Key Points
- Data from the Medibank breach has started to be released on the dark web.
- It's suspected the group behind the attack is linked to REvil, a Russian cyber criminal gang.
- The data released includes hundreds of names, address, birth dates and Medicare details.
A ransomware group has started posting customer data stolen from Medibank on the dark web after the private health insurer refused to pay a ransom.
On Wednesday, hundreds of names, addresses, birth dates and Medicare details belonging to the group that claimed it was responsible for the attack.
A post accompanying the lists said the group was releasing the information in stages because of its complexity.
Medibank confirmed on Wednesday were that of some of its customers, and warned that the criminals responsible would continue to release personal data it obtained in the hack on the dark web.
On Friday, Australian Federal Police Commissioner Reece Kershaw said he would not be naming individuals, but confirmed the AFP believes they are based in Russia.
"We believe those responsible for the breach are in Russia ... our intelligence points to a group of loosely affiliated cybercriminals who are likely responsible for past significant breaches in countries across the world," he said.
"These cybercriminals are operating like a business with affiliate and associates who are supporting the business ... we believe we know which individuals are responsible but I will not be naming them."
Mr Kershaw said the AFP would be holding talks with Russian law enforcement about the individuals suspected to be involved in the attack.
While the AFP are not naming suspects at this stage, it is suspected the group behind the attack is linked to REvil, a Russian cybercriminal gang.
Who is REvil?
REvil is a Russian-based ransomware crime group that threatens to publish data it steals from companies on its site Happy Blog, unless they are paid a ransom.
Mohiuddin Ahmed, senior lecturer in cybersecurity at Western Australia's Edith Cowan University, said the group is among the top five most notorious cybercriminal gangs in the world.
Last year the group hacked an Apple contractor and asked for a ransom of US$50 million ($76 million).
In January, Russian authorities announced that it had dismantled REvil and charged several of its members.
But Mr Ahmed said that doesn't mean that others members of the group aren't still active.
"There might be group members out there who are not arrested, or were still operating - having a different identity, having some other support from some other group members," he said.
Why is REvil suspected to be behind the Medibank hack?
"First, a hacker or a group of hackers, sold the Medibank employee credential to another group," he said.
"Then that group, which we believe to be REvil, are the ones who have conducted this malicious activity on Medibank's network, and they are the ones who have posted the samples of data on the dark web."
Troy Hunt, founder of the website Have I Been Pwned, which lets people check if their email address or phone number has been compromised in a data breach, said there's one key clue that points to someone linked to REvil being behind the Medibank breach.
"At some point in time, REvil’s dark web website has started redirecting to the one which is now posted the Medibank data," he told SBS News.
"Very often there's different individuals in these groups that come and go, they have their own infighting, their own problems, their own promotions and employment changes."
Should we be concerned if REvil is responsible?
Mr Ahmed said given the gang's track record, people should be "really concerned" if REvil is back, but advised waiting until any official investigations are complete before jumping to conclusions.
The AFP has launched Operation Pallidus to investigate the hack.
It's also expanded Operation Guardian - its joint initiative with state and territory police set up to investigate the Optus data breach in September - to include the Medibank leak.
AFP Assistant Commissioner Cyber Command Justine Gough said on Wednesday the agency would be "actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data".
"This is not just an attack on an Australian business. Law enforcement agencies across the globe know this is a crime type that is borderless and requires evidence and capabilities to be shared," she said.
Other federal government agencies, including the Australian Signals Directorate, are also continuing to provide Medibank with technical advice and assistance.
Cyber Security Minister Clare O'Neil described the hack as the "lowest of low".
"I cannot articulate the disgust I have for the scumbags who are at the heart of this criminal act," she told parliament on Wednesday.
"People are entitled to keep their health information private, even amongst ransomware attackers, the idea of releasing personal medical information of other people is considered beyond the pale."
Mr Hunt said he's less worried about who was behind the hack, and more that such a large quantity of data has been leaked.
"It's about as bad as it could have been," he said.
"It's larger than what I initially thought when I saw a couple of archive files that added up to a few 100 megabytes, but they extract out to data which is significantly larger than that, and there does seem to be quite a large number of people in there."