Key findings
- A 600Gbps DDoS attack overwhelmed Australia’s largest privately owned digital service provider, causing widespread customer outages
- The same threat actor targeted a second major Australian provider within the same two-week window — a coordinated campaign
- Attack traffic originated largely from compromised Australian NBN home connections, weaponising domestic infrastructure
- Two major telco transit providers were taken completely offline as collateral damage — a cascading infrastructure failure
- ASD reported 280%+ increase in DDoS incidents in FY2024–25 — this attack is the new normal, not an outlier
- Most Australian organisations’ risk registers, BCP documentation, and vendor due diligence are structurally unprepared for this threat scenario
The attack, in plain terms
Early on a Saturday morning, the network of VentraIP, Australia’s largest privately owned digital service provider, began degrading. Business customers across Australia lost partial or complete access to their hosted services: websites, email, cloud infrastructure. The cause was a distributed denial-of-service attack estimated to exceed 600 gigabits per second.
To put that in context: 600Gbps is roughly 100,000 simultaneous HD video streams at 5–6Mbps each, or about 75 gigabytes of data arriving every second. Directed at a single network operator, it does not need a software vulnerability or a misconfiguration. It saturates the physical capacity of the links carrying traffic into the network, so packets are dropped at the congested interconnect before any rate limiter, web application firewall or application-level defence ever sees them. The network is overwhelmed before any software-level defence can engage.
The provider’s own admission is telling: in eighteen years of operation, its leadership had never encountered an attack of this scale. This is not a company caught flat-footed through negligence. Its existing mitigation capabilities, which had served it well for nearly two decades, were inadequate not because they were poorly designed but because the threat had moved past them.
By the numbers
How a 600Gbps attack works
The botnet model
The 600Gbps of malicious traffic did not originate from the attackers’ own infrastructure. It came from compromised devices on Australian NBN home connections — routers, smart home devices, security cameras, and internet-connected appliances sitting in ordinary Australian households. These devices had been silently compromised, often months or years earlier, and sat dormant until activated.
This is the botnet model. The attacker commands a network of thousands, or hundreds of thousands, of unwitting participants, none of whom know their home internet connection is being used to attack Australian business infrastructure. The scale of traffic is a function of how many devices have been compromised and how much upload bandwidth each one has, not how much infrastructure the attacker owns.
The ASD confirmed in September 2024 that PRC-linked actors had already compromised over 260,000 devices globally — including Australian SOHO routers — for exactly this purpose. The botnet infrastructure exists. It is pre-positioned in Australian networks. It is waiting.
The cascade: when two telcos go dark
What elevated this attack beyond a single-provider problem was its cascading effect. VentraIP relies on major telco providers for data transit — the backbone connections that carry traffic between their network and the rest of the internet. The volume of the attack was sufficient to take two of those transit providers completely offline, while simultaneously saturating all of VentraIP’s own peering links.
This is the structural vulnerability this attack exposed: the interconnection points of internet infrastructure are not provisioned to absorb attacks of this magnitude. When a transit link saturates, the damage is not contained to the primary target. It propagates upstream to the transit provider and laterally to every other provider and customer who shares that link, none of whom were the target.
The broader threat picture
This attack did not come from nowhere. Open source intelligence analysis of the threat landscape had been signalling an escalation in attacks against Australian digital infrastructure for months before this incident.
The GRC implications
For organisations with mature Governance, Risk and Compliance frameworks, this incident is a critical case study in third-party and supply chain risk. VentraIP is not a software vendor — for many Australian businesses it is critical digital infrastructure. And yet most organisations’ risk registers treat hosting providers as low-risk commodity suppliers.
This attack exposes six specific gaps that should now be addressed in any organisation’s GRC framework.
The OSINT intelligence picture
A structured review of publicly available intelligence sources shows that multiple documented signals were available to any organisation monitoring the threat environment before this incident. The question is whether your GRC framework is consuming that intelligence.
| Intelligence signal | Source type | Risk | Recommended control |
|---|---|---|---|
| NoName057(16) running sustained campaign against Australian infrastructure since Nov 2024, motivated by ADF Ukraine support | OSINT / Telegram | Critical | Update threat actor register; increase monitoring cadence around geopolitical trigger events |
| ASD ACSC: 200+ DDoS incidents in FY2024–25, up 280% — 31% targeting critical infrastructure | Government advisory | High | Mandatory risk register update; board briefing; vendor due diligence review |
| Aisuru/Kimwolf botnet leveraging compromised Australian NBN home routers as attack nodes | Threat intelligence | High | Include botnet sourcing in DDoS threat model; engage ISP on device compromise remediation |
| Pro-Russia actors cited Australia’s RAAF Wedgetail redeployment to Europe (June 2025) as motivation | OSINT / CyberCX Intelligence | Medium | Monitor geopolitical event calendar; pre-position incident response resources ahead of known trigger events |
| Microsoft Azure Australia targeted by 15.72 Tbps attack (Oct 2025) — largest cloud DDoS on record, same botnet family | Vendor disclosure | Critical | Validate cloud provider DDoS protection capability at Tbps scale; test failover procedures |
| PRC-linked actors compromised 260,000+ devices including Australian SOHO routers for botnet positioning (Sept 2024 advisory) | ASD/ACSC advisory | Medium | SOHO router security awareness program; engage ISP on botnet remediation; review remote work device policies |
| Hyper-volumetric attacks exceeding 1Tbps surged 65-fold year-on-year in Q2 2025 globally | Cloudflare / industry reporting | High | Require vendors to demonstrate mitigation capability at Tbps scale — not Gbps — in due diligence process |
What your organisation should do
- Map all critical business functions dependent on hosted providers
- Confirm your provider’s published DDoS mitigation capacity and incident response SLA, including the capacity of its upstream transit and scrubbing partners rather than only its own links
- Establish out-of-band communication methods that don’t depend on hosted infrastructure
- Brief leadership on the changed DDoS threat landscape
- Check cyber insurance covers upstream provider outages
- Update risk register: hyper-volumetric DDoS on upstream providers is now a named scenario
- Add DDoS resilience questions to vendor due diligence questionnaires
- Test BCP against 24–72 hour provider unavailability scenario
- Assess geographic and provider concentration in digital supply chain
- Subscribe to ASD/ACSC alerts and integrate into risk governance cycle
- Evaluate multi-provider redundancy for critical digital services
- Consider direct DDoS scrubbing relationships separate from your hosting provider
- Integrate geopolitical threat monitoring into GRC intelligence cycle
- Establish a structured OSINT function or engage managed threat intelligence
- Participate in ASD/ACSC threat sharing programs
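The cascade described above, and the checklist items on mapping dependencies, assessing provider concentration and testing BCP against a provider outage, can be exercised with a small model. The following is an added example written for this page, not code from the original article or from VentraIP; the topology, link capacities, attack-share fractions, provider names and dependency map are all constructed assumptions.

```python
"""Dependency and headroom model for an upstream-provider DDoS outage.

Added illustration, not code from the original article or from VentraIP.
All link capacities, attack-share fractions, provider names and business
dependencies below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """One ingress link of a hosting provider.

    attack_share: fraction of the attack volume arriving over this link. The
    target does not choose inbound paths; the attacking networks' routing
    does, so shares are rarely proportional to capacity.
    other_customers: who else relies on this link and becomes collateral.
    """
    name: str
    capacity_gbps: float
    attack_share: float
    other_customers: tuple = ()


# Constructed topology: 800 Gbps of total ingress, i.e. more than the 600 Gbps
# attack, but the two transit links carry 80% of the attack traffic.
LINKS = (
    Link("peering-ix", 400, 0.20),
    Link("transit-a", 250, 0.45, ("isp-x", "saas-y")),
    Link("transit-b", 150, 0.35, ("isp-z",)),
)


def total_headroom_ok(links, attack_gbps):
    """The naive check: does summed capacity exceed the attack? Misleading."""
    return sum(l.capacity_gbps for l in links) >= attack_gbps


def saturated_links(links, attack_gbps):
    """Links whose share of the attack exceeds their own capacity."""
    return [l.name for l in links
            if attack_gbps * l.attack_share > l.capacity_gbps]


def collateral_customers(links, attack_gbps):
    """Third parties behind a saturated link: the cascade the article describes."""
    hit = set()
    for l in links:
        if attack_gbps * l.attack_share > l.capacity_gbps:
            hit.update(l.other_customers)
    return sorted(hit)


# Constructed dependency map: business function -> providers it needs (all up).
DEPENDENCIES = {
    "public website": {"hostco"},
    "customer email": {"hostco"},
    "billing portal": {"hostco", "payments-gw"},
    "status page": {"statusco"},
    "incident sms": {"telco-sms"},
}


def failed_functions(deps, down_providers):
    """Every function that needs at least one provider that is dark."""
    return sorted(f for f, needs in deps.items() if needs & down_providers)


def concentration(deps):
    """Providers whose outage alone would take down more than one function."""
    counts = {}
    for needs in deps.values():
        for p in needs:
            counts[p] = counts.get(p, 0) + 1
    return {p: n for p, n in counts.items() if n > 1}


def bcp_scenario(deps, down_providers, oob_channels):
    """Walk the 'provider dark' scenario and check out-of-band comms survive."""
    failed = failed_functions(deps, down_providers)
    return {
        "failed": failed,
        "oob_ok": any(c not in failed for c in oob_channels),
    }


if __name__ == "__main__":
    attack = 600
    print("naive headroom ok:", total_headroom_ok(LINKS, attack))
    print("saturated:", saturated_links(LINKS, attack))
    print("collateral:", collateral_customers(LINKS, attack))
    print("concentration:", concentration(DEPENDENCIES))
    print(bcp_scenario(DEPENDENCIES, {"hostco"}, ["customer email"]))
    print(bcp_scenario(DEPENDENCIES, {"hostco"}, ["incident sms"]))
```

The first half shows why summing link capacity is the wrong due-diligence question: 800Gbps of total ingress still loses both transit links to a 600Gbps attack, because inbound paths are chosen by the attacking networks rather than the target, and every other customer behind those links goes dark with it. The second half runs the provider-dark scenario over a dependency map and flags that an out-of-band channel hosted by the same provider is not out-of-band.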
The honest assessment
VentraIP’s post-incident communication was a model of corporate transparency: full technical disclosure, an honest acknowledgement of communication failures, and a clear commitment to systemic change. In eighteen years of operation, they had never seen anything like this. That is not a commentary on their preparedness. It is a commentary on how fundamentally the threat landscape has shifted.
The internet infrastructure that Australian businesses depend on is under coordinated, sustained, and increasingly well-resourced attack. The motivations range from geopolitical to criminal. The tools available, primarily IoT botnets built from hundreds of thousands of compromised home devices, now generate attack volumes that overwhelm conventional defences at the carrier level.
This is not a problem any single organisation can solve in isolation. But every organisation can ensure their GRC framework reflects the reality of the environment they operate in. That means updating your risk register, asking harder questions of your providers, and building business continuity plans that work even when your hosting provider’s network is dark.