Data breach at Medibank: Australia blames cybercriminals in Russia for the attack

Brisbane, Australia CNN —

Cybercriminals in Russia are behind a ransomware attack on one of Australia’s largest private health insurers that has leaked sensitive personal information to the dark web, the Australian Federal Police (AFP) said on Friday.

In a brief news conference, AFP Commissioner Reece Kershaw told reporters investigators know the identities of those responsible for the attack on health insurer Medibank, but declined to name them.

“The AFP conducts covert operations and works around the clock with our domestic authorities and international networks, including Interpol. This is important because we believe that those responsible for the violation are in Russia,” he said.

According to Medibank, the stolen data belongs to 9.7 million past and present customers, including 1.8 million international customers. The files contain data on health claims for nearly half a million people, including 20,000 overseas.

This week, the group behind the attack began posting curated tranches of customer data on the dark web, in files titled Good-List, Naughty-List, Abortions and Binges, the last of which included people seeking help for alcohol addiction.

Kershaw said police intelligence pointed to a “group of loosely affiliated cybercriminals” likely responsible for previous significant data breaches around the world, without providing specific examples.

“These cyber criminals operate like a company with affiliates and employees supporting the company. We also believe that some subsidiaries may be located in other countries,” said Kershaw, who declined to answer questions due to the sensitivity of the investigation.

Cybersecurity experts said the criminals are likely linked to REvil, a Russian ransomware gang notorious for large-scale attacks on targets in the United States and elsewhere, including major international meat supplier JBS Foods last June.

That breach crippled the company’s entire US beef processing operation and prompted it to pay an $11 million ransom. Last November, the US State Department offered a $10 million reward for information leading to the identification or location of key leaders of REvil, also known as the Sodinokibi organized crime group.

In mid-January, Russia’s state news agency TASS reported that at least eight REvil ransomware hackers had been arrested by Russia’s Federal Security Service (FSB) at the request of the United States.

They were accused of committing “illegal transactions,” a crime punishable by up to seven years in prison, TASS reported, citing Moscow’s Tverskoy court.

In March, Ukrainian citizen Yaroslav Vasinskyi, one of the main suspects in an attack on US software provider Kaseya, was extradited from Poland to the US to face charges, according to a Justice Ministry statement.

Jeffrey Foster, associate professor of cybersecurity studies at Macquarie University, said there is an important connection between the REvil network and the group suspected of hacking the Medibank network.

“The biggest link is that REvil’s dark web site now redirects to this site. So that’s the greatest connection we have between them and the only connection we have between them,” said Foster, who monitors the blog where the group posts its demands.

“Since Russia has stated that they arrested and disbanded REvil, it seems likely that this is a case of perhaps a former REvil member having access to the dark web site in order to be able to perform the redirect, which required access to the hardware,” he said. “Whether or not REvil has returned, we don’t know.”

Medibank first noticed unusual activity on its network almost a month ago. On Oct. 20, the company issued a statement saying a “criminal” had stolen information from its ahm health insurance and international student system, including names, addresses, phone numbers and some claims data for procedures and diagnostics.

An initial ransom demand of US$10 million (AU$15 million) was made, but the company, after extensive consultation with cybercrime experts, said it decided not to pay. It was later reduced to $9.7 million — one for each affected customer, according to Foster.

At the time, Medibank said there was only a “limited chance” that paying the ransom would prevent the data from being released or returned to the company.

In his statement on Friday, Kershaw, the AFP commissioner, said the Australian government’s policy does not condone paying ransoms to cybercriminals.

“Any ransom payment, big or small, boosts the cybercrime business model and puts fellow Australians at risk,” he said.

Kershaw said investigators at Australia’s Interpol National Central Bureau were speaking with their Russian counterparts about the individuals, whom he addressed directly with threats of indictment in Australia.

“To the criminals, we know who you are. And on top of that, AFP has some significant runs on the scoreboard when it comes to bringing foreign offenders back to Australia to face the justice system,” he said.

Earlier Friday, Australian Prime Minister Anthony Albanese said he was “disgusted” by the attacks and, without naming Russia, said the government of the country they come from should be held accountable.

“The nation from which these attacks are coming should also be held accountable for the disgusting attacks and the release of information, including very private and personal information,” Albanese said.

In a statement Friday, Medibank CEO David Koczkar said it was clear that the criminal gang behind the breach “relishes the notoriety” and it was likely they would be releasing more information with each passing day.

“The relentless nature of these tactics employed by the criminals is designed to cause harm,” he said. “There are real people behind this data and misuse of their data is unfortunate and may prevent them from seeking medical care.”