Two weeks after the Australian privacy watchdog filed a lawsuit against Medibank for failure to protect personal information of its citizens in a 2022 data breach, the Information Commissioner's office this week made public a comprehensive analysis of the security failures that led to the incident. Medibank, a prominent Australian health insurance provider, faced a devastating cyberattack in October 2022 that compromised the personal data of 9.7 million current and former customers. According to the report from the Office of the Australian Information Commissioner (OAIC), the attack was likely caused by a lack of basic cybersecurity measures like requiring its workers to use multi-factor authentication to log onto its VPN.

The Sequence of Events in the Medibank Breach

The attack on Medibank began when an IT service desk operator at a third-party contractor used his personal browser profile on a work computer and inadvertently synced his Medibank credentials to his home computer. This home device was infected with information-stealing malware, which allowed hackers to obtain these credentials, including those with elevated access permissions. The attackers first breached Medibank’s Microsoft Exchange server using these credentials on August 12, 2022, before logging into Medibank’s Palo Alto Networks Global Protect VPN. Incidentally, the VPN did not require multi-factor authentication (MFA), making it easier for the attackers to gain access. It was only in mid-October that Medibank brought in a threat intelligence firm to investigate a Microsoft Exchange ProxyNotShell incident, when they discovered data was previously stolen in a cyberattack.

"During the Relevant Period, the Admin Account had access to most (if not all) of Medibank's systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases)." - the OAIC report.

Security Failures and Missed Alerts

Lack of Multi-Factor Authentication (MFA)

One of the critical failures in the Medibank breach was the health insurer’s neglect to implement MFA for VPN access. The OAIC report said that during the relevant period, the VPN was configured to allow access with just a device certificate or a username and password. It did not require the additional security layer provided by MFA. This oversight significantly lowered the barrier for unauthorized access.

Operational and Alert Management Failures

Despite receiving several security alerts from their Endpoint Detection and Response (EDR) software about suspicious activities on August 24 and 25, these alerts were not appropriately triaged or escalated. This delay allowed the attackers to continue their operations undetected for an extended period, which ultimately led to the exfiltration of approximately 520 gigabytes of sensitive data from the company's MARS Database and MPLFiler systems.

Data Compromised and Consequences

The stolen data included highly sensitive information such as customers' names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers and extensive health-related data. The exposure of such information has severe implications for the affected individuals, ranging from identity theft to potential misuse of medical data in various frauds and scams. The attackers linked to the ransomware gang BlogXX, which is believed to be an offshoot of the notorious REvil group, leaked the data on the dark web. This incident not only caused significant distress to millions of Australians but also highlighted the grave consequences of inadequate cybersecurity measures.

Legal and Regulatory Actions Follow

The OAIC said that Medibank was aware “of serious deficiencies in its cybersecurity and information security,” prior to the hack. For example, citing an Active Directory Risk Assessment report from Datacom in June 2020, OAIC said Medibank had an excessive number of individuals who had access to Active Directory (being the Microsoft directory service used for management of all Medibank users, group policies and domains).

"A number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and nonprivileged users which was described as a “critical” defect."

Given the nature and the volume of the data Medibank stores and collects, “it was reasonable” for the company to adopt the security measures recommended by Australia’s privacy regulator, but “these measures were not implemented, or, alternatively, not properly implemented or enforced, by Medibank,” OAIC said.

Thus, in response to the breach and the negligence that led to it, Australia's data protection regulator OAIC, announced legal action against Medibank for failing to protect personal information. The company faces potential fines exceeding AU$2 million.

A spokesperson for the health insurer did not detail the plan of action against the lawsuit but earlier told The Cyber Express that ”Medibank intends to defend the proceedings.”

Medibank Hacker Sanctioned and Arrested

Earlier this year, the U.S., Australia, and the U.K. sanctioned Aleksandr Gennadievich Ermakov, believed to be behind the 2022 Medibank hack. Ermakov, also known by aliases such as AlexanderErmakov and JimJones, was subsequently arrested by Russian police along with two others for violating Article 273, which prohibits creating or spreading harmful computer code. Extradition of Ermakov is unlikely given the current political climate.

Lessons and Recommendations

The Medibank breach underscores several critical lessons for organizations regarding cybersecurity: 1. Implementation of Multi-Factor Authentication: Utilizing MFA for all access points, especially VPNs, is essential. MFA adds an additional layer of security, making it significantly harder for attackers to exploit stolen credentials. 2. Proper Alert Management: Organizations must ensure that security alerts are promptly and effectively managed. Implementing robust procedures for triaging and escalating suspicious activities can prevent prolonged unauthorized access. 3. Regular Security Audits: Conducting regular security audits to identify and rectify vulnerabilities is crucial. These audits should include evaluating the effectiveness of existing security measures and compliance with best practices. 4. Employee Training: Continuous training for employees on cybersecurity best practices, including safe browsing habits and the importance of using corporate credentials responsibly, is vital to minimize the risk of breaches originating from human error.

