Share this article on:
In a strange turn of events, the hackers behind the cyber attack on Medibank have seemingly gone dark, with the dark web blog they were using to post the leaked data having gone offline.
The blog disappeared without any given reason between Monday and Tuesday Australian time, however, the file server containing the Medibank files that the blog linked to is still online.
Prior to this, the hackers, which are believed to be connected to Russian-based ransomware group REvil, had leaked the data of Medibank customers on five separate occasions, with the most recent leak occurring on Sunday.
A total of 1,500 records were released pertaining to anemia, as well as chronic conditions such as asthma, diabetes, cancer, heart disease and more.
Despite the constant barrage of data being released, Medibank has refused to pay the $15.6 million requested ransom, a move which has been supported by the Australian government.
While the leak site going dark may be a welcome site for many, the reason behind it is currently unknown, and as Emsisoft threat analyst Brett Callow points out, the site may come back.
“Leak sites drop offline all the time, but usually come back online within a few days. Usually, but not always. Occasionally, they drop offline and remain offline.
“That happened to REvil’s initial site after the operation was seemingly disrupted by law enforcement. The bottom line is that we can’t read too much into this. It could be something or it could be nothing.”
According to Medibank, roughly 25 per cent of the data that has been leaked has been incorrect, and does not match its own records, meaning that the hackers may be struggling to make heads or tails of the stolen data.
The most recent leak for example, which contained data relating to chronic conditions, was released in files labelled “HIV”, “psycho”, “STD” and “viral hep”.
Furthermore, despite the records of 160,000 Medibank customers, 20,000 international customers and 300,000 customers from Medibank’s budget brand AHM having been accessed, the health insurer has confirmed that the data that has been leaked only belongs to AHM users.
“Our analysis has shown 375 of the 1,496 records do not match against that policy for that procedure,” said a Medibank spokeswoman regarding the most recent leak.
“We are conducting further analysis on the files today to determine their accuracy. Previous files released have not matched our records.”
The AFP is ramping up operations against cyber criminals, announcing that it would be seeking assistance from Russian authorities through Interpol as part of its Medibank investigation. The Russian embassy in Canberra responded with an accusation against the AFP, saying that its announcement before informing Russian authorities was a “politicised approach”.
On a broader scale, the AFP is looking to make Australia a “hostile environment for cyber criminals”, having announced a task force to “hack the hackers” among other initiatives.