The Pacific needs greater cyber resilience as malicious actors break into networks

Samoa and Papua New Guinea’s recent experiences with cyber intrusions are the latest reminders of the urgent need for enhanced cybersecurity resilience in the Pacific. What’s needed is capacity building and coordinated response initiatives.

On 11 February Samoa’s Computer Emergency Response Team (SamCERT) issued an advisory warning about APT40, a Chinese state-backed hacking group operating in the region. Days later, reports emerged that Papua New Guinea had suffered an unattributed cyberattack on its tax office, the Internal Revenue Commission, in late January.

SamCERT’s advisory marks the first time a Pacific island country has formally attributed a cyberattack to a China-linked group. While the advisory does not directly name China, it identifies APT40 as the perpetrator behind the cyber intrusion and provides a link to the Australian Signals Directorate’s website that details APT40’s connection with the Ministry of State Security, China’s foreign intelligence agency.

The advisory also warns that the hacking group conducts ‘operations directed at sensitive networks administered by Pacific Island nations’. While this reflects a growing awareness of foreign cyber influence in the Pacific, it also shows the caution that smaller nations exercise when publicly attributing cyber threats to state actors.

APT40, classified as an advanced persistent threat, conducts cyber operations by infiltrating networks and maintaining access. By loitering, it can monitor activity, collect data and carry out more sophisticated attacks targeting high-value accounts, including those of government officials.

This group and this method of operation are not new. Australia, the United States and New Zealand have all previously attributed cyberattacks to APT40. In the Pacific, Palau is the only country that has openly accused China of targeting its digital infrastructure, but it didn’t issue a technical attribution. Samoa’s willingness to publicly acknowledge this threat is a step towards greater cyber transparency in the Pacific and encourages more open discussions among regional leaders and cybersecurity experts.

Beyond the immediate implications of cyber espionage, these incidents highlight the broader hybrid threats Pacific nations face. Malicious actors often exploit weaknesses in cyber hygiene, through server exploitation, phishing campaigns and web compromises, to gain initial access to networks. The intersection of cyber operations, economic dependencies and diplomatic sensitivities creates a complex security environment for the Pacific. While raising awareness of cyber threats is crucial, strategic communication must be handled in a way that fosters regional cooperation and builds cyber resilience without unnecessarily escalating geopolitical tensions.

Australia has worked with Pacific nations to enhance their incident response capabilities, provide technical assistance and facilitate information sharing. It has supported initiatives such as the Pacific Cyber Security Operational Network and the Cyber Rapid Assistance to Pacific Incidents and Disasters team. Samoa’s ability to issue a public advisory is, in part, a testament to such capacity-building efforts.

In contrast, Papua New Guinea communicated poorly following a cyberattack on its Internal Revenue Commission that paralysed tax administration functions and potentially exposed sensitive financial data. The commission first characterised the 29 January attack as a ‘system outage’, reflecting deeper structural challenges in the region’s cyber resilience framework, such as infrastructure gaps and bureaucratic red tape.

While it’s ideal for organisations to be transparent about being victims of a cyberattack, this requires a level of cyber maturity. Doing so effectively requires technical capability and strategic communications preparedness to manage public awareness and response, which many of these institutions in the Pacific have not yet built.

Governments in the Pacific recognise the importance of cybersecurity. PNG launched its National Cyber Security Strategy in 2024, joining several other countries that have published or are drafting their own. But many still face limitations in resources, technical expertise and infrastructure.

Pacific nations and international partners need to prioritise strengthening national computer emergency response teams and fostering regional cooperation. Enhancing incident detection and response capability, as well as promoting intelligence sharing across borders, will help mitigate future cyber threats.

Arguably, Australia’s strategic investments in the region’s digital infrastructure, including high-capacity subsea cables, are important to digital transformation in the region. But transformation is outpacing cybersecurity preparedness, creating a widening gap that exposes critical institutions to cyber threats. Support must be matched with comprehensive and sustained cybersecurity capacity-building programs that raise Pacific nations’ agency—not just token efforts.

Although Australia has committed to building cyber capacity across the region, its support should extend beyond government networks to include businesses, critical infrastructure operators and civil society. Long-term resilience will come from increasing public awareness, developing a skilled cybersecurity workforce and integrating cyber resilience into national security strategies.

At the least, Australia needs to gather like-minded partners, such as Japan, France and India, to coordinate investment in Pacific cybersecurity, ensuring that the region is equipped with the necessary tools and expertise to counter the growing sophistication of cyber adversaries.