Thursday, November 10, 2022

Cocaine and opioids: Medibank hackers post stolen data

PM Anthony Albanese confirms he is a Medibank customer, backs company refusal to pay ransom

Medibank confirms names, addresses, birthdays posted to dark web by hackers after ransom deadline passes

Criminals are expected to release more sensitive Medibank Private customer data after the first dump targeted people with cocaine and opioid addictions and mental health conditions from well-heeled suburbs.

Exchanges between the health insurer and the hackers, also released online, reveal the breach occurred through a virtual private network (VPN), the remote-access channel used to reach company networks, which in this case was apparently hijacked.

Medibank has previously confirmed the hackers stole almost 500,000 health claims, along with personal information. Louise Kennerley

The information posted to the dark web, seen by The Australian Financial Review, includes WhatsApp messages on October 18 at 10.38pm allegedly from the hackers to Medibank chief executive David Koczkar revealing the so-called “naughty list”, in which the customer details were first shared.

The list, released on Wednesday, contains details of 100 patients including their treatments for cannabis dependence, alcohol abuse, anxiety, constipation, reflux and alcohol, tobacco and drug use.

The data contains details of another 100 people on the so-called “good” list, with conditions including prostatitis, gastric band removal, cataracts and colitis.

Prime Minister Anthony Albanese confirmed he is a Medibank customer and the insurer was right not to pay a ransom. His data is not included on either list.

“This is really tough for people. I am a Medibank Private customer as well, and it will be of concern that some of this information has been put out there,” he told reporters in Parliament House.

“I am a Medibank Private customer as well”: Prime Minister Anthony Albanese says Medibank was right not to pay the hackers. Alex Ellinghausen

Cyber Security Minister Clare O’Neil told question time that the number of people whose details are released is expected to rise. “The number of citizens whose medical information may have been compromised [by being posted] is small at this stage, but I want the Australian people to understand that that is likely to change,” she said.

In correspondence between the hackers and Medibank from October 21, also sighted by the Financial Review, the hackers say they have spent a month in Medibank’s system, figuring it out.

But in a message on October 26 they say they ran out of time to encrypt Medibank’s systems with ransomware and fell back on the data they had already exfiltrated, combining the two extortion tactics against the insurer’s systems.

In a message exchange from October 27, Medibank tells the criminals they are “very talented” and says it can see they have accessed the systems via a VPN, asking how else they got in. The criminals tell Medibank if it pays up they will help it to fortify its systems against future attacks.

“We will send you a full report about how we entered your network, and what steps we do inside,” the hackers reply.

“We will give you recommendations on how to protect your network and save you from communications with other groups in the future.”

The Australian Federal Police on Wednesday said it had expanded Operation Guardian to protect Medibank customers. It said in a statement: “The AFP is aware that distressing and very personal information has been released on the dark web and has immediately taken measures, including covert techniques, to identify further criminal activity.”

Australian Signals Directorate director-general Rachel Noble. Dominic Lorrimer

The release of the data has also raised questions about what Medibank knew and when, and what the company has revealed to its customers. The AFP on Wednesday said it had been working with Medibank since October 12.

Australian Signals Directorate director-general Rachel Noble told the Senate on Tuesday night the cyber agency had alerted Medibank to a possible ransomware attack on October 12, at which point it was told the company was already aware of the “unusual” activity on its networks.

Medibank shares were halted on October 13 and resumed trading on October 17. The insurer told investors: “There remains no evidence customer data has been removed from the network” and “normal business operations have resumed”.

The shares were paused again at 11.53am on October 19. The insurer told the market at 4.45pm it had “received messages from a group that wishes to negotiate with the company regarding their alleged removal of customer data”.

Details posted on dark web

Medibank confirmed its customers’ private medical information had been posted on the dark web in the early hours of Wednesday morning after the criminals began releasing information in response to its refusal to pay a ransom.

Its shares have sunk 21 per cent since the incident first surfaced and closed 0.4 per cent lower at $2.77 on Wednesday.

The insurer said in a statement: “Medibank has today become aware that the criminal has released files on a dark web forum containing customer data that is believed to have been stolen from Medibank’s systems.”

The data posted online includes personal details such as names, addresses and other identifying information. The Financial Review is not revealing them out of respect for privacy.

Mr Koczkar apologised to customers as the company said the information released came from a sample that was earlier accessed, understood to be the first 100 customers sent to Medibank by the criminals around October 18. It is understood that all but one of the customers has been contacted by Medibank since the names were received last month.

