Pax Mafioso: The geopolitical side to the Medibank ransom attack
The ransom attack on Medibank involving the personal information of nearly 10 million Australians has exposed another front in the geopolitical confrontation between Russia and the world.
The criminal gang REvil’s hacking, ransom and release of personal details of Medibank’s customers serves a secondary strategic goal of the Kremlin by “punishing” businesses in Western allies.
“REvil operates as a cybercrime cartel who also pays homage to the Kremlin as a cybermilitia,” said Tom Kellermann, SVP of Cyber Strategy at US-based Contrast Security.
While the criminal gangs are not directed by the regime, they are strategically aligned to plunder Western targets, a trend that has escalated since the start of Russia’s war against Ukraine.
“These attacks punish Western allies and the proceeds offset economic sanctions,” said Kellermann. “We live in a Brave New World.”
A portion of the funds raised by ransomware gangs can even be funnelled back – via cryptocurrency – to support the regime under whose protection they operate, Kellermann said. They, in turn, can help regimes such as Russia’s and North Korea’s skirt sanctions, an arrangement Kellermann dubbed: “Pax Mafioso”.
Australian authorities on Friday identified the REvil hacking group as the perpetrators of the cyberattack on Medibank and Russia as the source country of the attack.
The hackers accessed the data of 9.7 million Australian customers, and demanded $US10 million ($15 million) on the promise to give it back. The group began posting it on the dark web, allegedly singling out victims based on their profiles.
While there has been no explicit political messaging surrounding the Medibank hack, the behaviour of Russian ransomware gangs has changed over the past year, becoming more aggressive and brazen towards their Western targets.
The trend of criminal cybergangs embracing the ideology or motivations of the Kremlin has accelerated since Vladimir Putin’s invasion of Ukraine in February.
Speaking about Russian ransomware gangs in general, Internet 2.0’s co-CEO Robert Potter said: “They’ve been co-opted into the ideology of the Kremlin.”
This is not the first time the REvil ransomware gang has hit Australia. REvil was behind the ransomware attacks on meat processor JBS in Australia and abroad in May last year.
Before the war in Ukraine began, Russian authorities arrested more than a dozen members of the REvil gang in a move interpreted at the time as a gesture that Moscow would take US concerns about Russia’s ransomware gangs seriously.
The arrests “sent a message of the benefits of co-operation with Russia, while at the same time underscoring the potential costs to the United States if relations worsen,” The Washington Post reported.
Once the invasion began, Putin ended any efforts to restrain the gangs operating from Russia’s jurisdiction. Since then, as in so many other areas of politics and society, a kind of politicised polarisation has swept across the world of hackers and online criminals.
“We’ve been picking up a co-opting of the ideology of ransomware gangs from the top or an aligning of ideology from the bottom, coming through from their messaging...” said Potter, of Internet 2.0, an organisation that tracks cyber activity.
The slippery nature of cybercrime gangs, as well as their currency of choice, cryptocurrency, complicates efforts to sanction the players involved. The funds passed from criminal hacker gangs to regimes can undermine sanctions placed on the nations that play host to them.
The UN, for example, has concluded that North Korea has hacked about half-a-billion dollars in cryptocurrency that was then used “to support its nuclear and ballistic missile programs to circumvent sanctions”.
Ransomware gangs, meanwhile, can also pass along hacked information to their country’s intelligence community, creating another area of overlap between crime and geopolitics.
“They provide back doors into all victim organisations so the intelligence services can have immediate access,” said Kellermann.
Criminal gangs’ hacking, theft and ransom schemes are aided by risk-averse companies reluctant to draw unwanted attention to the intrusions. Robust cybersecurity insurance policies have also historically made paying the gangs an easier option.
Medibank has refused to pay the ransomware gang.
The US, Australia and like-minded democracies have been adapting to the new form of cyber aggression that has flourished in part because it sits neatly outside any single area of business or law enforcement.
The White House this month convened the second annual International Counter Ransomware Task Force which brought together representatives from 37 countries and the EU. Among their pledges were to co-ordinate on priority targets, actively share information between governments on gang activity and apply anti-money laundering and anti-terrorism rules for cryptocurrency providers. The taskforce will also “take joint steps to stop ransomware actors from being able to use the cryptocurrency ecosystem to garner payment.”
Australia, as the inaugural chair for the international taskforce, will lead efforts to “co-ordinate resilience, disruption, and counter illicit finance activities” among member countries.
The Medibank hack and ransom follows the high-profile hack of telco Optus, in which the identity documents of millions of customers were hacked.
Russian criminal gangs were behind three-quarters of all ransomware attacks in the second half of 2021 in the US.