Separate criminals had hand in Medibank hack
The criminal behind the Medibank data hack bought login credentials to gain access to the network from an online Russian criminal forum, then did extensive reconnaissance, which experts estimate would have lasted months, before collecting the data.
Australia’s largest private health insurance company last week revealed it had up to 200 gigabytes of data stolen from its servers, including customers’ intimate health information and even the location of treatments.
Medibank was forced to apologise to customers on Monday after the insurer sent letters to their dead relatives, saying their medical records and other personal data might have been stolen in the cyber attack.
“In some cases, we will have written to former customers and unfortunately that might mean we have sent communications to some people who have passed away,” a Medibank spokeswoman said.
“We understand that receiving such a letter could be distressing to family members and we apologise if we have caused hurt in our efforts to communicate to everyone as quickly as possible.”
The Australian now understands a credential broker – which refers to a type of criminal that steals and sells credentials – stole a Medibank login with a high level of access to the health insurer’s network, before advertising the information on a Russian-language criminal forum.
A second criminal bought the data, which they used to access Medibank, and began collecting intelligence on the structure and function of the network.
While inside the Medibank system, the criminal built a bespoke tool for the Medibank platform and with one clear purpose – large-scale data theft.
The criminal put all the customer information into a zip file and then moved it, which alerted Medibank to suspicious activity on the network.
It is not known how long the criminal who bought the Medibank login was on the network, with investigations by the Australian Federal Police and Australian Signals Directorate still ongoing. Director of the Australian Strategic Policy Institute’s international cyber policy centre Fergus Hanson said the hack seemed to be a “common cyber criminal operation”.
“I think the first part is: how do you get access in the first place? That’s the thing that matters, and the fact a credential vendor just found it and sold it is important,” he said.
The fact two apparently unrelated criminals both had a hand in the breach reflected the level of “specialisation” in the cyber criminal market.
Whether or not the criminals were affiliated to a major cyber gang – such as the Russian-based Hive ransomware group – is still subject to the AFP and ASD investigations, as is the location they operated out of.
While the ASD alerted Medibank early on to “chatter” that the health insurer could be subject to a ransomware attack, no evidence of ransomware has been detected.
While the actual theft of the Medibank credentials could have been a relatively simple operation, Mr Hanson said the bespoke data-harvesting tool designed by the person who bought the credentials suggested there was “a decent operator at the other end” of the hack.
Chief executive of cyber security firm Gridware and adjunct professor at Western Sydney University, Ahmed Khanji, said criminals often “dwelled” on networks for months at a time before launching an attack. “If there’s no direct financial opportunity, what they (the criminal) will do is steal that data and then sell it on. The crown jewels for cyber criminals is now data,” Mr Khanji said.