Russia's embassy in Australia has criticised a statement by Australian Federal Police Commissioner Reece Kershaw that those responsible for the Medibank hack are based in Russia, saying the announcement was made before the AFP contacted Russian law enforcement agencies.
Earlier on Friday, Commissioner Kershaw said intelligence pointed to a group of Russian cyber criminals operating "as a business" being behind the devastating cyber attack on the Australian health insurer that is affecting almost 10 million customers.
"We believe those responsible for the breach are in Russia," Commissioner Kershaw said.
"These cyber criminals are operating like a business with affiliate and associates who are supporting the business.
"We also believe that some affiliates may be in other countries."
The AFP has not publicly named the group responsible, but security sources have told the ABC that authorities believe the culprits are the Russian-based syndicate known as "REvil", which takes its name from "ransomware evil", and who reportedly enjoy protection from President Vladimir Putin.
Commissioner Kershaw said the group was loosely affiliated with past significant breaches in countries across the world, and the AFP was scouring the internet and dark web for those accessing the information and attempting to profit from it.
"This is a time for all Australians, the community, business and law enforcement to stand together and refuse to give these criminals the notoriety they seek," he said.
He also called on businesses to do their part to ensure their systems were protected.
"Cybercrime is the break and enter of the 21st century and personal information is being used as currency," he said.
Commissioner Kershaw reiterated government policy did not condone paying a ransom as it "feeds a cybercrime business model".
Russia criticises Kershaw comments, calls for cooperation
Early on Friday evening, the Russian embassy in Australia released a statement criticising Commissioner Kershaw's decision to go public with the information before contacting Russian authorities.
"For some reason, this announcement was made before the AFP even contacted the Russian side through the existing professional channels of communication," the statement said.
"We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies.
"Fighting cybercrime that adversely affects people's lives and damages businesses demands a cooperative, non-politicised and responsible approach from all members of the world community."
Medibank contacts customers over stolen data
Medibank customers are being notified if their individual data has been stolen by the hackers.
In correspondence to one customer, seen by the ABC, the company said it was "deeply sorry to inform you that we believe some data relating to your membership has been stolen in the recent cybercrime event".
"This email details what specific membership data we believe was stolen, outlines actions you can take to safeguard your online identity, and the services available through our Cyber Response Support Program," the email said.
Which of your data has been impacted
Based on our investigation, we currently believe the following data relating to your membership has been stolen:
- 1.first name and surname
- 2.gender
- 3.date of birth
- 4.email
- 5.address
- 6.phone number
- 7.Client ID
- 8.Medicare number (but not expiry date)
We believe the criminal has not stolen:
- 1.Credit card and banking details
- 2.Your health claims data
- 3.Primary identity documents, such as a drivers licence. ahm does not collect primary identity documents for resident customers except in exceptional circumstances
- 4.Health claims data for extras services (such as dental, physio, optical and psychology)
Hackers release details on dark web
Earlier on Friday, before Commissioner Kershaw's statement, Prime Minister Anthony Albanese suggested Moscow should be held accountable for the criminal act.
"The fact is that the nation where these attacks are coming from, should also be held accountable for the disgusting attacks, and the release of information including very private and personal information."
On Thursday, the hackers released sensitive details of customers' medical procedures on the dark web and demanded $US1 ($1.60) for each of the 9.7 million Medibank customers.
Medibank has confirmed the personal information of more than 5 million customers has been released so far.
The AFP is now working with Interpol, which has direct contact with National Central Bureau Moscow, to take the investigation beyond borders.
"To the criminals: We know who you are and, moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system," Commissioner Kershaw said.
Key events
To leave a comment on the blog, please log in or sign up for an ABC account.
Live updates
By Bridget Judd
This is where we'll leave Friday's live updates about the Medibank data breach
But you can continue reading the full story right on this page.
I'll leave you with some of your thoughts about today's developments:
When Medibank call you this morning to say you’re in the 2% of the entire data leak with details being viewed and accessed…It shook me to my core. - Marjorie
Good work! I am sure that our “white hats” are now working on strategies to disable the servers if these reprehensible cyber criminals. - Peter E
Aren’t we technically at war with Russia so why would Russian LE help the AFP? - Rick
Well what’s the AFP and the government doing about it? People need to see action not just words - Peter
By Bridget Judd
Medibank has been working closely with the AFP from the outset
Speaking earlier, Commissioner Reece Kershaw said the government does not condone ransoms, because any payments "small or large fuels a cybercrime business model".
The ABC's defence correspondent Andrew Greene says Medibank has made a clear declaration it will not pay.
Andrew: Medibank has been working closely with the AFP from the outset, as well as with cyber security authorities – the Australian Signals Directorate and the Australian Cyber Security Centre.
Medibank has made a clear declaration it will not pay a ransom, unlike some other high-profile victims of cybercrimes.
By Bridget Judd
Before today, it was widely believed that Russian hackers were responsible
The ABC's defence correspondent Andrew Greene says none of this is really a shock.
Andrew: No, before today it was widely believed that Russian hackers were responsible for this hack, and although the AFP won’t publicly identify the group responsible, sources have told the ABC it is REvil – which is based in Russia, but has affiliates and associates in other countries
By Bridget Judd
Russia benefits from INTERPOL intelligence-sharing, and 'with that comes responsibilities'
As we heard a short time ago, the AFP will hold talks with Russian law enforcement about those they believe to be responsible.
