Aussie Police Identify Russian Hackers Blackmailing Medibank

Australian police have blamed cyber criminals in Russia for the data breach of Australia’s leading health insurer.

Last month Medibank Private confirmed a ‘cyber incident’ where hackers stole 200GB of Australian patient data, including names, addresses, phone numbers, dates of birth, financial data, and in some case actual medical data.

Now in a short press conference, Australian Federal Police (AFP) Commissioner Reece Kershaw told reporters that investigators know the identity of the individuals responsible for the attack on Medibank, but he declined to name them, CNN reported.

Medibank blackmail

“The AFP is undertaking covert measures and working around the clock with our domestic agencies and international networks including Interpol. This is important because we believe those responsible for the breach are in Russia,” Commissioner Kershaw said.

It seems the hackers managed to obtain the health data of 9.7 million past and present customers, including 1.8 million international customers.

Unfortunately, the stolen files include health claim data for almost half a million people, including 20,000 people based overseas.

And to make matters worse, the Russian cyber criminals this week began releasing curated tranches of customer data onto the dark web. They categorised the files with titles such as good-list, naughty-list, abortions and boozy. This last category is for those patients who sought help for alcohol dependency.

Commissioner Kershaw was quoted by CNN as saying that police intelligence points to a “group of loosely affiliated cyber criminals” who are likely responsible for previous significant data breaches around the world, without naming specific examples.

“These cyber criminals are operating like a business with affiliates and associates who are supporting the business. We also believe some affiliates may be in other countries,” said Commissioner Kershaw, who reportedly declined to take questions due to the sensitivity of the investigation.

Don’t pay ransomware

In his statement on Friday, Commissioner Kershaw said Australian government policy did not condone paying ransoms to cyber criminals.

“Any ransom payment small or large fuels the cybercrime business model, putting other Australians at risk,” he said.

Kershaw said investigators at the Australian Interpol National Central Bureau would be talking with their Russian counterparts about the individuals, who he addressed directly with a threat to see them charged in Australia.

“To the criminals, we know who you are,” Kershaw was reported by CNN as saying. “And moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system,” he said.

Earlier Friday, Australian Prime Minister Anthony Albanese reportedly said he was “disgusted” by the attacks and, without naming Russia, said the government of the country they come from should be held accountable.

“The nation where these attacks are coming from should also be held accountable for the disgusting attacks, and the release of information including very private and personal information,” Albanese reportedly said.

REvil hackers

Cyber security experts have said the criminals are likely linked to REvil, the Russian ransomware gang infamous for carrying out attacks on targets in the United States and elsewhere, including major international meat supplier JBS Foods last June.

Last November, the US State Department offered a $10 million reward for information leading to the identification or location of key leaders of REvil, also known as the Sodinokibi organised crime group.

In mid-January, Russian state news agency TASS reported that at least eight REvil ransomware hackers had been detained by Russia’s Federal Security Service (FSB) at the request of the US.

The FSB security services reportedly raided 25 addresses and arrested 14 individuals in Moscow, St. Petersburg, Leningrad and Lipetsk.

The gang shut down its operations in July 2021, before staging a failed comeback in September and having its information infrastructure hacked and forced offline by an international operation in October 2021.

In November 2021 a 22-year-old Ukrainian national was arrested in Romania and charged with activities as part of the REvil gang.