The Guardian Australia

Medibank hacker blog mysteriously disappears but experts warn it may return

- Josh Taylor

The dark web blog that Russian cybercriminals were using to post Medibank customer data has gone offline without explanation.

The site appears to have disappeared between Monday and Tuesday, Australian time, and has not returned since. The file server where leaked Medibank files were linked from the blog has remained online.

On Sunday, the hacker group – which authorities have linked to Russia and which is believed to be connected to the REvil ransomware organisation – posted 1,500 records related to claims on chronic conditions such as heart disease, as well as the patient details of people with cancer, dementia, mental health conditions and infections.

It was the fifth dump of files since Medibank refused to pay the US$10m (AU$15m) ransom.

Prior to Sunday, 123 customer claims associated with terminating pregnancies, mental health issues, and drug and alcohol use were posted on the blog, along with hundreds of customers’ personal details. Those details include names, addresses, dates of birth, phone numbers, email addresses and gender – but not medical information.

The site being taken offline has disrupted the release of people’s personal information but it is unclear what the cause of the disruption was, or if the site will return.

Brett Callow, threat analyst at Emsisoft, said it was hard to read anything into the site going offline.

“Leak sites drop offline all the time, but usually come back online within a few days,” he said. “Usually, but not always. Occasionally, they drop offline and remain offline.

“That happened to REvil’s initial site after the operation was seemingly disrupted by law enforcement. The bottom line is that we can’t read too much into this. It could be something or it could be nothing.”

A spokesperson for the Australian federal police (AFP) declined to comment, citing the ongoing investigation into the hack.

Last week the AFP commissioner, Reece Kershaw, said the hackers were likely Russian in origin, and said the AFP would be seeking the assistance of Russian authorities through Interpol. The announcement prompted a rebuke from the Russian embassy in Canberra, accusing the AFP of taking a “politicised approach” by making the announcement before informing Russian authorities.

Medibank declined to comment. The company had previously warned customers to expect data to continue to be posted by the hackers. The AFP is running Operation Guardian in parallel with its criminal investigation to seek to protect Medibank customers who have had their data posted on the dark web.

The AFP said it would be tracking down where the data may be posted elsewhere, as well as attempts to sell the data or extort Medibank customers caught up in the breach.

The blog used by Russian cybercriminals to post Medibank customer information has disappeared but one expert says ‘we can’t read too much into this’. Photograph: Rick Rycroft/AP