Medibank hacker: Australia to declare Russian crime gang responsible

While there’s no suggestion that the criminal gang responsible is state sanctioned or approved by Vladimir Putin, Anthony Albanese warned the country – which he did not name – does need to take some ownership of the crisis.

However, senior Government sources have confirmed that Anthony Albanese has instructed the AFP to name Russia at a press conference later today.

While the media has widely reported that Russia is the most likely source of the hack, it’s the first time Australia has named the country it believes is responsible directly.

“I have spoken to the Australian Federal Police this morning, about the further information that has been disclosed,’’ Mr Albanese said.

“Let me say this, I am disgusted by the perpetrators of this criminal act. And I’ve certainly authorised the AFP Commissioner later today, to disclose where these attacks are coming from.

“We know where they’re coming from, we know who is responsible, and we say that they should be held to account. The AFP Commissioner will be saying more today, but the fact is that the nation where these attacks are coming from, should also be held accountable for the disgusting attacks, and the release of information including very private and personal information.”

REvil was a Russian-based ransomware crime group that Russian authorities claimed was dismantled earlier this year.

Last year the group hacked an Apple contractor and asked for a ransom of US$50 million ($76 million).

But it is that group – or former members of that group – that are believed to be responsible for the Medibank attacks.

Medibank chief executive David Koczkar has warned he expected the group to “continue to release stolen customer data each day”.

“The relentless nature of this tactic being used by the criminal is designed to cause distress and harm,” he said in a statement on Friday morning.

“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.

“It’s obvious the criminal is enjoying the notoriety. Our single focus is the health and wellbeing and care of our customers.”

Earlier this week, Home Affairs Minister Clare O’Neil slammed ‘scumbag” hackers who stole sensitive data from Medibank and started publishing what they claim to be information about Australian women who had to terminate non-viable pregnancies or had abortions.

The new information posted included a spreadsheet with the names and personal details of 303 patients and policyholders along with the billing codes relating to terminations.

In a file on the dark web forum called ‘abortion’, the hackers have included information about women who had procedures.

They relate to termination of pregnancy but may include women who had non-viable pregnancy such as foetal anomaly, ectopic pregnancy, molar pregnancy, miscarriages and readmission for complications such as infection

In a new post from a Russian ransomware group that is claiming responsibility for the data breach, the hackers have also offered to slash the cash payment they require to stop drip-feeding patients’ private medical records.

“We can make discount 9.7m 1$=1 customer,” the post states.

“Medibanks [sic] CEO stated, that ransom amount is ‘irrelevant’. We want to inform the customers, that he refuses to pay for yours [sic] data more, like 1 USD per person. So, probably customers data and extra efforts don’t cost that.”

In response, Medibank has confirmed today it is aware that the criminal has released an additional file on a dark web forum containing customer data that is believed to have been stolen from Medibank’s systems.

“The release of this stolen data on the dark web is disgraceful,’’ Medibank CEO David Koczkar said.

“We take the responsibility to secure our customer data seriously and we again unreservedly apologise to our customers.

“We remain committed to fully and transparently communicating with customers and we will be contacting customers whose data has been released on the dark web.

“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.

“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care,” he said.

Given the sensitive nature of the stolen customer data, Medibank again asked the media and others to not to unnecessarily download sensitive personal data form the dark web and to refrain from contacting customers directly.

The Medibank hack began with the theft of the credentials of someone who had high-level access within the organisation.

The log on credentials appear to have been sold to a Russian-language cybercrime forum.

The most detailed explanation was provided by Medibank an investor call on October 17 – it refers to the stolen user credentials.

It revealed that it was Medibank itself that detected unusual activity in its cyber security systems.

This led to the cyber security team starting their incident response, supported by our cyber security partners.

Later that evening, Medibank identified the unusual activity was focused on the IT infrastructure.

It took the precautionary step to take the systems offline to protect the data of customers. The investigation, which is ongoing, indicated that cyber security systems had detected activity consistent with the precursor to a ransomware event.

This initial finding was shared with the Australian Cyber Security Centre, who provided Medibank with additional guidance in support of this conclusion.

“We believe compromised credentials were used to access our systems,’’ Medibank told investors.

“I can confirm that our investigation shows that systems were not encrypted by ransomware during this incident and there is also no indication that the incident was caused by a state-based threat actor.”

In Parliament, Home Affairs Minister Clare O’Neil delivered an emotional speech to the women impacted by the data leak, slamming the hackers as “scumbags”.

“As a parliament and as a government, we stand with you,’’ she said.

“You are entitled to keep your health information private and what has occurred here is morally reprehensible and it is criminal.”