Brisbane, Australia
CNN
—
Cybercriminals with ties to Russia are behind a ransomware attack on one of Australia’s largest private health insurers that saw sensitive personal data posted on the dark web, the agency said on Friday. Australian Federal Police (AFP).
In a short press conference, AFP commissioner Reece Kershaw told reporters that investigators knew the identities of those responsible for the attack on health insurer Medibank, but he refused to give them any details. appoint.
“AFP is undertaking covert measures and working around the clock with our national agencies and international networks, including Interpol. This is important because we believe those responsible for the violation are in Russia,” he said. -he declares.
Medibank says the data stolen belongs to 9.7 million past and present customers – more than a third of Australia’s population – including around 20,000 international customers.
This week, the group began posting curated slices of customer data to the dark web, in files with titles such as good-list, naughty-list, abortions and boozy, which included those seeking help with their alcohol addiction.
Kershaw said the police intelligence points to a “loosely affiliated group of cybercriminals” who are likely responsible for major data breaches around the world, without citing specific examples.
“These cybercriminals operate as a business with affiliates and associates who support the business. We also believe some affiliates may be in other countries,” said Kershaw, who declined to answer questions due to the sensitivity of the survey.
Cybersecurity experts said the criminals were likely linked to REvil, a Russian ransomware gang known for its large-scale attacks on targets in the United States and elsewhere, including major international meat supplier JBS Foods last June. .
This breach shut down the company’s entire US beef processing operations and prompted the company to pay an $11 million ransom. Last November, the US State Department offered a $10 million reward for information leading to the identification or location of key leaders of REvil, also known as the Sodinokibi organized crime group.
In mid-January, Russian state news agency TASS reported that at least eight REvil ransomware hackers had been arrested by Russia’s Federal Security Service (FSB) at the request of the United States.
They were accused of committing “illegal circulation of payments”, a crime punishable by seven years in prison, TASS reported, citing the Tverskoi court in Moscow.
In March, Ukrainian national Yaroslav Vasinskyi, one of the main suspects linked to an attack on US software provider Kaseya, was extradited to the United States to face charges, according to a statement from the Ministry of Justice. .
Jeffrey Foster, associate professor in cybersecurity studies at Macquarie University, said there is a major connection between the REvil network and the group suspected of hacking into the Medibank network.
“The most important link is that the REvil dark web website now redirects to this website. So that’s the most important link we have between them, and the only link we have between them,” said Foster, who monitors the blog where the group posts its claims.
“As Russia claimed to have shut down and disbanded REvil, it seems likely that this may have been a former member of REvil, who had access to the dark website to be able to perform the redirect that requires access to the hardware,” he said. “Whether REvil has returned or not, we don’t know.”
Medibank first detected unusual activity in its network almost a month ago. On October 20, the company released a statement saying a “criminal” had stolen information from its health insurance system and international students, including names, addresses, phone numbers and some claim data. for procedures and diagnostics.
An initial ransom demand of $10 million (A$15 million) was made, but the company said after extensive consultation with cybercrime experts, it decided not to pay. It was later lowered to $9.7 million — one for each affected customer, according to Foster.
At the time, Medibank said there was only a “limited chance” that paying the ransom would prevent the data from being released or returned to the company.
In his statement on Friday, Kershaw, the AFP commissioner, said Australian government policy does not condone the payment of ransoms to cybercriminals.
“Any ransom payment, big or small, fuels the cybercrime business model, putting other Australians at risk,” he said.
Kershaw said investigators from Interpol’s Australian National Central Bureau would speak with their Russian counterparts about the individuals, whom he spoke to directly with a threat that they would be charged in Australia.
“To the criminals, we know who you are. And furthermore, the AFP has significant points on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system,” he said.
Earlier on Friday, Australian Prime Minister Anthony Albanese said he was “disgusted” by the attacks and, without naming Russia, said the government of the country they came from should be held accountable.
“The country where these attacks originated should also be held accountable for the disgusting attacks and the release of information, including very private and personal information,” Albanese said.
In a statement on Friday, Medibank CEO David Koczkar said it was clear the criminal gang behind the breach “enjoyed notoriety” and was likely to release more information. each day.
“The relentless nature of this tactic used by the criminal is designed to cause distress and harm,” he said. “These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking treatment.”
