Cyber criminals in Russia are behind a ransomware attack on one of Australia’s largest private health insurers that’s seen sensitive personal data published to the dark web, the Australian Federal Police (AFP) said Friday.
In a short press conference, AFP Commissioner Reece Kershaw told reporters investigators know the identity of the individuals responsible for the attack on health insurer Medibank, but he declined to name them.
“The AFP is undertaking covert measures and working around the clock with our domestic agencies and international networks including Interpol. This is important because we believe those responsible for the breach are in Russia,” he said.
Medibank says the stolen data belongs to 9.7 million past and present customers, including 1.8 million international customers. The files include health claims data for almost half a million people, including 20,000 based overseas.
This week, the group started releasing curated tranches of customer data onto the dark web, in files with titles including good-list, naughty-list, abortions and boozy, which included those who sought help for alcohol dependency.
Kershaw said police intelligence points to a “group of loosely affiliated cyber criminals” who are likely responsible for previous significant data breaches around the world, without naming specific examples.
“These cyber criminals are operating like a business with affiliates and associates who are supporting the business. We also believe some affiliates may be in other countries,” said Kershaw, who declined to take questions due to the sensitivity of the investigation.
Links to notorious Russian hackers
Cyber security experts have said the criminals are likely linked to REvil, a Russian ransomware gang notorious for large attacks on targets in the United States and elsewhere, including major international meat supplier JBS Foods last June.
That breach shut down the company’s entire US beef processing operation and prompted the company to pay an $11 million ransom. Last November, the US State Department offered a $10 million reward for information leading to the identification or location of key leaders of REvil, also known as the Sodinokibi organized crime group.
In mid-January, Russian state news agency TASS reported that at least eight REvil ransomware hackers had been detained by Russia’s Federal Security Service (FSB) at the request of the US.
They were facing charges of committing “illegal circulation of payments,” a crime punishable by up to seven years in prison, TASS reported, citing Moscow’s Tverskoi Court.
In March, Ukrainian national Yaroslav Vasinskyi, one of the chief suspects linked to an attack on US software vendor Kaseya, was extradited from Poland to the US to face charges, according to a statement from the Justice Department.
Jeffrey Foster, associate professor in cyber security studies at Macquarie University, said there’s one major link between the REvil network and the group suspected of hacking the Medibank network.
“The biggest link is that the REvil dark web website now redirects to this website. So that’s the biggest link we have between them, and the only link we have between them,” said Foster, who is monitoring the blog where the group is posting their demands.
“As Russia has stated that they’ve arrested and disbanded REvil, it seems likely this is a case of maybe a former REvil member, who had access to the dark web website to be able to do the redirect which requires access to the hardware,” he said. “Whether or not REvil has returned, we don’t know.”
How the breach unfolded
Medibank first detected unusual activity in its network almost a month ago. On October 20, the company issued a statement saying a “criminal” had stolen information from its ahm health insurance and international student systems, including names, addresses, phone numbers and some claims data for procedures and diagnoses.
An initial ransom demand was made for $10 million (15 million Australian dollars), but the company said that after extensive consultation with cybercrime experts it had decided not to pay. The demand was later lowered to $9.7 million, one dollar for every customer affected, according to Foster.
At the time, Medibank said there was only a “limited chance” that paying the ransom would stop the data being published or returned to the company.
In his statement on Friday, Kershaw, the AFP Commissioner, said Australian government policy did not condone paying ransoms to cyber criminals.
“Any ransom payment small or large fuels the cybercrime business model, putting other Australians at risk,” he said.
Kershaw said investigators at the Australian Interpol National Central Bureau would be talking with their Russian counterparts about the individuals, whom he addressed directly with a threat to see them charged in Australia.
“To the criminals, we know who you are. And moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system,” he said.
Earlier Friday, Australian Prime Minister Anthony Albanese said he was “disgusted” by the attacks and, without naming Russia, said the government of the country they come from should be held accountable.
“The nation where these attacks are coming from should also be held accountable for the disgusting attacks, and the release of information including very private and personal information,” Albanese said.
In a statement Friday, Medibank CEO David Koczkar said it was clear the criminal gang behind the breach was “enjoying the notoriety,” and it was likely they would release more information each day.
“The relentless nature of this tactic being used by the criminal is designed to cause distress and harm,” he said. “These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.”