How it happened: Medibank hack came via a single login
Insiders say hackers exploited a basic flaw in Medibank’s security. It’s part of a dramatic surge in attacks that’s forcing authorities to step up the hunt for cybercriminals offshore.
In private briefings to other companies, Medibank has revealed the source of the catastrophic hack that allowed Russian-backed cybercriminals to steal the intimate medical records of about 480,000 customers.
The criminal syndicate found the login credentials for a single support desk worker at the health insurer that did not have two-factor authentication – a basic security standard that sends a message to a mobile phone or email account for verification once a username and password have been entered – and gained access to virtually the entire contents of the company’s business.
Once inside, the hackers got even luckier. They were able to lurk for weeks without being noticed, ripping out sensitive data by the gigabyte as they went. By October 12, officers at the Australian Signals Directorate (ASD) decided to act on some suspicious activity that was playing out on the Medibank network and phoned the company about 1.20pm.
As it turns out, Medibank staff were watching the same “unusual cyberactivity” and wondering what to make of it. The next day, chief executive David Koczkar released a statement to the market acknowledging the intrusion, but believed there was no evidence at that time to suspect critical information had been stolen. That changed six days later when the hackers got in touch with some sample records. The news seemed to get worse and worse over the next few weeks as the size and scale of the problem grew.
But the hackers, who demanded a $15 million ransom that Medibank has refused to pay, may not have counted on their swindle being the one that fundamentally rewrote the rules of engagement for Australian authorities.
Late on Friday, November 11, Australian Federal Police Commissioner Reece Kershaw made a brief statement to media.
“We believe that those responsible for the breach are in Russia,” he said. “Our intelligence points to a group of loosely affiliated cybercriminals, who are likely responsible for past significant breaches in countries across the world.
“These cybercriminals are operating like a business with affiliates and associates, who are supporting the business.”
Kershaw was quick to note the AFP is working with its counterparts in Interpol – the Australian Interpol National Central Bureau was to make contact with Russia’s National Central Bureau of Interpol – but he seemed to hint this was unlikely to produce any outcome.
Russia has not exactly been co-operative of late and Kershaw reminded the organisation that it benefits from data shared via the international policing arrangements and “that comes with responsibilities and accountability”.
The next day, on Saturday, the minister for Cyber Security, Clare O’Neil, announced one of the biggest shake-ups in the operating model of the ASD and the Australian Federal Police (AFP): a cross-agency, permanent force of 100 people whose job will be to hunt down cybercriminals around the world.
“So this is not a model of policing where we wait for a crime to be committed and then try to understand who it is and do something to the people who are responsible,” O’Neil said on the ABC’s Insiders program on Sunday. “We are offensively going to find these people, hunt them down and debilitate them before they can attack our country.”
ASD director-general Rachel Noble told senate estimates on November 8 that the organisation, which sits in the Defence portfolio, does undertake and “has undertaken operations to disrupt cybercriminals who have attacked Australia” in the past 18 months. Under existing reporting lines, these must be authorised by the Defence minister. When Dan Tehan was assistant minister for Cyber Security in 2017 in the Turnbull government, he cleared the way for the ASD to use its “offensive cyber capabilities” to take the fight against cybercriminals offshore.
What has changed is the scale and permanency of the approach. This has been on Labor’s mind since at least June last year when then Cyber Security spokesperson Tim Watts told the parliament: “It’s time to release the hounds on the ransomware crews.
“As recommended by the International Ransomware Taskforce report, the Australian Signals Directorate should develop a target list of the top 10 ransomware groups targeting Australian organisations and then set about disrupting their command and control infrastructure, their communications platforms and their finances,” he said.
“Ransomware groups should fear the consequences of being added to ASD’s targeting list.”
The Medibank hackers just made it to the top of that list.
It is something for which the Australian information security sector has long argued.
“I think it’s a big deal,” author of the information security publication Seriously Risky Business and former ASD analyst Tom Uren tells The Saturday Paper. “The old way that they [ASD] would describe their mission is ‘reveal their secrets, protect our own’ but this is a third thing. You could probably call it ‘mess with other people’ to make their lives more difficult.”
One of the chief concerns in Australia now is the dramatic surge in cyberattacks and the time and resources required to improve defences against them. It’s a long-term proposition, not a quick fix.
“What I like about going after cybercriminals is a small number of groups are responsible for a lot of the havoc,” Uren says. “And so assuming you have success – like, you’re not going to stop them, but I think you can slow them down – that phenomena, that a small number cause a lot of harm, means that you can get a good return on investment.”
Whether these online strikes would be carried out only as retaliation, or also where there is a likelihood that a group would target Australians, is not clear. It raises interesting questions about the use of force outside of war. But as Uren and others note, these are not military targets.
“The best metaphor is when you had all these Somali pirates hijacking ships off the coast of Somalia. That’s a crime, right? It’s a crime, it’s not a military action,” one industry watcher says. “And eventually, you had the US Navy out there because it was fucking up the supply of goods, shipping, it was fucking up something important. What we have got here is ransomware that has got to the same point.” In any case, there is no Minority Report-style arrest before a crime is committed. Done right, the deterrence is in the mess authorities hope to create by breaking systems and networks of known criminals or hacking groups.
“Domestic law enforcement is the role of the state and we traditionally haven’t reached into other states for law enforcement purposes, outside of working police to police,” Uren says. “It makes sense to be more explicit about the checks and balances and how it’s consistent with international law … I think it’s worth being transparent.
“Espionage kind of falls under the use of force. And I would say that what we’re talking about here is also falling under the use of force. So we’re not talking about killing anyone by cybering them to death, we’re talking about disrupting their phone or their chat messages or wiping their computer or something like this. In that sense, it is inconsequential.”
There is a theory within information security circles that Australian authorities – whether the AFP or the ASD or both – found the hacker responsible for the Optus breach and applied pressure on them. That person, most likely a teenager or unaffiliated hacker, stumbled onto a programming interface exposed to the internet in which a telco staffer had set up a testing environment.
This staffer had filled the development site with actual production data – that is, 10 million customer records and other information – that had not been randomised. It’s a breathtakingly simple oversight and one that suggests the hacker themselves may not have been the most savvy. Especially given that they appeared to suddenly change their mind about using the information for extortion, apologised in online posts and then claimed to have deleted all of the data.
“That kind of behaviour … doesn’t seem like a hardened criminal group, right? That’s totally different from the behaviour with Medibank, where they are being real arseholes,” Uren says. “That makes you think of someone unsophisticated, which means that probably their Opsec [operations security] is not that good, which makes it likely that they could be found. And if you’re going to find someone like that, and they happen to be overseas, to me, the logical thing is just get in touch and tell them to knock it off.”
Criminals with more runs on the board might take more convincing or, failing that, counterattacks, but that is something the ASD is well-equipped to do. Especially if they have the ongoing authorisation to act and act early.
Uren says cybersecurity attacks have accelerated in frequency and damage inflicted in the past couple of years, but thinks a “structural shift” has happened in the past few months. Why that is the case is difficult to answer.
“My theory is that at any point in time there is kind of a ‘what is reasonable for defenders to do’, and ideally that stays ahead of what attackers can do,” he says. “And I think the attackers just recently have figured out how to do something more effectively. So that it’s giving them a bit of an edge.”
This is the arms-race lens that is often applied to theatres of war. A senior manager of cybersecurity for one of Australia’s largest corporations tells The Saturday Paper there is a near-constant evolution between defence and offence.
“We are seeing an absolute crazy spike in cybersecurity hiring, not just recently but over the last two years,” they said. “People hired on $120,000 are being poached on 200 grand. CrowdStrike in particular are hoovering up all the talent they can get.”
CrowdStrike is a software company that provides endpoint detection and response (EDR), which, according to this source, is “like antivirus on crack”. It’s increasingly useful technology because it doesn’t just look for known attack “signatures” but for novel attacks, too. These are known as zero-day attacks, because they target vulnerabilities discovered by hackers that have not previously been used and, therefore, may not easily be guarded against, or that software developers have not yet been able to fix.
“So detection response is like the next level where it uses heuristics, like looking at the behaviour,” the cybersecurity executive says.
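The behaviour-based approach the executive describes, applied to the pattern described earlier in this article (a single account quietly moving data out by the gigabyte over weeks), as an added illustration that is not code from the article, Medibank or CrowdStrike. The log format, account names and thresholds are constructed for the example.

```python
"""Behaviour-based detection of sustained bulk data egress.

Added illustration, not code from the article, Medibank or CrowdStrike.
The log format, account names and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO timestamp, account, outbound bytes.
# One support account trickles data out overnight on three days.
SAMPLE_LOG = """\
2022-09-20T09:00:00 svc-support-01 120000
2022-09-20T13:00:00 svc-support-01 95000
2022-09-21T02:10:00 svc-support-01 900000000
2022-09-21T10:00:00 analyst-17 80000
2022-09-22T02:15:00 svc-support-01 1200000000
2022-09-23T02:05:00 svc-support-01 1100000000
2022-09-23T11:00:00 analyst-17 110000
"""


def parse_log(text):
    """Parse lines into (datetime, account, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), account, int(nbytes)))
    return events


def daily_egress(events):
    """Sum outbound bytes per (account, ISO date)."""
    totals = defaultdict(int)
    for ts, account, nbytes in events:
        totals[(account, ts.date().isoformat())] += nbytes
    return dict(totals)


def flag_bulk_egress(events, daily_threshold=500_000_000, min_days=2):
    """Accounts exceeding daily_threshold bytes on at least min_days
    distinct days. No signature is involved: the rule keys on volume
    and persistence, the pattern of a slow, weeks-long exfiltration."""
    days_over = defaultdict(set)
    for (account, day), total in daily_egress(events).items():
        if total > daily_threshold:
            days_over[account].add(day)
    return sorted(a for a, d in days_over.items() if len(d) >= min_days)


if __name__ == "__main__":
    print(flag_bulk_egress(parse_log(SAMPLE_LOG)))  # ['svc-support-01']
```

In practice the threshold would be derived from each account's own baseline rather than fixed, and the rule would run alongside, not instead of, the login anomaly checks that would have caught a credential lacking two-factor authentication.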
Like evolution, however, cybersecurity is as much a game of chance as it is one of good planning. Humans make mistakes. Technologies evolve. Combine those two assumptions and hackers find new ways to break in. According to the “Annual Cyber Threat Report” released this month, there was a cybercrime committed every seven minutes in Australia – 76,000 for the year. And those are just the ones that succeed.
Clare O’Neil recalled National Australia Bank’s public acknowledgement that it is being hit with 50 million cyberattacks each month. The tax office with three million.
Just one of these needs to find an unpatched system on a network to gain entry. The vast majority of successful attempts are precisely because of flaws or vulnerabilities in software or applications that have not been patched or fixed.
When hackers find new exploitable gaps, these are extremely valuable whether they use them for their own purposes or sell them. Sometimes, governments buy them and hoard them because they want to use them against enemies.
“There’s a competition called Pwn2Own where the best hackers in the world show off their stuff and get paid bounties from the companies,” the cybersecurity manager says.
“China doesn’t let its hackers go to that anymore because they want to keep all the zero-days for themselves.”
On Wednesday, Medibank held its annual general meeting and its chair, Mike Wilkins, said the company had made the right decision not to pay a ransom demanded by the hackers, even as yet more data regarding mental health treatments used by its customers was released on the dark web.
“In fact, the advice we have had is that to pay a ransom could have had the opposite effect and encouraged the criminal to directly extort our customers, and put more people in harm’s way by making Australia a bigger target,” he said.
In Australia, at least, this is the accepted rule and one on which companies face a lot of pressure when data – especially personal identifying information – is stolen. These same corporations have regular cybersecurity meetings between chief information security officers or their delegates to share information or tipoffs and strategies. Optus and Medibank both send staff to these meet-ups.
“No one in their right mind would pay a ransom,” says one company cybersecurity manager. “You’re just marking yourself as a company that can be attacked again and again because the chances you will be able to fix all of your security problems in the time between one attack and another are not good.”
If things seem difficult in the private sector, public agencies are not doing so well themselves. A March 2021 report by the Australian National Audit Office on the cybersecurity strategies in place across Commonwealth departments found that less than one-quarter were complying with the “top four” mitigation strategies. That’s a fancy way of saying not even government entities are doing the bare minimum in security.
And that’s a recipe for disaster. On November 8, during questioning at senate estimates, the ASD deputy director-general and head of the Australian Cyber Security Centre, Abigail Bradshaw, said officials were particularly focused on zero-day weaknesses.
“We are very concerned about the increasing number of vulnerabilities and the reduction in the time between proof of concept and exploitation of those vulnerabilities,” she said.
“In the past we would’ve expected to have several weeks – or, in fact, months – before they were prosecuted, but, in fact, in real life it has been a matter of days.”
As defence lags, the ASD has little to lose by going on the offensive.