Russian hackers are behind the major Medibank data breach according to the Australian Federal Police, which also says it knows the specific individuals behind the cyber attack.
It comes as the hacking group released another batch of private medical data from the breach to the dark web, this time relating to mental health diagnoses and treatments.
The Medibank hack has impacted 9.7 million current and former customers of the private health insurance fund, including 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers.
Australian Federal Police (AFP) Commissioner Reece Kershaw on Friday fronted the press and pinned the blame for the significant Medibank hack on Russia-based criminals.
“The AFP is undertaking covert measures and working around the clock with our domestic agencies and our international networks, including Interpol,” Kershaw said.
“This is important because we believe that those responsible for the breach are in Russia. Our intelligence points to a group of loosely affiliated cyber criminals, who are likely responsible for past significant breaches in countries across the world. These cyber criminals are operating like a business with affiliates and associates, who are supporting the business.”
The Commissioner said the AFP believes it knows the specific individuals behind the hack but would not be naming them. The group is widely believed to be the infamous Russian ransomware gang REvil.
Kershaw urged Russian law enforcement to assist with the investigation.
“We will be holding talks with Russian law enforcement about these individuals,” he said.
“It is important to note that Russia benefits from the intelligence-sharing and data shared through Interpol, and with that comes responsibilities and accountability.”
The Russian embassy in Australia said the AFP statement was made before they had contacted Russia.
“We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies,” the embassy said in a statement.
“Fighting cybercrime that adversely affects people’s lives and damages business demands a cooperative, non-politicised and responsible approach from all members of the world community.”
On Sunday night the Russian hackers released data on the dark web containing hundreds of customer claims relating to mental health.
The organisation said it would not be releasing more sensitive information until Friday, with the Medibank annual general meeting to take place on Wednesday.
The AFP Commissioner had a message for the hackers responsible.
“We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system,” Kershaw said.
Dubbed Operation Pallidus, Kershaw said the AFP investigation into the hack is “complex and ongoing”.
“I know Australians are angry, distressed and seeking answers about the highly-sensitive and deeply personal information that is being released by criminals who breached Medibank Private’s database,” he said.
“This is a crime that has the potential to impact on millions of Australians and damage a significant Australian business. This cyberattack is an unacceptable attack on Australia and it deserves a response that matches the malicious and far-reaching consequences that this crime is causing.”
The AFP is undertaking “covert measures” against the hackers and is “working around the clock” with global authorities.
“The AFP and our partners are not going to give up in bringing those responsible to justice,” Kershaw said.
“Investigators under Operation Guardian are also scouring the internet and dark web to identify people who are accessing this personal information and trying to profit from it.”
Operation Guardian was launched in September to respond to the Optus data breach, which saw the data of nearly 10 million people stolen from the telco giant.
The Medibank hackers began posting information from the breach last week, with Prime Minister Anthony Albanese himself revealing he had been caught up in the breach. Medibank had earlier confirmed it denied the hackers’ request for a $15 million ransom.
The posted data included stolen names, addresses, birthdates and sensitive Medicare details.
Medibank is also facing the prospect of a class action lawsuit over the data breach. Bannister Law Class Actions and Centennial Lawyers launched a class action last week and have said they have received numerous expressions of interest from Medibank customers, while Maurice Blackburn has confirmed it is reviewing whether customers impacted by the hack are entitled to compensation.