Australia has awoken from a cyber “slumber” and will “day in, day out hunt down the scumbags” who have stolen the health data of nearly 10 million Australians, home affairs minister Clare O’Neil has said.
After the Russian embassy complained it had not been informed the Australian government would publicly accuse Russian cybercriminals of being behind a hack on private health insurer Medibank, O’Neil did not resile from publicly blaming Russians for the hack.
“This is a really difficult and stressful time for Australians,” O’Neil said. “You are entitled to keep information about your health, whatever it is, completely private. And it has been stolen from you by Russian thugs. Our message today is that those thugs should watch out.”
Nearly 10 million Australians have had private health data held by Medibank stolen – with sensitive medical records detailing treatments for alcoholism, drug addictions and pregnancy terminations already posted on the dark web, and offered for sale.
After Medibank refused to pay a demanded ransom of US$9.7m – US$1 for every one of the 9.7 million people whose information has been compromised – the hackers began releasing sensitive data on the dark web this week. Further disclosures are expected.
The Australian government has said it “knows the identity” of the hackers of the Australians’ data and said they “are in Russia”, but it has not named them. Sources have told the Guardian those believed responsible are linked to the REvil Russian ransomware group.
The Russian embassy in Canberra criticised Australia’s “politicised approach”, saying the Australian federal police commissioner, Reece Kershaw, claimed Russians were responsible before contacting Russian authorities.
“We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies.
“Fighting cybercrime that adversely affects people’s lives and damages businesses demands a cooperative, non-politicised and responsible approach from all members of the world community.”
Kershaw said the AFP was working in cooperation with the national central bureau of Interpol in Moscow.
O’Neil said cyber-attacks, such as those on telco Optus, or health insurance provider Medibank, were a global scourge that required a permanent, dedicated agency to combat them.
“What we’re seeing in Australia is that we’re waking up from a slumber that we’ve been in,” she said.
She announced on Saturday that 100 officials drawn from the AFP and the Australian Signals Directorate would form a permanent “joint standing operation” against cybercriminal syndicates.
“They will show up to work every day with the goal of bringing down these gangs and thugs … a standing body within the Australian government which will, day in, day out, hunt down the scumbags who are responsible for these malicious crimes against innocent people.”
The chances of a Russian hacker being arrested and extradited appear remote. In 2018, the Russian president, Vladimir Putin, said “Russia does not extradite its citizens to anyone”.
But O’Neil said Australia needed “to shift away from the mindset here that the only thing that needs success is having someone behind bars”.
Australia’s joint standing operation “will be hunting these gangs around the world and disrupting the activities of these people. The smartest and toughest people in our country are going to hack the hackers,” O’Neil said.
“From now on, cybercriminals will be a constant and enduring target for our agencies to disrupt.”
Medibank has said the data of 9.7 million current and former customers has been hacked: they have had their names, dates of birth, phone numbers, email addresses and addresses stolen. Some customers’ unique numbers for Medicare – Australia’s universal public healthcare scheme – have also been stolen, along with the passport information of international customers.
The hackers have also accessed the health claims of about 160,000 Medibank customers, about 300,000 customers of its subsidiary company, ahm, and data from 20,000 international customers.
After Medibank refused to pay the demanded ransom, the hackers this week began posting sensitive health data on the dark web.
Two initial tranches were posted on Wednesday to a dark web blog linked to the REvil Russian ransomware group: a so-called “naughty list” that detailed people’s treatment for drug addictions or mental health issues, and a “good list” that contained more generic hospital procedure claims. Each list contained data from about 100 Medibank customers.
On Thursday, the hackers posted another file labelled “abortions.csv” containing more than 300 claims made by policyholders in relation to the termination of pregnancies, including non-viable pregnancy, ectopic pregnancy and miscarriages.
On Friday, a further list was posted on the dark web – “boozy.csv” – containing files associated with 240 customers relating to treatment for alcoholism.
On Saturday, the attorney general, Mark Dreyfus, warned the AFP would arrest and charge people for secondary offences resulting from the hack, such as buying stolen health data on the dark web.
“It is an offence to buy stolen information online which could include a penalty of up to 10 years imprisonment,” he said. “It is also an offence to blackmail or menace customers.”