Microsoft has quietly disclosed that it played a “key role” in feeding information to the Australian Signals Directorate that helped identify who was behind the 2022 Medibank cyber attack.
Photo caption: Microsoft’s John Lambert (left) and Mark Anderson, with ASD director-general Rachel Noble. (Image: Microsoft)
The federal government yesterday publicly attributed the attack to Aleksandr Ermakov, a 33-year-old Russian national whose aliases included Alexander Ermakov, GustaveDore, aiiis_ermak, blade_runner, and JimJones.
It also announced “targeted financial sanctions” and a travel ban against Ermakov. The financial sanctions make it a crime to provide assets to Aleksandr Ermakov, or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.
In a glimpse behind the scenes of the investigation, Microsoft A/NZ national security officer Mark Anderson wrote that “behind closed doors there are exceptionally talented people collaborating across the Australian government and organisations like Microsoft to track these criminals.”
The meat of Microsoft’s input into the investigation came through its threat intelligence centre, Anderson wrote.
“Microsoft’s Threat Intelligence Centre (MSTIC) played a key role in providing evidence to support the investigation into the Medibank cyber attack,” he wrote.
“MSTIC tracks more than 300 unique threat actors, including 160-plus nation-state actors and 50-plus ransomware groups daily.”
This, he said, was an example of the importance of global public and private partnerships to such investigations.
“Each identification of cybercriminals and disruption of cybercrime infrastructure brings forward lessons learned.”