business breaches go undetected for months. A security review with lilMONSTER can check your systems for signs of past or ongoing compromise.
No. Cybercriminal groups operate globally and don't discriminate by geography. Australian businesses are targeted at the same rates as US and European ones — the ACSC's Annual Cyber Threat Report confirms a cyberattack on Australian businesses every six minutes [3].
The core controls — turning on MFA, keeping software updated, and running a vulnerability scan — cost between zero and a few hundred dollars. A professional security review from lilMONSTER starts with a free consultation at consult.lil.business. Investing $2,000–$5,000 per year in security is a fraction of what a breach costs on average — IBM puts the average at $4.88 million [6].
References
[1] P. Paganini, "Claude code abused to steal 150GB in cyberattack on Mexican agencies," Security Affairs, Feb. 2026. [Online]. Available: https://securityaffairs.com/188696/ai/claude-code-abused-to-steal-150gb-in-cyberattack-on-mexican-agencies.html
[2] Hawk-Eye Security, "How Hackers Used Anthropic's Claude to Breach the Mexican Government," Hawk-Eye.io, Feb. 2026. [Online]. Available: https://hawk-eye.io/2026/02/how-hackers-used-anthropics-claude-to-breach-the-mexican-government/
[3] Australian Cyber Security Centre, "Annual Cyber Threat Report 2024–2025," ACSC, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/reports-and-statistics/acsc-annual-cyber-threat-report-2024-2025
[4] Cybersecurity and Infrastructure Security Agency, "Known Exploited Vulnerabilities Catalog," CISA, 2025. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[5] NIST, "Artificial Intelligence Risk Management Framework (AI RMF 1.0)," NIST, 2023. [Online]. Available: https://airc.nist.gov/RMF
[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[7] CrowdStrike, "2026 Global Threat Report," CrowdStrike, 2026. [Online]. Available: https://www.crowdstrike.com/global-threat-report/
[8] Verizon, "2025 Data Breach Investigations Report," Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
Ready to lock your digital front door before an attacker finds it unlocked? lilMONSTER helps small businesses build simple, affordable security that actually works. Book a free consultation →
lilMONSTER Newsletter
Weekly cybersecurity insights, practical tips, no spam. Unsubscribe anytime.