Authorities in Australia, the United Kingdom and the United States this week levied financial sanctions against a Russian man accused of stealing data on nearly 10 million customers of the Australian health insurance giant Medibank. 33-year-old Aleksandr Ermakov allegedly stole and leaked the Medibank data while working with one of Russia’s most destructive ransomware groups, but little more is shared about the accused. Here’s a closer look at the activities of Mr. Ermakov’s alleged hacker handles.

The allegations against Ermakov mark the first time Australia has sanctioned a cybercriminal. The documents released by the Australian government included multiple photos of Mr. Ermakov, and it was clear they wanted to send a message that this was personal.

It’s not hard to see why. The attackers who broke into Medibank in October 2022 stole 9.7 million records on current and former Medibank customers. When the company refused to pay a $10 million ransom demand, the hackers selectively leaked highly sensitive health records, including those tied to abortions, HIV and alcohol abuse.

The U.S. government says Ermakov and the other actors behind the Medibank hack are believed to be linked to the Russia-backed cybercrime gang REvil.

“REvil was among the most notorious cybercrime gangs in the world until July 2021 when they disappeared. REvil is a ransomware-as-a-service (RaaS) operation and generally motivated by financial gain,” a statement from the U.S. Department of the Treasury reads. “REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.”

The sanctions say Ermakov went by multiple aliases on Russian cybercrime forums, including GustaveDore, JimJones, and Blade Runner. A search on the handle GustaveDore at the cyber intelligence platform Intel 471 shows this user created a ransomware affiliate program in November 2021 called Sugar (a.k.a. Encoded01), which focused on targeting single computers and end-users instead of corporations.

In November 2020, Intel 471 analysts concluded that GustaveDore’s alias JimJones “was using and operating several different ransomware strains, including a private undisclosed strain and one developed by the REvil gang.”

In 2020, GustaveDore advertised on several Russian discussion forums that he was part of a Russian technology firm called Shtazi, which could be hired for computer programming, web development, and “reputation management.” Shtazi’s website remains in operation today.

The third result when one searches for shtazi[.]ru in Google is an Instagram post from a user named Mikhail Borisovich Shefel, who promotes Shtazi’s services as if it were also his business. If this name sounds familiar, it’s because in December 2023 KrebsOnSecurity identified Mr. Shefel as “Rescator,” the cybercriminal identity tied to tens of millions of payment cards that were stolen in 2013 and 2014 from big box retailers Target and Home Depot, among others.

How close was the connection between GustaveDore and Mr. Shefel? The Treasury Department’s sanctions page says Ermakov used the email address ae.ermak@yandex.ru. A search for this email at DomainTools.com shows it was used to register just one domain name: millioner1[.]com. DomainTools further finds that a phone number tied to Mr. Shefel (79856696666) was used to register two domains: millioner[.]pw, and shtazi[.]net.

The December 2023 story here that outed Mr. Shefel as Rescator noted that Shefel recently changed his last name to “Lenin” and had launched a service called Lenin[.]biz that sells physical USSR-era Ruble notes bearing the image of Vladimir Lenin, the founding father of the Soviet Union. The Instagram account for Mr. Shefel includes images of stacked USSR-era Ruble notes, as well as multiple links to Shtazi.

Intel 471’s research revealed Ermakov was affiliated in some way with REvil because the stolen Medibank data was published on a blog that had one time been controlled by REvil affiliates who carried out attacks and paid an affiliate fee to the gang.

But by the time of the Medibank hack, the REvil group had mostly scattered after a series of high-profile attacks led to the group being disrupted by law enforcement. In November 2021, Europol announced it arrested seven REvil affiliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals.

“The posting of Medibank’s data on that blog, however, indicated a connection with that group, although the connection wasn’t clear at the time,” Intel 471 wrote. “This makes sense in retrospect, as Ermakov’s group had also been a REvil affiliate.”

It is easy to dismiss sanctions like these as ineffective, because as long as Mr. Ermakov remains in Russia he has little to fear of arrest. However, his alleged role as an apparent top member of REvil paints a target on him as someone who likely possesses large sums of cryptocurrency, said Patrick Gray, the Australian co-host and founder of the security news podcast Risky Business.

“I’ve seen a few people poo-poohing the sanctions…but the sanctions component is actually less important than the doxing component,” Gray said. “Because this guy’s life just got a lot more complicated. He’s probably going to have to pay some bribes to stay out of trouble. Every single criminal in Russia now knows he is a vulnerable 33 year old with an absolute ton of bitcoin. So this is not a happy time for him.”

Update, Feb. 21, 1:10 p.m. ET: The Russian security firm F.A.C.C.T reports that Ermakov has been arrested in Russia, and charged with violating domestic laws that prohibit the creation, use and distribution of malicious computer programs.

“During the investigation, several defendants were identified who were not only promoting their ransomware, but also developing custom-made malicious software, creating phishing sites for online stores, and driving user traffic to fraudulent schemes popular in Russia and the CIS,” F.A.C.C.T. wrote. “Among those detained was the owner of the nicknames blade_runner, GistaveDore, GustaveDore, JimJones.”