Russia-Based Group Identified as Hackers Behind Medibank Data Breach

Medibank signage sits on top of the Medibank building in Melbourne, Australia, on Oct. 1, 2014. (Scott Barbour/Getty Images)
11/11/2022 (Updated: 11/11/2022)

The Australian Federal Police (AFP) has identified a group of “loosely affiliated” cyber criminals based in Russia as those behind the cyber attack on health insurer Medibank.

AFP Commissioner Reece Kershaw said the agency has been able to find the identities of the hackers but didn’t name them.

“These cyber criminals are operating like a business with affiliates and associates who are supporting the business,” he said on Friday.

“We also believe that some affiliates may be in other countries.

“It is important to know that Russia benefits from the intelligence sharing and data share through Interpol, and with that comes responsibilities and accountability.”

The AFP is responsible for the Australian Interpol National Central Bureau, which has direct contact with National Central Bureau Moscow and the International Criminal Police Organisation (Interpol).

Kershaw noted that AFP would be holding talks with Russian law enforcement about the cybercriminals.

AFP to Target Individuals Using Medibank Data

Meanwhile, investigators are also scouring the internet and dark web, targeting people who are accessing the information and trying to profit from it.

“This is a time for all Australians, the community, business and law enforcement to stand together and refuse to give these criminals the notoriety they seek,” Kershaw said.

“Cybercrime is the break and enter of the 21st century, and personal information is being used as currency.”

Kershaw reiterated that government policy does not condone paying a ransom, because any ransom payment, small or large, “feeds a cybercrime business model.”

Prime Minister Anthony Albanese earlier on Friday said that Moscow should be held accountable for the criminal act.

“The fact is that the nation where these attacks are coming from should also be held accountable for the disgusting attacks and the release of information, including very private and personal information.”

However, early Thursday morning, the hacking collective posted a message on a dark web blog linked to the REvil Russian ransomware group, claiming:

“Society asks us about ransom; it’s a 10 million [sic] USD. We can a=make discount 9.7m 1$=1 customer.”

“Medibank [sic] CEO stated that ransom amount is ‘irrelevant.’ We want to inform the customer that He refuses to pay for yours [sic] data more, like 1 USD per person. So, probably customers data and extra efforts don’t cost that.”

The data release came after Medibank announced it would not give in to the hackers’ ransom demands. In the October cyberattack, the data of at least 9.7 million of its customers, including full names, birth dates, phone numbers, Medicare numbers, and addresses, was accessed.

“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank CEO David Koczkar told Medibank customers on Monday.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

“It is for these reasons we have decided we will not pay a ransom for this event,” he said.

The company said the decision was also consistent with the advice from the Australian government.

Customers are also warned that the data accessed could be published online or used to contact customers directly.

Victoria Kelly-Clark contributed to the report.