The Australian Federal Police claim to have identified the cybercriminals behind the Medibank ransomware attack, in which the personal data of 9.7 million customers was stolen.
AFP Commissioner Reece Kershaw said on Friday that the agency knew the identities of the individuals responsible for the attack on Australia’s largest private health insurer. He declined to name the individuals but said the AFP believes those responsible for the breach are in Russia, although some may be based in other countries.
In a tweet, Australian Prime Minister Anthony Albanese, whose Medibank data was stolen, said AFP knew where the hackers were and was working to bring them to justice.
Kershaw said police intelligence points to “a loosely linked group of cybercriminals” who are potentially responsible for previous major data breaches around the world, but did not name the victims.
“These cybercriminals are operating like a business with affiliates and associates supporting the business,” he added, pointing to ransomware-as-a-service operations like LockBit. On Thursday, a dual Russian-Canadian citizen alleged to be involved in the LockBit operation was arrested in Canada.
The hackers behind the Medibank breach have previously been linked to the high-profile Russian cybercrime gang REvil, also known as Sodinokibi. REvil’s once-defunct dark web leak site now redirects traffic to a new site hosting the stolen Medibank data, and the hackers behind the breach have also been observed using a variant of REvil’s file-encrypting malware.
The Russian Embassy in Canberra was quick to deny allegations that the Medibank hacker group was based in Russia. “For some reason, this announcement was made before the AFP even contacted the Russian side through the existing professional communication channels,” the embassy said in a statement released on Friday. “We encourage the AFP to properly contact the respective Russian law enforcement agencies.”
Russia’s federal security service, the FSB (formerly the KGB), said in January that REvil had “ceased to exist” after a number of arrests were made at the request of the US government. In March, Yaroslav Vasinskyi, a Ukrainian national and alleged key member of the REvil group involved in the attack on US software supplier Kaseya, was extradited from Poland to the US to face charges.
“Even after a series of law enforcement operations against REvil, the gang and its affiliates seem to keep coming back, based on analysis of the latest REvil ransomware sample,” Roman Rezvukhin, head of the malware analysis and threat hunting team at Group-IB, told TechCrunch.
Kershaw said Friday that AFP, along with international partners such as Interpol, will “negotiate with Russian law enforcement about these individuals.”
“It is important to note that Russia benefits from intelligence and data shared through Interpol, and with that comes accountability,” Kershaw said. “For the criminals: We know who you are, and more than that, the AFP has had some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.”
While AFP has successfully extradited people from Poland, Serbia and the United Arab Emirates in recent years to face criminal charges in Australia, the extradition of Russian hackers is likely to be a challenge. In 2018, Russian President Vladimir Putin stated that “Russia does not extradite its citizens to anyone”.
Despite the actions of the AFP, the Medibank breach continued to worsen following the company’s decision not to pay the ransom demanded by the cybercriminals. On Thursday, the attackers’ dark web blog posted more stolen data, including sensitive files related to abortion and alcohol-related illnesses. The cybercriminals claimed that they initially sought $10 million in ransom from Medibank before reducing the amount to $9.7 million, or $1 per affected customer, the blog said.
“Unfortunately, we expect the criminals to continue to release stolen customer data every day,” Medibank CEO David Koczkar said on Friday. “These are real people behind this data, and the misuse of their data is deplorable and may discourage them from seeking medical attention.”