Australia tells Medibank hackers: ‘We know who you are’
The Australian Federal Police claims to have identified the cybercriminals behind the Medibank ransomware attack, which compromised the personal data of 9.7 million customers.
AFP Commissioner Reece Kershaw said on Friday that the agency knows the identity of the individuals responsible for the attack on Australia’s largest private health insurer. He declined to name the individuals but said the AFP believes that those responsible for the breach are in Russia, though some affiliates may be in other countries.
In a tweet, Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen, said the AFP knows where the hackers are and is working to bring them to justice.
Kershaw said that police intelligence points to a “group of loosely affiliated cyber criminals” who are likely responsible for previous significant data breaches around the world, but did not name victims.
“These cyber criminals are working like an enterprise with associates and associates who’re supporting the enterprise,” he added, pointing to ransomware-as-a-service operations such as LockBit. On Thursday, a dual Russian-Canadian national linked to the LockBit operation was arrested in Canada.
The hackers behind the Medibank breach have previously been linked to the high-profile Russian cybercrime gang REvil, also known as Sodinokibi. REvil’s once-defunct dark web leak site now redirects traffic to a new site that hosts the stolen Medibank data, and the hackers behind the breach have also been observed using a variant of REvil’s file-encrypting malware.
The Russian Embassy in Canberra was quick to rebuff allegations that the Medibank hackers are based in Russia. “For some motive, this announcement was made earlier than the AFP even contacted the Russian side by the present skilled channels of communication,” the embassy said in a statement on Friday. “We encourage the AFP to duly get in contact with the respective Russian law enforcement agencies.”
Russia’s federal security service, the FSB (previously the KGB), said in January that REvil “ceased to exist” after several arrests were made at the request of the U.S. government. In March, Ukrainian national Yaroslav Vasinskyi, an alleged key member of the REvil group linked to an attack on U.S. software vendor Kaseya, was extradited from Poland to the U.S. to face charges.
“Even after a sequence of law enforcement operations against REvil, the gang and its associates still seem to keep returning, based on the analysis of the latest REvil ransomware sample,” Roman Rezvukhin, head of the malware analysis and threat hunting team at Group-IB, tells TechCrunch.
Kershaw said on Friday that the AFP, together with international partners such as Interpol, will “be holding talks with Russian law enforcement about these individuals.”
“You will need to observe that Russia benefits from the intelligence-sharing and data shared by Interpol, and with that comes tasks and accountability,” Kershaw said. “To the criminals: We know who you are, and furthermore, the AFP has some vital runs on the scoreboard in relation to bringing overseas offenders back to Australia to face the justice system.”
While the AFP has successfully extradited people from Poland, Serbia and the United Arab Emirates recently to face criminal charges in Australia, extraditing Russian hackers is likely to be challenging. In 2018, Russian President Vladimir Putin declared that “Russia doesn’t extradite its residents to anybody.”
Despite action by the AFP, the Medibank breach continues to worsen following the company’s decision to refuse to pay the cybercriminals’ ransom demand. On Thursday, the attackers’ dark web blog posted more stolen data, including sensitive files related to abortions and alcohol-related illnesses. The cybercriminals claimed that they initially sought $10 million in ransom from Medibank before reducing the sum to $9.7 million, or $1 per affected customer, the blog said.
“Sadly, we expect the criminal to continue to release stolen customer data every day,” Medibank CEO David Koczkar said on Friday. “These are actual individuals behind this data and the misuse of their data is deplorable and should discourage them from looking for medical care.”