ASD Information Warfare Division

ASD-IWD

The offensive-cyber arm of the Australian Signals Directorate — formally established 1 July 2017 as a co-equal directorate within ASD, alongside the Signals Intelligence Division and the Australian Cyber Security Centre. The IWD operates Australia's offensive-cyber capability, conducting joint operations with the United States and United Kingdom Five Eyes partners. The Division's operational footprint against the Islamic State media-and-recruitment infrastructure across 2016–2018 was publicly acknowledged by the Australian Government and is the principal disclosed operational record.

Overview

The Information Warfare Division (IWD) is the offensive-cyber arm of the Australian Signals Directorate (ASD) — formally established 1 July 2017 as a co-equal directorate within ASD, alongside the Signals Intelligence Division and the Australian Cyber Security Centre (ACSC). The IWD operates Australia's offensive-cyber capability, conducting computer-network-attack operations against foreign targets authorised under Australian government direction, and conducts joint cyber operations with the United States (NSA TAO) and United Kingdom (GCHQ JTRIG) Five Eyes partners.[1]

The IWD is institutionally distinct from the ASD's other operational divisions: the Signals Intelligence Division conducts foreign-signals-collection and reporting (the conventional SIGINT mission); the Australian Cyber Security Centre conducts computer-network defence against threats to Australian government and critical-infrastructure networks; and the IWD specifically conducts offensive-cyber operations. The separation between these missions — and specifically the separation between the ACSC's defensive mission and the IWD's offensive mission — was a deliberate institutional-design choice intended to preserve the ACSC's operational and reputational standing as a trusted national-cyber-defence resource for Australian non-government organisations.[2]

The IWD has not been tracked under a canonical APT designation in threat-intelligence vendor taxonomies: the Australian operational profile has substantially overlapped with the broader Five Eyes joint-operational record, and Australian-attributed activity has not generally surfaced as a distinct cluster in vendor threat-actor tracking. The institutional identity is established directly through Australian government acknowledgments rather than through external threat-attribution work.[3]

History & Origins

Australia's offensive-cyber capability predates the formal establishment of the IWD. ASD operated an offensive-cyber unit from at least the early 2010s under prior institutional arrangements, the specific institutional form of which is not publicly disclosed. The 2016 Defence White Paper publicly acknowledged Australia's offensive-cyber capability for the first time, and the subsequent 2016 Cyber Security Strategy and 2017 Independent Intelligence Review (the L'Estrange Review) recommended the formal consolidation of the capability into a dedicated ASD directorate. The IWD was established 1 July 2017 on the basis of those recommendations.[4]

The IWD's design substantially reflected the United States Cyber Command model, with adaptations for the Australian institutional and legal environment. Specifically, the IWD's offensive-cyber operational authority is exercised under direction from the Minister for Defence (the Australian equivalent of the United States Secretary of Defense), with operational tasking subject to authorisation under the Intelligence Services Act 2001 and successive ministerial directions.[5]

Operational footprint (documented)

The publicly attested IWD operational footprint is partial — substantially more of the unit's activity is held in the classified Australian operational record than is publicly disclosed. The principal publicly documented operational elements include:

Operations against the Islamic State media-and-recruitment infrastructure (2016–2018). The most extensively publicly acknowledged IWD (and predecessor-unit) operational programme. The Australian government — through then-Prime Minister Malcolm Turnbull's parliamentary national security statement (23 November 2016) and through subsequent acknowledgments by successive Defence Ministers — publicly acknowledged ASD offensive-cyber operations against the Islamic State's online media-production-and-distribution infrastructure across the post-2014 Mosul / Raqqa period. The operations specifically targeted the IS Amaq News Agency media infrastructure, the IS Telegram-channel distribution network, and the IS recruitment-and-radicalisation outreach infrastructure. The Australian acknowledgments were coordinated with parallel United States Cyber Command public acknowledgments of joint operations against the same target set.[6]

Joint Five-Eyes cyber operations. IWD personnel are operationally integrated with NSA TAO and GCHQ JTRIG in joint Five-Eyes cyber operations. The specific operational tasking is not publicly disclosed but is acknowledged in successive Australian Defence Department and Office of National Intelligence public materials.[7]

Defensive support to ACSC. Although the IWD's primary mission is offensive, the Division also provides specialised technical support to the ACSC's defensive operations — particularly the reverse-engineering of foreign-attributed malware families and the attribution-research support for the ACSC's threat-actor-tracking work.[8]

Counter-cyber-criminal operations (post-2022). The November 2023 ministerial direction expanded the IWD's mandate to include offensive-cyber operations against international cyber-criminal infrastructure operating against Australian targets — specifically including ransomware operators that have targeted Australian critical-infrastructure organisations. The Medibank Private (2022) and Latitude Financial (2023) data-theft incidents — both attributed by ASD to Russian-aligned cyber-criminal infrastructure — substantially structured the institutional case for the expanded mandate.[9]

Standing

The IWD's institutional existence and broad operational mandate are publicly acknowledged in successive Australian government publications. The ASD Director-General is the public face of the IWD's operational record. The specific operational targeting and tooling are not publicly disclosed.[10]

Sources & Further Reading

  1. Australian Signals Directorate official organisational page; Australian Department of Defence, 2017 Independent Intelligence Review (L'Estrange Review, July 2017) — the foundational institutional-design documentation for the IWD.
  2. L'Estrange Review, op. cit.; subsequent academic analysis of the ASD institutional design in Australian Journal of International Affairs.
  3. Mandiant, CrowdStrike, Microsoft threat-actor profiles — none of which track a distinct Australian-attributed APT cluster as of the contemporary period.
  4. Australian Department of Defence, 2016 Defence White Paper; 2016 Cyber Security Strategy; L'Estrange Review, op. cit.
  5. Intelligence Services Act 2001 (Cth) and successive Ministerial Directions to ASD; academic analysis in Public Law Review and Federal Law Review.
  6. Prime Minister Malcolm Turnbull, parliamentary national security statement (23 November 2016) — the foundational Australian government acknowledgment of ASD offensive-cyber operations against IS; subsequent acknowledgments by Defence Ministers Marise Payne and Christopher Pyne (2017–2019). Coordinated United States acknowledgment by United States Cyber Command Commander General Paul Nakasone in successive Congressional testimony (2018 onward).
  7. Office of National Intelligence (formerly the Office of National Assessments) periodic public reports; Australian Department of Defence published Five-Eyes-cooperation materials.
  8. Australian Cyber Security Centre public threat-actor profiles (multi-year update); ASD's ACSC Annual Cyber Threat Report series.
  9. Australian Department of Defence, public statement on the November 2023 ministerial direction; subsequent reporting in The Australian and The Sydney Morning Herald.
  10. ASD Director-General successive public addresses (including to the Australian Strategic Policy Institute); ASD official organisational materials.