2022-11-13

The Australian Federal Police have publicly attributed the hacking and mass data exfiltration of Medibank customer information to Russia-based criminal groups, but pulled up well short of implicating state or military intelligence involvement.

In the public attribution, made during a press conference held by AFP commissioner Reece Kershaw on Friday, there was no specific identification of the BlogXX/REvil ransomware crew, who appear to be taking credit for making demands and posting Medibank customer information in an apparent effort to maximise damage after a refusal to pay a US$10 million ransom.

“The AFP is undertaking covert measures and working around the clock with our domestic agencies and our international networks. This is important because we believe those responsible for the breach are in Russia,” Kershaw said.

“Our intelligence points to a group of loosely affiliated cyber criminals who are likely responsible for past significant breaches in countries across the world. These cybercriminals are operating like a business with affiliates and associates who are supporting the business.”

Kershaw said the AFP believed “some affiliates may be in other countries.”

“We believe we know which individuals are responsible, but I’ll not be naming them.”

“I will say that we’ll be talking with Russian law enforcement about these individuals. The AFP is responsible for the Australian Interpol National Central Bureau, which has direct contact with National Central Bureau Moscow,” Kershaw said.

“Interpol national central bureaus cooperate on cross border investigations, operations and arrests to take investigations beyond national borders [and] they can seek cooperation from any other National Central Bureau.”

The referral to Interpol essentially puts Russian authorities on notice that Australia expects doors to be knocked on, a fairly optimistic outlook given Australia’s conspicuous support of Ukraine. Nobody really expects any major outcome from the gesture, but it does place a marker on the jurisdiction the groups are believed to be operating out of.

Cyber experts such as former AFP high-tech crime chief Nigel Phair supported using the long arm of international law.

“I applaud the AFP for talking about this publicly, who the criminals are and where they are. I hope they use the full force of the law to investigate and prosecute,” Phair said.

Last week the Australian Cyber Security Centre’s annual threat report cited the Russian invasion of Ukraine as having “altered the geopolitical balance in ways that could expose organisations to increased malicious cyber activity.”

“The integration of cyber operations into conventional war has drawn non-traditional combatants and civilian entities into the conflict. Criminal syndicates and issue-motivated groups have conducted activities in support of Russian or Ukrainian interests, independent of Russian and Ukrainian government chains of command,” ASD wrote.

“Issue-motivated groups have made claims of successful attacks against government and private networks, including exfiltration and posting of data on the dark web. Such activities facilitate future potential cyberattacks by malicious state and non-state actors.”

Business as usual then.