Working with the Australian Signals Directorate to hunt threat actors

Authored by Mark Anderson, National Security Officer at Microsoft Australia & New Zealand

Today, the Australian Government released identification details and imposed financial and travel sanctions on the cybercriminal involved in one of the highest profile cyber-attacks in Australia to date. Medibank’s ransomware attack in October 2022 was among a series of high-profile breaches of major organisations in Australia. With the amount of sensitive customer information involved, Medibank were under intense scrutiny as the crisis unfolded.

As Deputy Prime Minister, the Hon Richard Marles MP, said in the press conference this morning, “the Australian Signals Directorate and the Australian Federal Police have worked tirelessly over the past 18 months to unmask those responsible for the cyberattack on Medibank Private and to ensure Australians are protected from malicious cyber activity.”

This is the first use of Australia’s autonomous cyber sanctions framework and is a result of Australian Government efforts to investigate and respond to this cyber incident. The significance of this cannot be overstated. It sends a clear message – there are costs and consequences for cyber threat actors seeking to target Australia and Australians, and they will be held to account. It is also reassurance for Australians that behind the scenes, the efforts of our Government, in collaboration with organisations like Microsoft, are making a difference in protecting our nation from malicious cyber threat actors.

The attack reinforced to us that ransomware remains one of the most destructive cyber threats today. Seeking to extort organisations out of information or money, these ransomware actors are coordinating at unprecedented levels and the efforts are only getting more severe. As we’ve seen Medibank (and others) hit headlines over the past couple of years, behind closed doors there are exceptionally talented people collaborating across the Australian Government and organisations like Microsoft to track these criminals.

Microsoft’s Threat Intelligence Centre (MSTIC) played a key role in providing evidence to support the investigation into the Medibank cyber-attack. MSTIC tracks more than 300 unique threat actors, including 160+ nation-state actors and 50+ ransomware groups daily. The global reach and expertise that specialist teams like MSTIC have brought to the ASD investigation is a great example of the impact that can be made through global public and private partnerships.

The scale that can be reached with global collaboration efforts

Some sobering statistics in our latest Microsoft Digital Defence Report really bring to light why the sharing of threat intelligence and collaboration is critical:

  • There are 4,000 password attacks per second, which is an almost four-fold increase in two years.
  • It takes just 72 minutes for an attacker to access your private data if you fall victim to a phishing email, and 1 hour and 42 minutes for an attacker to begin moving laterally within the corporate network.

This reinforces the sheer size of the challenge and that every minute counts in the cyber security battle. It also reinforces that attackers only need to get it right once, while we, as defenders, need to get it right every single time. This battle is also changing course, with cyber threat actors now showing up with unprecedented levels of cooperation with other criminals to scale their operations and destructive impact.

With today’s announcement, we see a massive step forward in demonstrating the impact of iterative efforts and ongoing global partnerships. Even though most of this work is conducted behind the scenes, Australians should know that the best and brightest minds are working together to shift the balance in favour of us as defenders.

We are proud to continue to evolve our partnership with the Australian Government under our recently announced Microsoft-Australian Signals Directorate Cyber Shield (MACS) initiative and to give Australians confidence in the efforts going into fortifying our nation’s cyber defences. Each identification of cybercriminals and disruption of cybercrime infrastructure brings forward lessons learned. We know that when we partner, we are stronger together and have a broader impact, protecting more people and organisations.

Header image (Left to right): John Lambert, Corporate Vice President and MSTIC Founder, Rachel Noble, Director-General, Australian Signals Directorate and Mark Anderson, National Security Officer, Microsoft ANZ.