
Australia Critical Infrastructure Hit by REvil Affecting Millions of Records; Authorities Vow Retaliation


A monstrous hack on Australia’s largest private health insurer and a telecommunications giant has prompted the nation to mount a charge to fight back with counter moves of its own, according to multiple reports.

10 Million Records Compromised

The hackers have lifted nearly 10 million customer records from Medibank, the insurer, with nearly 20% of those coming from international customers, CNN reported. The files include health claims data for almost half a million people, including 20,000 international credentials.

The cyber crew behind the Medibank score is reportedly the notorious REvil, the same Russian-linked group that took down meat processor JBS earlier last year, two food distributors and other big fish. REvil has already begun to release batches of the data on the dark web, CNN said.

REvil has also been fingered for attacks on thousands of managed security service providers (MSSPs), managed service providers (MSPs) and transportation companies. REvil is suspected of authoring the GandCrab ransomware-as-a-service.

Aussies Want to Hack the Hackers

What is particularly interesting about this latest campaign is Australian Cybersecurity Minister Clare O’Neil’s vow to “hack the hackers,” rather than just ramping up defenses, as the Washington Post reported. Her promise to fight back with cyberattacks mirrors in some ways how the U.S. has responded to REvil and other subsequent attackers.

Late last week, Australian Prime Minister Anthony Albanese said that the government of the country the hackers come from should be held accountable.

Albanese told CNN:

“The nation where these attacks are coming from should also be held accountable for the disgusting attacks, and the release of information including very private and personal information.”

Medibank first detected unusual activity in its network last month. The organization issued a statement in late October that names, addresses, phone numbers and some claims information had been pilfered from its systems, the CNN report said. The ransom demand was roughly $10 million or 15 million Australian dollars. Medibank has refused the ransom demand.

Telecom Carrier Hit

In late September, hackers also hit telecom carrier Singtel Optus, the second-largest carrier in Australia with more than 10 million customers. It's unknown who carried out the Optus operation.

Optus subsequently rebuilt the data set that was exposed, which was “no small feat,” the company said in a letter to customers.

Both attacks cut through Australian infrastructure, duplicating to a degree the assaults REvil has carried out in the U.S. and Europe, officials said.

Australian Federal Police (AFP) Commissioner Reece Kershaw told reporters investigators know the identity of the individuals responsible for the attack on health insurer Medibank, but he declined to name them, CNN reported.

Kershaw put the cyber crooks on notice:

“To the criminals, we know who you are. And moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system. The AFP is undertaking covert measures and working around the clock with our domestic agencies and international networks including Interpol. This is important because we believe those responsible for the breach are in Russia.”

More Hacks Reported

Australia is no stranger to cyberattacks. Late last year, reports surfaced that a little-known breach by Huawei into an Australian telecom company, conducted nearly a decade ago, used a malware-laden software patch to infiltrate the carrier’s networks. The malicious code reportedly scrubbed itself from systems after a few days. It worked like a digital wiretap, transmitting information back to China.

In January 2021, cyber swindlers masquerading as Australian Cyber Security Centre (ACSC) officials lured unsuspecting victims to hand over their personal credentials. The agency issued a warning over this malevolent phishing campaign.

Cyber War Is On

Along with other countries, particularly the U.S., Australia has regularly promised to chase down hackers and bring them to justice. In the U.S. last June, Cyber Command (CyberCom) Director Gen. Paul Nakasone said the U.S. had conducted offensive cyber operations in support of Ukraine as it tries to fend off Russian aggression. Nakasone’s remarks were the first official announcement by the U.S. that it is involved in cyber activities in support of Ukraine.

“We’ve conducted a series of operations across the full spectrum: offensive, defensive, information operations,” he said in an interview with Sky News.

In September 2021, Nakasone told attendees at the National Security Summit to expect U.S. intelligence and national security to mount a “surge” against nation-state sponsors of cyberattacks.

Nakasone, who also heads the National Security Agency (NSA), first signaled his intention to adopt a more aggressive cybersecurity stance three years ago but lacked a definitive adversary. Now, prompted by a series of blows landed by ransomware attackers, particularly Russian-backed operatives, cyber hijacking is a clear threat to national security, he said.

Nakasone advised on the implications:

“Even six months ago we probably would have said, ‘Ransomware, that’s criminal activity’. But if it has an impact on a nation, like we’ve seen, then it becomes a national security issue. If it’s a national security issue, then certainly we’re going to surge toward it.”

Earlier in 2021, Nakasone told the U.S. Senate Armed Services Committee that CyberCom had carried out some two dozen strategic operations to safeguard the 2020 national elections. Eleven of the operations in nine different countries were “hunt forward,” intended to secure the 2020 election, he said.

Russia Claims REvil Dismantled

In January, with no shortage of irony, Russia’s FSB security agency said that it had dismantled REvil and arrested some of its members in response to a request from the U.S. and prodding from President Biden to shut down the ransomware gang and others, the NY Times reported.

Of course, there are downsides to cyber paybacks against cyberattackers. For example, as the Washington Post pointed out, it requires confidence that you’re hitting the correct perpetrators and also an understanding that doing so unveils your cyber abilities.

As a case in point, REvil disappeared from the internet on or about July 13, 2021. Industry insiders wonder if the U.S. launched a cyber operation against REvil in response to REvil’s alleged attack against Kaseya’s VSA software on July 2, 2021.

It isn’t only REvil that has been counterattacked by international law enforcement. In January 2021, international law enforcement and judicial authorities in eight countries collaborated to dismantle the Emotet botnet, widely regarded as the world’s most dangerous and notorious malware operation.

Authorities said they gained control of Emotet’s infrastructure, which involved hundreds of servers located globally, by taking it down from the inside. The effort redirected the infected machines of victims to a law enforcement environment.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.