Australia blames cyber criminals for Medibank data breach

Brisbane | Monday, November 28, 2022

Cyber criminals in Russia are behind a ransomware attack on one of Australia’s largest private health insurers that’s seen sensitive personal data published to the dark web, the Australian Federal Police (AFP) said Friday.

The perpetrators of the attack on the health insurer Medibank are known, according to investigations, but they will not be named, AFP Commissioner Reece Kershaw told reporters in a brief press conference.

“The AFP is working round-the-clock with local agencies, international networks, including Interpol, and using clandestine tactics. We suspect individuals responsible for the hack are in Russia, so this is crucial,” he said.

According to Medibank, data was stolen from 9.7 million previous and present customers, including 1.8 million overseas clients. Health claims data for nearly 500,000 people are included in the files, including 20,000 persons who are based abroad.

This week, the attackers began disseminating carefully selected batches of user data onto the dark web in documents titled “good-list,” “naughty-list,” “abortions,” and “boozy,” which included information on those who sought treatment for alcoholism.

Without citing particular incidents, Kershaw claimed that police intelligence points to a “group of loosely associated cyber thieves” who are probably to blame for past large data breaches around the world.

“These online criminals are conducting their operations like a company, with associates and affiliates providing support.” Due to the sensitivity of the inquiry, Kershaw declined to accept questions. “We also think some affiliates may be in other countries,” he added.

Links to notorious Russian hackers

According to cyber security experts, the perpetrators are probably connected to REvil, a Russian ransomware gang infamous for significant attacks on targets worldwide, including major international meat supplier JBS Foods in June.

The company’s whole US beef processing division was shut down as a result of that hack, which led to the company having to pay an $11 million ransom. For information leading to the identification or location of key leaders of REvil, also known as the Sodinokibi organized crime group, the US State Department offered a $10 million reward in November of last year.

At least eight REvil ransomware hackers were detained by Russia’s Federal Security Service (FSB) at the US’s request, according to a mid-January report from the Russian state news agency TASS.

According to TASS, which cited Moscow’s Tverskoi Court, they were accused of engaging in “illegal circulation of payments,” a crime that carries a sentence of up to seven years in jail.

According to a statement from the Justice Department, Yaroslav Vasinskyi, a Ukrainian national and one of the main suspects connected to an attack on US software manufacturer Kaseya, was extradited from Poland to the US in March to face charges.

There is one key connection between the REvil network and the group suspected of hacking the Medibank network, according to Jeffrey Foster, associate professor of cyber security studies at Macquarie University.

“The major connection is that this website is now a redirect from the REvil dark web page. Accordingly, it is the single and strongest connection we have between them,” according to Foster, who is keeping an eye on the blog where the group is making its demands.

“Given that Russia has claimed to have detained and disbanded REvil, it seems likely that this is a case of perhaps a former member of REvil who had access to the dark web website in order to be able to perform the redirect, which necessitates access to the hardware,” he said. “We don’t know if REvil has come back or not.”

How the breach unfolded

Nearly a month ago, Medibank discovered strange behavior in its network for the first time. On October 20, the business released a statement claiming that a “criminal” had taken data, including names, addresses, phone numbers, and certain claims data for procedures and diagnoses, from its ahm health insurance and international student systems.

The initial ransom demand was for $10 million (15 million Australian dollars); however, the business claimed it had opted not to pay following significant discussion with cybercrime specialists. Later, according to Foster, it was reduced to $9.7 million, or one for each impacted consumer.

When the ransom was first demanded, Medibank stated that there was only a “limited chance” that paying it would result in the data being given back to the company or prevent it from being released.

Australian government policy, according to AFP Commissioner Kershaw’s comments on Friday, does not support paying ransoms to online criminals.

Any ransom payment, no matter how big or small, supports the business model of cybercrime, endangering other Australians, he claimed.

Kershaw threatened to have those responsible charged in Australia and warned that investigators at the Australian Interpol National Central Bureau will be speaking with their Russian counterparts about them.

“We are aware of who you are, crooks. Additionally, the AFP has made some notable gains in bringing foreign criminals back to Australia so they can face the legal system there,” the official said.

Without mentioning Russia, Australian Prime Minister Anthony Albanese said he was “disgusted” by the attacks and that the government of the nation where they originated should be held responsible.

The country responsible for these vile acts and the disclosure of material that included highly sensitive and personal information, according to Albanese, should also be held accountable.

Medibank CEO David Koczkar said in a statement on Friday that it was obvious the criminal organization responsible for the hack was “enjoying the notoriety” and that it was likely they would divulge more details each day.

“The unrelenting nature of this criminal’s strategy is aimed at creating grief and injury,” he said. “The exploitation of their data is abhorrent and can deter them from getting medical attention. These are real individuals behind this data.”
