Cybercriminals in Russia are behind a ransom attack on one of Australia’s largest private health insurers that has seen sensitive personal data published on the dark web, the Australian Federal Police (AFP) said on Friday.
In a brief press conference, AFP Commissioner Reece Kershaw told reporters that investigators know the identities of the people responsible for the attack on health insurer Medibank, but he declined to name them.
“The AFP takes covert action and works around the clock with our national agencies and international networks, including Interpol. This is important because we believe those responsible for the breach are in Russia,” he said.
Medibank says the stolen data belongs to 9.7 million past and present customers, including 1.8 million international customers. The files include health claims data for nearly half a million people, including 20,000 overseas-based.
This week, the group began releasing curated tranches of customer data on the dark web, in files with titles including good list, bad list, abortions and booze, which included those seeking help for alcohol addiction.
Kershaw said police intelligence points to a “group of loosely connected cybercriminals” likely responsible for previous significant data breaches around the world, without citing specific examples.
“These cybercriminals operate as a business with affiliates and business partners that support the business. We also believe that some affiliates may be in other countries,” said Kershaw, who declined to answer questions because of the sensitivity of the investigation.
Cyber security experts have said the criminals are likely to be linked to REvil, a Russian ransomware group notorious for major attacks on targets in the US and elsewhere, including major international meat supplier JBS Foods last June.
This breach shut down the company’s entire US beef processing operation and caused the company to pay an $11 million ransom. Last November, the US State Department offered a $10 million reward for information leading to the identification or location of key leaders of REvil, also known as the Sodinokibi organized crime group.
In mid-January, Russian state news agency TASS reported that at least eight REvil ransomware hackers had been arrested by Russia’s Federal Security Service (FSB) at the request of the United States.
They were charged with committing “illegal circulation of payments,” a crime punishable by up to seven years in prison, TASS reported, citing Moscow’s Tverskoi court.
In March, Ukrainian national Yaroslav Vasinskyi, one of the main suspects linked to an attack on US software provider Kaseya, was extradited from Poland to the US to face charges, according to a Justice Department statement.
Jeffrey Foster, associate professor of cyber security studies at Macquarie University, said there is an important link between the REvil network and the group suspected of hacking the Medibank network.
“The biggest link is that the REvil dark web site now redirects to this website. So that’s the biggest link we have between them, and the only link we have between them,” said Foster, who oversees the blog where the group posts its demands.
“As Russia has stated that they have arrested and disbanded REvil, it seems likely that this is a case of perhaps a former REvil member, who had access to the dark web site to be able to do the redirection that requires access to the hardware,” he said. “Whether REvil has returned or not, we don’t know.”
Medibank first discovered unusual activity in its network almost a month ago. On October 20, the company issued a statement saying a “criminal” had stolen information from its ahm health insurance and international student systems, including names, addresses, phone numbers and some claims data for procedures and diagnoses.
An initial ransom demand was made for $10 million (A$15 million), but the company said that after extensive consultation with cybercrime experts it had decided not to pay. The demand was later lowered to $9.7 million — one dollar for each customer affected, according to Foster.
At the time, Medibank said there was only a “limited chance” that paying the ransom would stop the data being published or returned to the company.
In his statement on Friday, Kershaw, the AFP commissioner, said Australian government policy does not condone paying ransoms to cybercriminals.
“Any ransom payment, small or large, drives the cybercrime business model, putting other Australians at risk,” he said.
Kershaw said investigators at the Australian Interpol National Central Bureau would speak to their Russian counterparts about the individuals, whom he addressed directly with a warning that they would face charges in Australia.
“To the criminals, we know who you are. And besides, the AFP has some significant runs on the scoreboard when it comes to bringing foreign offenders back to Australia to face the justice system,” he said.
Earlier on Friday, Australian Prime Minister Anthony Albanese said he was “disgusted” by the attacks and, without naming Russia, said the government of the country they came from should be held responsible.
“The nation from which these attacks originate should also be held accountable for the despicable attacks, and the release of information including highly private and personal information,” Albanese said.
In a statement on Friday, Medibank CEO David Koczkar said it was clear the criminal gang behind the breach “enjoyed the notoriety” and were likely to release more information every day.
“The relentless nature of these tactics used by criminals is designed to cause distress and harm,” he said. “These are real people behind this data, and the misuse of their data is deplorable and may deter them from seeking medical care.”