The Australian Federal Police said they know the identity of the Russian ransomware group that broke into the databases of Medibank, Australia’s largest private health insurer, and spent weeks inside the company’s computer systems stealing customer data. After Medibank refused to pay a ransom of US$9.7 million – $1 for each of the 9.7 million people whose information was compromised – the hackers began publishing sensitive data on the dark web.

Two initial instalments were published on Wednesday on a dark web blog linked to the Russian ransomware group REvil: a so-called “naughty list” detailing people treated for drug addiction or mental health issues, and a “good list” containing more general claims for hospital procedures. Each list contained data from around 100 Medibank customers. On Thursday the hackers released another file, labelled “abortions.csv”, containing more than 300 claims made by policyholders relating to termination of pregnancy, including non-viable pregnancies, ectopic pregnancies and miscarriages. On Friday a further list, “boozy.csv”, was published on the dark web, containing records of 240 customers who had received treatment for alcohol-related conditions.

Medibank said the data of 9.7 million current and former customers had been breached: their names, dates of birth, phone numbers, email addresses and home addresses were stolen. Some customers’ numbers for Medicare – Australia’s universal public healthcare system – were also taken, along with international customers’ passport details. The hackers also accessed the health claims of around 160,000 Medibank customers, around 300,000 customers of its subsidiary ahm, and 20,000 international customers.

Australian Prime Minister Anthony Albanese, himself a Medibank customer, said he was “disgusted by the perpetrators of this criminal act”.
“We know where they’re coming from, we know who’s responsible, and we’re saying they need to be held accountable.”

Australian Federal Police (AFP) commissioner Reece Kershaw told the hackers on Friday: “We know who you are.” “We believe those responsible for the breach are in Russia,” he told reporters in Canberra, but declined to name the alleged perpetrators, saying it would jeopardise an ongoing investigation. “We believe we know which individuals are responsible … our intelligence points to a loosely connected group of cybercriminals who are likely responsible for previous major breaches in countries around the world.”

Kershaw said the attack was likely not confined to Russian territory and that some of the group’s affiliates may be active in other countries. He said the AFP was working in cooperation with Interpol’s national central bureau in Moscow. Kershaw said the AFP had “run the scoreboard” on extraterritorial investigations: it has successfully extradited people from Poland, Serbia and the United Arab Emirates in recent years to face criminal charges – mainly drug-related – in Australia. But the chances of Russian hackers being extradited seem remote. In 2018, Russian President Vladimir Putin said that “Russia does not extradite its citizens to anyone.”

Kershaw said Australian government policy does not allow ransom payments to cybercriminals. “Any ransom payment, small or large, fuels a cybercrime business model, putting other Australians at risk.” The AFP has expanded Operation Guardian – set up in September to protect 10,000 customers of the telco Optus whose personal details were posted online earlier this year – to cover Medibank customers.

Australia’s cyber security minister, Clare O’Neil, has vowed that those behind the “morally reprehensible” hack will be caught. “I want the crooks behind this attack to know that the smartest and toughest people in this country are after you,” she said.
“I want to say, especially to the women whose private health information has been compromised … as the minister for cybersecurity, but more importantly, as a woman, this shouldn’t have happened and I know it’s a really difficult time.”