Medibank CEO David Koczkar has apologised to customers and promised to offer them full support. Arsineh Houspian

Mr Koczkar said in a statement: “This is a criminal act designed to harm our customers and cause distress. We take seriously our responsibility to safeguard our customers, and we stand ready to support them.”

Medibank said: “We will continue to work around the clock to inform customers of what data we believe has been stolen and any of their data included in the files on the dark web and provide advice on what customers should do.”

Mr Koczkar said Medibank had no idea any customer data had been stolen until it was sent to the insurer, but has continued to say its systems are robust. The information was obtained after a criminal stole a password and username from someone with the ability to gain access to all of Medibank’s customer data.

Medibank was forced to say the data of 9.7 million Australians, including people who could be in significant danger if their information was misused, had been stolen. The criminals had previously said they would release data related to people who had the “most followers” or were high profile, including “politicians, actors, bloggers, LGBT activists”.

“It didn’t happen because Medibank didn’t pay the ransom”: Cyber Security Minister Clare O’Neil. Alex Ellinghausen

The company has previously confirmed the hackers had stolen 480,000 customers’ health claims, along with personal information, when the unnamed group hacked into its system weeks ago.

‘Disgraceful human beings’

Home Affairs and Cyber Security Minister Ms O’Neil blasted the release of Medibank data on the dark web, labelling the cybercriminals “disgraceful human beings”.

“I don’t have words to express the disgust I feel at crimes of this nature,” she said. “The fact that people’s personal health information is being held over their head is just disgusting to me.”

Ms O’Neil said 1 million Australians were waking up “angry and fearful” about what would happen with their data.

“It didn’t happen because Medibank didn’t pay the ransom,” Ms O’Neil said. She said data was “used to re-victimise and re-victimise” even when ransoms were paid.

The cybercriminals began posting stolen data from Australia’s largest health insurer just after midnight on a website linked to Russia-backed cybercrime gang REvil. It appears they are slowly releasing the data, rather than dumping it all at once.

Naughty and good lists

Hundreds of names, addresses and Medicare details were being posted under a “good list” or “naughty list” on a blog belonging to the group. The information includes names, addresses, phone numbers, dates of birth, nationality and email address.

The hacker’s post says: “Looking back that data is not very understandable format (table dumps) we’ll take some time to sort it out and we posting a small part of the data, in ‘human readable format (sample in json)’ also we post all raw data. We’ll continuing posting data partially, need some time to do it pretty.

“We’ll continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts.”

Tennis great Todd Woodbridge told 3AW radio in Melbourne he believed he had been targeted by the criminals and asked to pay outstanding bills by text message, hinting the extortion attempts could hit many more customers.

Medibank did not immediately respond to questions about whether it is aware of other customers in this situation.

Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said the hackers would not want to release more data.

“It’s now a game of wait and see. How much data did the hackers obtain and how much of it will they release? And what will they do with any data that they do not release?” he said.

“At this point, the hackers really don’t want to release any data. The more they release, the more leverage they lose.

“This shouldn’t be assumed to mean that Medibank ever seriously considered paying. It’s common for organisations to immediately enter negotiations … in order to try to work out what data the hackers obtained and to stall its release. Every day the data isn’t released is another day in which the hackers could be apprehended.”

REvil is a Russia-backed cybercrime gang that has re-emerged after there were claims it had been taken down in January by the country’s government at the request of the US.

An FBI wanted poster for Russian Yevgeniy Polyanin, linked to REvil, after the JBS Foods hack last year. AP

REvil is a “ransomware as a service” operation. Its ransomware, which it makes available to “affiliates”, was among the most prolific in 2021.

It was blamed for the attack that stopped operations at JBS Foods in 2021, where the ransomware crippled the meatworks business in Australia and the US. About 7000 workers in Australia were stood down without pay until the issue could be partially resolved.

Medibank said any customers who are contacted by somebody claiming to have their data should report it to the Australian Cyber Security Centre or Scamwatch, and should call 000 if they believe they are physically at risk.

Correction: An earlier version of the article said the data revealed the HIV status of a Medibank customer, but that was incorrect.

Ayesha de Kretser is a Senior Financial Services Reporter with The Australian Financial Review. Email Ayesha at ayesha.dekretser@afr.com.au

John Davidson is an award-winning columnist, reviewer, and senior writer based in Sydney and in the Digital Life Laboratories, from where he writes about personal technology. Email John at jdavidson@afr.com

Max Mason covers courts, insolvency, regulation, financial crime, cybercrime and corporate wrongdoing. He joined the masthead in 2013 and has held a number of roles, including media editor and telecommunications reporter. He is based in Sydney. Email Max at max.mason@afr.com