Russian-linked cyber criminals blamed for Medibank data breach in Australia

A Medibank branch in Sydney, Australia, on Oct. 26, 2022. (Photo: Rick Rycroft/AP)

Cybercriminals with ties to Russia are responsible for a ransomware attack on one of Australia's top private health insurers, which resulted in the publication of sensitive personal data on the dark web, according to the Australian Federal Police (AFP).

During a brief news conference, AFP Commissioner Reece Kershaw informed reporters that detectives are aware of the identities of those involved in the attack on the health insurer Medibank, but he declined to identify them.

"The AFP is employing covert measures and collaborating nonstop with domestic and international organizations, including Interpol. We believe individuals responsible for the security compromise are located in Russia," he stated.

The stolen data, according to Medibank, belonged to more than a third of the Australian population, or 9.7 million former and present consumers, including around 20,000 international users.

This week, the attackers began posting handpicked batches of customer data on the dark web, in files with labels such as "good-list", "naughty-list", "abortions", and "boozy", the last of which featured customers who had sought treatment for alcohol problems.

Without citing specific cases, Kershaw stated that police intelligence points to a "group of loosely associated cyber thieves" who are likely responsible for past large data breaches around the globe.

"These cybercriminals operate as a company, with affiliates and partners providing support. We also suspect that some affiliates may be located in other countries," Kershaw said, declining to answer questions due to the sensitivity of the inquiry.

Links to notorious Russian hackers

Experts in cyber security believe the culprits are affiliated with REvil, a renowned Russian ransomware gang notorious for large-scale attacks on targets in the United States and worldwide, including major international meat supplier JBS Foods in June of last year.

That attack halted the company's entire beef processing operation in the United States and forced the corporation to pay a ransom of $11 million. In November, the US State Department announced a $10 million reward for information leading to the identification or location of key leaders of REvil, also known as Sodinokibi.

Midway through January, the Russian state news agency TASS announced that Russia's Federal Security Service (FSB) had jailed at least eight REvil ransomware hackers at the request of the United States.

They were charged with "illegal circulation of payments," a crime punishable by up to seven years in prison, according to TASS, which cited the Tverskoi Court in Moscow.

Yaroslav Vasinskyi, a Ukrainian national, was extradited from Poland to the United States to face charges in March, according to a statement from the Justice Department. Vasinskyi was one of the key suspects in an attack on US software provider Kaseya.

According to Jeffrey Foster, associate professor of cyber security studies at Macquarie University, there is a significant connection between the REvil network and the group suspected of hacking the Medibank network.

"The most significant connection is that the REvil dark web site now redirects to this site," explained Foster, who monitors the blog where the group posts its demands. He said this is the strongest and only connection between the two groups.

"Since Russia has indicated that they have detained and disbanded REvil, it appears likely that this is a case of a former REvil member who had access to the dark web website in order to perform the redirect, which requires access to the hardware," he explained. "We do not know whether or not REvil has returned."

How the breach unfolded

Medibank first identified unusual activity on its network almost a month ago. On October 20, the company announced that a "criminal" had taken information from its ahm health insurance and international student databases, including names, addresses, phone numbers, and claims data for procedures and diagnoses.

The initial ransom demand was $10 million (15 million Australian dollars), but the company decided not to pay following extensive consultation with cybercrime specialists. According to Foster, the demand was later reduced to $9.7 million, or one dollar for each affected customer.

At the time, Medibank stated that paying the ransom was unlikely to prevent the data from being released or returned to the company.

In a statement released on Friday, AFP Commissioner Reece Kershaw stated that Australian government policy does not permit ransom payments to cyber criminals.

"Any ransom payment, regardless of size, promotes the cybercrime business model and puts other Australians at danger," he warned.

Kershaw stated that investigators at the Australian National Central Bureau of Interpol will be speaking with their Russian counterparts about the individuals, whom he openly warned would be prosecuted in Australia.

"To the criminals, we know your identities. In addition, the AFP has an impressive track record when it comes to bringing foreign criminals back to Australia to face the judicial system," he said.

Earlier on Friday, Australian Prime Minister Anthony Albanese stated that he was "disgusted" by the attacks and that the government of the country from which they originated should be held responsible.

"The nation from which these attacks originate should also be held responsible for the despicable attacks and the publication of information, including highly sensitive and personal information," said Albanese.

In a statement released on Friday, the CEO of Medibank, David Koczkar, stated that it was evident that the criminal group responsible for the hack was "enjoying the notoriety" and that it was possible that they would leak more material each day.

"The persistent nature of this criminal's strategy is intended to inflict anguish and injury," he said. "Behind these statistics are real people, and the exploitation of their data is abhorrent and may deter them from seeking medical care."

Published: 2022-11-11 13:06:00