News

|

National Security

Russians named in cyberattack

November 12, 2022

David Crowe and Colin Kruger
The Age
Saturday 12 November 2022

Australians are being warned to expect a growing wave of Russian cyberattacks that hold more companies to ransom and spread concern among customers in a trend linked to state support for criminal gangs.

Security experts believe cybergangs are scaling up their attacks and changing their behaviour as they gain a form of protection from Russian President Vladimir Putin.

Australian Federal Police (AFP) Commissioner Reece Kershaw named Russia as the home of the hacking group that is demanding a ransom payment from Medibank after it stole the personal details of millions of customers.

Kershaw said the “loosely affiliated” hackers worked across several countries and operated like a business.

While Kershaw did not name the perpetrators, other sources told this masthead that authorities believed the REvil group was involved, pointing to one of Russia’s most active ransomware gangs.

Lowy Institute project director Ben Scott said the hack was very unlikely to be a response to Australian support for Ukraine, but added that Russian hackers ranged from private groups to state-sponsored organisations.

“They are very capable, active and aggressive across the board,” he said.

“Australia needs to be prepared for more cyberattacks from criminals and states alike.”

Scott said it was extremely unlikely the Russian government would do anything about it because of Australia’s support for Ukraine.

Medibank confirmed this week that the personal information of 9.7 million current and former customers had been stolen by hackers in October.

The company said it would not negotiate with the hackers or pay a ransom demand and apologised to customers.

The ransomware group began releasing tranches of stolen Medibank data on the dark web on Wednesday and the sensitive data of another 240 customers was published on Friday.

Former national cybersecurity adviser Alastair MacGibbon said security teams were responding to more incidents than earlier this year and the hackers were shifting their mode of attack toward the widespread theft of personal data.

“There has been an uptick in significant matters,” said MacGibbon, now the chief strategy officer at CyberCX, a security firm that advises Medibank and other clients.

“There has been a strong nexus between the Russian state and Russian online criminals, so much so that some would say that the Russian state has green-lighted the activities of those criminals.

“It would be fair to say that the Russian government in recent years has only paid lip service to the concept of controlling those groups.”

While Kershaw said the AFP would seek talks with Russian law enforcement agencies over the attack, experts said this was unlikely to produce results given Australia had imposed sanctions on most senior figures in the Putin regime.

Opposition cybersecurity spokesman James Paterson welcomed the decision to name Russia as the source country and said this opened up the possibility of applying sanctions on those who protected the attackers.

Federal parliament passed laws last December to enforce Magnitsky-style sanctions, which include measures to respond to cyberattacks and were named after a whistleblower who died in custody in Moscow in 2009.

“While Australia has yet to use Magnitsky sanctions against perpetrators of serious cyberattacks, this would be a prime candidate,” Paterson said.

REvil takes its name from “ransomware evil” and has a pattern of hacking computer systems, obtaining personal information and threatening to release the details until it receives a ransom – a tactic it is said to have used against major companies as well as Donald Trump, Lady Gaga and Madonna.

“Our intelligence points to a group of loosely affiliated cybercriminals who are likely responsible for past significant breaches in countries across the world,” Kershaw told reporters on Friday afternoon. “These cybercriminals are operating like a business with affiliates and associates who are supporting the business.”

The Australian decision to name the home country of the gang is a rare move that highlights concern about the rise in Russian hacking since Putin launched the invasion of Ukraine in February.

Prime Minister Anthony Albanese said he authorised the release of the AFP’s findings because the “disgusting” attacks needed to be condemned.

“We know where they’re coming from, we know who is responsible, and we say that they should be held to account,” he said.

“The nation where these attacks are coming from should also be held accountable for the disgusting attacks, and the release of information including very private and personal information.”

The Russian embassy complained that it had not been contacted before the AFP commissioner made his statement and it added that fighting cybercrime needed a cooperative, non-politicised approach.

The embassy did not answer specific questions from this masthead about whether the hackers came from Russia or whether they were supported by the Russian state.

US President Joe Biden said in March that cyberattacks were “part of Russia’s playbook” and that authorities believed the Russian government was exploring options for potential cyberattacks.

REvil began as a group that offered “ransomware as a service” so its hackers could be hired by others to target systems and demand a payment, but it has made a series of attacks in its own right.

The group was said to have been dismantled by Russian authorities in March, but experts believe it has restarted its operations.

Medibank chief executive David Koczkar said the company expected the hackers to release new data daily as part of their demands.

“The relentless nature of this tactic being used by the criminal is designed to cause distress and harm,” he said.

Home Affairs Minister Clare O’Neil told Nine’s Today show that she has had some “direct conversations” with Medibank about the company’s failure to protect customers’ confidential information.

“I would say across the Australian community, we have been in a slumber about cybersecurity threats that face us,” she said.

“We need to wake up from the slumber. This is the crime type of the future.”

The REvil group claimed on Thursday it had demanded a ransom of $US1 for each of Medibank’s 9.7 million affected customers, for a total of $US9.7 million ($15 million).

Recent News

All Posts