Thursday, November 10, 2022

Inside Australia’s most invasive data hack


“We will do everything in our power to inflict as much damage as possible to you,” hackers told Medibank last month. This is how the negotiations unfolded.


At 1.20pm on October 12, Medibank Private received a call from Australia’s top cyber spy agency. It came with a message no Australian business wants to hear.

The Australian Signals Directorate had noticed something strange going on in Medibank’s systems and reached out to the country’s largest health insurer.

“We did reach out to Medibank and they were already aware of unusual cyber activity on their network which the CEO made public,” Rachel Noble, director-general of the ASD, told Senate estimates on Tuesday evening.

“They were, like us, trying to understand what it was we were both seeing from a different perspective.”

Medibank chief executive David Koczkar later told The Australian Financial Review he had received a call internally that day after “unusual activity” had been picked up, and the company went about figuring out what was happening. Just before 10pm, ASD notified Home Affairs Minister Clare O’Neil of the situation.

At 9.59am on October 13, Medibank requested a trading halt before alerting the market at 11.27am of the incident. It said, “at this stage there is no evidence that any sensitive data, including customer data, has been accessed”. Medibank notified ASD officially at around 1.30pm.

These were the first movements in what has become one of the most devastating cyberattacks on an Australian business, with hackers accessing the personal information of 9.7 million Australians, including people who could be in significant danger if their information was misused.

Turning the screws

Criminals posted their interactions with Medibank in an initial dump of data in the early hours of Wednesday. The shocking move seems to be aimed at turning the screws on the health insurer and forcing it to pay a ransom – which, in line with government advice, Medibank has publicly refused to do.

The data release on a website with links to Russia-backed criminal gang REvil reveals claims from the hackers that they had been in Medibank’s networks for a month.

It appears that when they tried to execute a ransomware attack, the activity was picked up by the health insurer and the ASD. Whatever action was taken next stopped them from successfully encrypting Medibank’s systems, but the hackers still had time to pull out reams of highly sensitive data.

The data also contains details of about 200 patients – separated into two so-called “naughty” and “good” lists. The “naughty” list names people who have undergone treatments for conditions such as cannabis dependence, alcohol abuse and anxiety, while the “good” list includes people who have had procedures related to bowel disease and cataracts.

On October 18, at around 10.38pm, believed to be Moscow time, Koczkar received a direct message on WhatsApp with the “naughty” list. “Hi! As your team is quite shy, we decided to make the first step in our negotiation,” the message said. “We’ve found people with very interesting diagnoses.”

The hackers also contacted Medibank’s security operations with claims they had 200 gigabytes of data.

In messages on October 21 the criminals claimed to have spent a month inside Medibank’s systems.

Threats begin

By October 25, the hackers did not believe Medibank was taking them seriously, and threatened to make the data public so customers could sue the insurer.

“In the event of a negative outcome of the negotiations for us, we will do everything in our power to inflict as much damage as possible to you, both financial and reputational,” the criminals warned.

In the leaked communications, it is alleged Medibank replied on October 26 that it believed the “output was very small, about 5GB compressed”.

On the same day, the hackers said they “did not have time” to encrypt the Medibank network, but they did have time to download data. This points to the possibility that Medibank actually thwarted the ransomware the hackers tried to execute on its systems, but not before the data was taken.

Cybercriminal gangs will often operate as an enterprise in an effort to build a reputation that they will do what they claim – i.e., if you pay a ransom, they will delete the data. Government advice is to never pay a ransom.

On October 27, after Medibank allegedly admitted the hackers are “very talented”, the criminals promised a full incident report if a ransom was paid.

“We will send you a full report about how we entered your network, and what steps we do inside,” the messaging from the claimed hackers said.

“We will give you recommendations on how to protect your network and save you from communications with other groups in the future.”

On October 28, things came to a head. The hackers allegedly gave Medibank five days to “agree on the amount and receive accurate and acceptable payment terms”. On October 31, they mentioned a wallet, indicating they were probably after cryptocurrency.

Final 24 hours

On November 1, the hackers gave Medibank 24 hours to figure out payments.

The next day, Medibank told the hackers that the company had not spoken publicly about its conversations with them, and that if the hackers made the private data public, Medibank would be forced to terminate communications. This did not necessarily mean Medibank was considering paying a ransom. It is common for organisations to negotiate with hackers to stall the release of data.

On November 2, the hackers threatened to contact Medibank customers directly with the medical records, and mentioned a massive data dump.

Three days later, Medibank informed the hackers it “cannot pay your demand”, that it was government policy to never pay a ransom, and that it “understand[s] the impact this may have”.

On Tuesday, November 8, the hackers went public, giving Medibank a final 24 hours to respond.

Carrying out their threat, just after midnight the criminals posted the names, addresses, Medicare details and sensitive healthcare claim data of 200 customers.

There is no sense the crisis is over.