Medibank in Australia. Photo / Ian Currie, NCA NewsWire
Australia will formally declare a Russian crime gang responsible for the devastating Medibank hacks today with the Australian Prime Minister warning the country also needs to be “held accountable”.
At a press conference in Canberra, Australian Federal Police Commissioner Reece Kershaw confirmed that those responsible were in Russia.
“I will not take any questions because it is a very complex and serious ongoing investigation,” he said.
“But I do want to address Australians today to give as much information as I can.
“This cyber attack is an unacceptable attack on Australia and it deserves a response that matches the malicious and far-reaching consequences that this crime is causing.
“The AFP is undertaking covert measures and working around the clock with domestic agencies and our international networks including Interpol.
“This is important because we believe those responsible for the breach are in Russia.”
Kershaw said intelligence pointed to a group of loosely affiliated cyber criminals who are likely responsible for past significant breaches in countries across the world.
“We believe we know which individuals are responsible but I will not be naming them.
“What I will say is that we’ll be holding talks with Russian law enforcement about these individuals.
“It is important to note that Russia benefits from the intelligence sharing and data shared through Interpol and where that comes responsibilities and accountabilities.
“So the criminals, we know who you are and moreover, the AFP has some significant runs on the scoreboard.”
He also rejected the option of paying ransoms to stop the hackers.
“Finally, I want to reiterate, Australian government policy does not condone paying ransom, ransoms to cyber criminals.
“Any ransom payment, small or large, feeds a cybercrime business model, putting other Australians at risk.”
While there’s no suggestion that the criminal gang responsible is state-sanctioned or approved by Vladimir Putin, Anthony Albanese warned the country – which he did not name – does need to take some ownership of the crisis.
However, senior government sources have confirmed that Albanese has instructed the AFP to name Russia at a press conference later today.
While the media has widely reported that Russia is the most likely source of the hack, it’s the first time Australia has named the country it believes is responsible directly.
“I have spoken to the Australian Federal Police this morning, about the further information that has been disclosed,” Albanese said.
“Let me say this, I am disgusted by the perpetrators of this criminal act. And I’ve certainly authorised the AFP Commissioner later today, to disclose where these attacks are coming from.
“We know where they’re coming from, we know who is responsible, and we say that they should be held to account. The AFP Commissioner will be saying more today, but the fact is that the nation where these attacks are coming from, should also be held accountable for the disgusting attacks, and the release of information including very private and personal information.”
REvil was a Russian-based ransomware crime group that Russian authorities claimed was dismantled earlier this year.
Last year the group hacked an Apple contractor and asked for a ransom of US$50 million.
But it is that group – or former members of that group – that are believed to be responsible for the Medibank attacks.
Medibank chief executive David Koczkar has warned he expected the group to “continue to release stolen customer data each day”.
“The relentless nature of this tactic being used by the criminal is designed to cause distress and harm,” he said in a statement on Friday morning.
“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.
“It’s obvious the criminal is enjoying the notoriety. Our single focus is the health and wellbeing and care of our customers.”
Earlier this week, Home Affairs Minister Clare O’Neil slammed “scumbag” hackers who stole sensitive data from Medibank and started publishing what they claim to be information about Australian women who had to terminate non-viable pregnancies or had abortions.
The new information posted included a spreadsheet with the names and personal details of 303 patients and policyholders along with the billing codes relating to terminations.
In a file on the dark web forum called ‘abortion’, the hackers have included information about women who had procedures.
They relate to termination of pregnancy but may include women who had non-viable pregnancy such as fetal anomaly, ectopic pregnancy, molar pregnancy, miscarriages and readmission for complications such as infection
In a new post from a Russian ransomware group that is claiming responsibility for the data breach, the hackers have also offered to slash the cash payment they require to stop drip-feeding patients’ private medical records.
“We can make discount 9.7m 1$=1 customer,” the post states.
“Medibanks [sic] CEO stated, that ransom amount is ‘irrelevant’. We want to inform the customers, that he refuses to pay for yours [sic] data more, like 1 USD per person. So, probably customers data and extra efforts don’t cost that.”
In response, Medibank has confirmed today it is aware that the criminal has released an additional file on a dark web forum containing customer data that is believed to have been stolen from Medibank’s systems.
“The release of this stolen data on the dark web is disgraceful,” Medibank CEO David Koczkar said.
“We take the responsibility to secure our customer data seriously and we again unreservedly apologise to our customers.
“We remain committed to fully and transparently communicating with customers and we will be contacting customers whose data has been released on the dark web.
“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.
“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care,” he said.
Given the sensitive nature of the stolen customer data, Medibank again asked the media and others not to unnecessarily download sensitive personal data from the dark web and to refrain from contacting customers directly.
The Medibank hack began with the theft of the credentials of someone who had high-level access within the organisation.
The log-on credentials appear to have been sold to a Russian-language cybercrime forum.
The most detailed explanation was provided by Medibank on an investor call on October 17 – it refers to the stolen user credentials.
It revealed that it was Medibank itself that detected unusual activity in its cyber security systems.
This led to the cyber security team starting their incident response, supported by its cyber security partners.
Later that evening, Medibank identified the unusual activity was focused on the IT infrastructure.
It took the precautionary step to take the systems offline to protect the data of customers. The investigation, which is ongoing, indicated that cyber security systems had detected activity consistent with the precursor to a ransomware event.
This initial finding was shared with the Australian Cyber Security Centre, who provided Medibank with additional guidance in support of this conclusion.
“We believe compromised credentials were used to access our systems,” Medibank told investors.
“I can confirm that our investigation shows that systems were not encrypted by ransomware during this incident and there is also no indication that the incident was caused by a state-based threat actor.”
In Parliament, Home Affairs Minister Clare O’Neil delivered an emotional speech to the women impacted by the data leak, slamming the hackers as “scumbags”.
“As a parliament and as a government, we stand with you.
“You are entitled to keep your health information private and what has occurred here is morally reprehensible and it is criminal.”
A non-deadly alternative to 1080 is being developed which leaves pests sterile.