The Australian Federal Police claims to have identified the cybercriminals behind the Medibank ransomware attack, which compromised the personal data of 9.7 million customers.
AFP Commissioner Reece Kershaw said on Friday that the agency knows the identity of the individuals responsible for the attack on Australia’s largest private health insurer. He declined to name the individuals but said the AFP believes that those responsible for the breach are in Russia, though some affiliates may be in other countries.
In a tweet, Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen, said the AFP knows where the hackers are and is working to bring them to justice.
The Australian Federal Police have identified the hackers, revealing they’re located in Russia.
We know where they are.
And we are working hard to bring them to justice.
— Anthony Albanese (@AlboMP) November 11, 2022
Kershaw said that police intelligence points to a “group of loosely affiliated cyber criminals” who are likely responsible for previous significant data breaches around the world, but did not name victims.
“These cyber criminals are operating like a business with affiliates and associates who are supporting the business,” he added, pointing to ransomware-as-a-service operations such as LockBit. On Thursday, a dual Russian-Canadian national linked to the LockBit operation was arrested in Canada.
The hackers behind the Medibank breach have previously been linked to the high-profile Russian cybercrime gang REvil, also known as Sodinokibi. REvil’s once-defunct dark web leak site now redirects traffic to a new site that hosts the stolen Medibank data, and the hackers behind the breach have also been observed using a variant of REvil’s file-encrypting malware.
The Russian Embassy in Canberra was quick to rebuff allegations that the Medibank hackers are based in Russia. "For some reason, this announcement was made before the AFP even contacted the Russian side through the existing professional channels of communication," the embassy said in a statement on Friday. "We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies."
Russia's Federal Security Service, the FSB (successor to the KGB), said in January that REvil “ceased to exist” after several arrests were made at the request of the U.S. government. In March, Ukrainian national Yaroslav Vasinskyi, an alleged key member of the REvil group linked to an attack on U.S. software vendor Kaseya, was extradited from Poland to the U.S. to face charges.
"Even after a series of law enforcement operations against REvil, the gang and its affiliates still seem to keep returning, based on the analysis of the latest REvil ransomware sample," Roman Rezvukhin, head of malware analysis and threat hunting team at Group-IB, tells TechCrunch.
Kershaw said on Friday that the AFP, along with international partners such as Interpol, will "be holding talks with Russian law enforcement about these individuals."
“It is important to note that Russia benefits from the intelligence-sharing and data shared through Interpol, and with that comes responsibilities and accountability,” Kershaw said. “To the criminals: We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.”
While the AFP has successfully extradited people from Poland, Serbia and the United Arab Emirates in recent years to face criminal charges in Australia, extraditing Russian hackers is likely to be challenging. In 2018, Russian President Vladimir Putin declared that “Russia does not extradite its citizens to anyone."
Despite action by the AFP, the Medibank breach continues to worsen following the company's decision to refuse to pay the cybercriminals' ransom demand. On Thursday, the attackers' dark web blog posted more stolen data, including sensitive files related to abortions and alcohol-related illnesses. On the blog, the cybercriminals claimed that they initially sought $10 million in ransom from Medibank before reducing the sum to $9.7 million, or $1 per affected customer.
“Unfortunately, we expect the criminal to continue to release stolen customer data each day," Medibank CEO David Koczkar said on Friday. "These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care."