He says the AFP is responsible for the Australian INTERPOL National Central Bureau, which has direct contact with National Central Bureau Moscow.
"INTERPOL National Central Bureaus cooperate on cross-border investigations, operations and arrests.
"To take investigations beyond national borders, they can seek cooperation from any other National Central Bureau.
"It is important to note that Russia benefits from the intelligence-sharing and data shared through INTERPOL, and with that comes responsibilities and accountability."
By Bridget Judd
Given the severity of the attack, a decision was made to call Russian criminals out as the culprits
It’s hard to say whether the ransom should have been paid…it’s a fine balance between public policy and the interests of hundreds of thousands of individuals. On balance, I believe the ransom could have been paid quickly and secretly, and a lesson learned. Probably too late now, and hopefully not too many individuals will suffer.
- Dennis
Thanks for writing in Dennis. Commissioner Reece Kershaw spoke about this one a little earlier, saying Australian government policy does not condone paying ransoms to cyber criminals.
The ABC's defence correspondent Andrew Greene says it's generally unusual for Australia to do attributions for cyberattacks at all.
Andrew: But given the severity of this attack and in the context of the current geo-political environment following Russia’s invasion of Ukraine a decision has been made by the government to call Russian criminals out as the culprits for this attack.
By Bridget Judd
REvil is not considered part of the Russian state, but it operates with the protection of Vladimir Putin
Good luck with getting Russian authorities to assist!
- Thermal Mass
Thanks for writing in — it's a fair point.
We put this one to the ABC's defence correspondent Andrew Greene.
Andrew: Australia is unlikely to receive any cooperation from Russian authorities. Although REvil is not considered part of the Russian state, it operates with the protection of President Vladimir Putin.
Before Russia’s invasion of Ukraine western nations were already furious at Moscow for harbouring cybercriminals. Australia’s strong support of Ukraine makes it certain that Russia will not want to cooperate.
By Bridget Judd
Authorities suspect the perpetrators are members of the REvil group
The ABC's defence correspondent Andrew Greene has dropped in to answer a few questions about that update from the AFP and some of the main takeaways.
So what do we know about those responsible?
Andrew: Authorities suspect the perpetrators of the Medibank hack are members of the REvil group – a Russian based cyber-criminal gang.
Russia is a member of Interpol – and AFP Commissioner Reece Kershaw says Australia will seek to discuss the crime with Russian authorities.
By Bridget Judd
AFP: 'This cyber attack is an unacceptable attack on Australia'
If you missed the update from Commissioner Reece Kershaw a short time ago, the AFP has now released a full statement:
This cyber attack is an unacceptable attack on Australia and it deserves a response that matches the malicious and far-reaching consequences that this crime is causing.
The AFP is undertaking covert measures and working around the clock with our domestic agencies and our international networks, including INTERPOL.
By Bridget Judd
AFP: Cyber crime is the 'break and enter of the 21st century'
Commissioner Kershaw says cyber crime is the "break and enter of the 21st century", adding that "personal information is being used as currency".
"Finally, I want to reiterate, the Australian government policy does not condone paying... ransoms to cyber criminals.
"Any ransom payment, small or large, fuels a cybercrime business model, putting other Australians at risk."
That brings the press conference to a close.
By Bridget Judd
Do not aid 'these criminals by posting or publishing' leaked data
Commissioner Kershaw is asking the media and those on social media to "do the right thing" and not aid "these criminals" by posting or publishing sensitive information.
"This is a time for all Australians, the community, business and law enforcement to stand together," he says.
By Bridget Judd
Police 'scouring the internet and dark web' to find those accessing leaked personal info
Commissioner Kershaw says authorities will not give up "bring those responsible to justice".
He adds that investigators are also "scouring the internet and the dark web" to identify people who are accessing leaked personal information.
"So the criminals, we know who you are and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system."
By Bridget Judd
AFP to hold talks with Russian law enforcement
Commissioner Kershaw says he won't be naming the individuals responsible, but authorities believe they know who they are.
"What I will say is that we'll be holding talks with Russian law enforcement about these individuals."
By Bridget Judd
AFP believe those responsible for Medibank breach are in Russia
Commissioner Reece Kershaw says police intelligence points to a "group of loosely affiliated cyber criminals who are likely responsible for past significant breaches in countries across the world".
"These cyber criminals are operating like a business with affiliate and associates who are supporting the business.
"We also believe that some affiliates may be in other countries."
By Bridget Judd
AFP Commissioner Reece Kershaw is speaking now
He says it's a "very complex and serious ongoing investigation".
"But I do want to address Australians today to give us much information as I can... without putting at risk the criminal investigation.
"I know Australians are angry, distressed and seeking answers about the highly sensitive and deeply personal information that is been released by criminals who breach Medibank Private database."
By Bridget Judd
What can we expect from the update?
The ABC's Dan Ziffer says the AFP is expected to name who is behind the Medibank hack.
"The Australian Federal Police will release their information on the country they think has sponsored or been behind the attack," he says.
By Bridget Judd
We're about to hear from the AFP about the Medibank data breach
AFP Commissioner Reece Kershaw will make a statement about the current investigation into the Medibank data breach.
It comes after Prime Minister Anthony Albanese said authorities know "who is responsible".
"We know where they're coming from, we know who is responsible, and we say that they should be held to account," Mr Albanese said.
We'll have live updates from the press conference in a few short moments at 3:30pm (AEDT), but you can read more below in the interim.
