Australian Federal Police say cybercriminals in Russia behind Medibank hack
AFP Commissioner Reece Kershaw speaks to the media on November 11. IMAGE: Australian Federal Police
Alexander Martin November 11, 2022

The Australian Federal Police (AFP) has identified the perpetrators of the hack and attempted extortion of health insurance company Medibank, its commissioner told journalists on Friday.

Giving a short press conference without taking questions, AFP Commissioner Reece Kershaw said the force was “undertaking covert measures and working around the clock with our domestic agencies and our international networks, including INTERPOL,” as part of its investigation.

“This is important because we believe that those responsible for the breach are in Russia,” Kershaw said, explaining that the AFP’s “intelligence points to a group of loosely affiliated cyber criminals, who are likely responsible for past significant breaches in countries across the world.”

Australian Prime Minister Anthony Albanese, who has confirmed that he himself is a Medibank customer, said he had authorized the AFP to confirm where the cybercriminals were based.

“We know where they’re coming from, we know who is responsible, and we say that they should be held to account,” said Albanese, adding: “The nation where these attacks are coming from should also be held accountable for the disgusting attacks and the release of information — including very private and personal information.”

Medibank, which is one of Australia’s largest health insurance providers, stated last week that it would not be making a ransom payment after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad.

All of the data which the criminals accessed “could have been taken,” the company said. This includes sensitive healthcare claims data for around 480,000 individuals, including information about drug addiction treatments and abortions.

Specialist investigators under the name Operation Guardian are “scouring the internet and dark web to identify people who are accessing this personal information and trying to profit from it,” said the commissioner.

At the time of Medibank’s announcement regarding the ransom payment, Clare O’Neil, the Australian minister for home affairs and cybersecurity, welcomed the company’s decision to not pay as “consistent with Australian government advice” and warned that doing so would directly undermine the country’s security.

It is not clear which ransomware group attempted to extort Medibank, although the company has now been listed on the extortion site formerly operated by REvil. It is not known who the current operators are.

In January, Russian officials with the Federal Security Service conducted 25 raids on homes owned by 14 members suspected to be part of the REvil team across Moscow, St. Petersburg, Leningrad, and the Lipetsk regions. Eight people allegedly involved in the ransomware gang were later hit with charges by a court in Moscow.

However, researchers observed that the gang’s leak site appeared to become operational again in May. Digital Shadows Senior Cyber Threat Intelligence Analyst Chris Morgan tied the group’s return to a dispute between officials in Russia and the U.S., who officially closed off a channel of communication dedicated to cybersecurity issues following the Russian invasion of Ukraine.

On Friday, the AFP’s Kershaw said: “We believe we know which individuals are responsible but I will not be naming them. What I will say is that we will be holding talks with Russian law enforcement about these individuals.”

Kershaw stressed that Russia “benefits from the intelligence-sharing and data shared through INTERPOL, and with that comes responsibilities and accountability.”

He said that the AFP was leading the investigation under the name Operation Pallidus and explained the ransomware ecosystem’s business model: “These cyber criminals are operating like a business with affiliates and associates, who are supporting the business,” said Kershaw, adding that “some affiliates may be in other countries.”

The commissioner declined to take questions, saying he wanted to provide as much information as he could “without putting at risk the criminal investigation.”

“I know Australians are angry, distressed and seeking answers about the highly-sensitive and deeply personal information that is being released,” he added.

“This is a crime that has the potential to impact on millions of Australians and damage a significant Australian business,” he said, describing the cyberattack as “an unacceptable attack on Australia… [deserving] a response that matches the malicious and far-reaching consequences that this crime is causing.”

He said he had a direct message to the criminals: “We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.”

Alexander Martin is the UK Editor for The Record. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.