
‘Use of force’: How Medibank changed the fight on hackers

Nov 21, 2022 •

Some of the most sensitive data to be obtained by hackers in Australian history has been published. A Russian network of hackers has put online private medical data including names, records of pregnancy terminations, HIV status and treatment for drug and alcohol problems.

The data was obtained in an attack on Medibank, and that has now convinced the Australian government to unleash new capabilities against hackers around the world.


[Theme Music Starts]

RUBY:

From Schwartz Media I’m Ruby Jones, this is 7am.

The most sensitive data to be obtained by hackers in Australian history has been published.

A Russian network of hackers put the private medical data of Australians online including records of the termination of pregnancies and people’s drug and alcohol treatment.

The data was obtained in an attack on Medibank, and the vulnerability of the health insurer has now convinced the government to unleash new capabilities against hackers around the world.

Today, senior reporter for The Saturday Paper, Rick Morton, on the powers our intelligence agencies have been building up and how they plan on using them.

It’s Monday, November 21.

[Theme Music Ends]

RUBY:

Rick, we know that Medibank, which is the private health insurer, was hacked a few weeks ago now and the data of hundreds of thousands of people was stolen. But what do we know about how that actually happened?

RICK:

That's a really good question, because there hasn't been a lot of information put into the public realm. Just a few hints here and there, but we are beginning to learn a bit more about it. And I've managed to get my hands on a few details about how it was pulled off, and it was, unfortunately, really simple. It turns out these hackers found the login credentials for a single support desk worker at the health insurer. And this is a really important part: that support desk worker did not have two-factor authentication on their account, which is basically, you know, when you log into your email and it sends a text with a code to your mobile phone, or it sends an email to another backup email account, that you have to use to verify it's you.
That's two-factor authentication. It's considered the bare minimum in terms of security. And this account worker didn't have that.

Now, the hackers used that login detail to gain access to virtually the entire contents of Medibank's business. And once inside, you know, they got really lucky. They were able to hang out basically for weeks without being noticed and spent the entire time ripping out, you know, sensitive data by the gigabyte. I think it was 200 gigabytes in the end that they managed to collect. Now, by the 12th of October, officers at the Australian Signals Directorate, which is ASD, the part of the intelligence community that monitors, or is in charge of, digital surveillance signals, were noticing some pretty suspicious cyber activity and actually got in touch with the company at 1:20 p.m. that afternoon on the 12th of October. And at the same time, Medibank staff were watching the same unusual activity and they were kind of trying to wonder what to make of it.

And then of course when the Australian Signals Directorate got in touch, they realised something was on. And the next day Medibank CEO David Koczkar released a statement to the stock exchange acknowledging that an intrusion had happened. But at this point they didn't think anything had been taken. And of course, that changed six days later when I'm going to say it became apparent the data was copied because the hackers got in touch with a sample of some of that data and said, hey, we've got some of the stuff you might want to pay us some money to make it go away. And of course, that was the beginning of a situation that just seemed to get worse and worse over the next few weeks as the size and scale of this problem grew.

RUBY:

Right. Okay. So it sounds like this was quite sophisticated Rick - hackers were actually inside the Medibank system for a matter of weeks taking whatever information they could get. So, as we learn more about that, about how it happened, what are we learning about who was behind it?

RICK:

Yeah, so this is quite interesting in that the Australian Federal Police on the 11th of November, Commissioner Reece Kershaw, just came out, fronted the media and actually said, We found you, we know who you are.

Archival tape -- Reece Kershaw:

To the criminals, you know, we know who you are…

RICK:

We believe that those responsible for the breach are in Russia.

Archival tape -- Reece Kershaw:

Are in Russia. Our intelligence points to a group of loosely affiliated cyber criminals who are likely responsible for past…

RICK:

This is an important definition for cyber criminals who are likely responsible for past significant breaches in countries across the world.

Archival tape -- Reece Kershaw:

These cyber criminals are operating like a business with affiliates and associates who are supporting the business.

RICK:

Almost like investors, in a way, is how these people operate. So they get protection and investment from others, and then their business is to try and extort money from companies. And that's exactly what they did with Medibank. They demanded a $15 million ransom, which I'm going to say thankfully Medibank has refused to pay, although it's a really thorny issue.

RUBY:

What happens then when Medibank refused to pay the ransom?

Archival tape -- David Koczkar:

This is a decision that's consistent with the government policy on ransomware, and this is why we've made the decision to not pay this ransom.

RICK:

And this is why it's thorny, because the hackers are legit, they're proper criminals, and they began to leak the data.

Archival tape -- 7 News:

Good morning. We begin with breaking news, a huge development in the Medibank hacking scandal. Criminals have begun posting stolen data to the dark web, including customers' intensely personal and private information. It has now been confirmed …

RICK:

Clinical records which reveal, you know, people who may have had pregnancy terminations or sought drug and alcohol treatment, for substance abuse or mental health treatment, which, of course, none of these things are bad, but of course they're socially stigmatised.

Archival tape -- 7 News:

It would be so distressing knowing that that is out there in the system and that Medibank have basically thrown up their hands. And also said in this statement that we expect the criminals to continue to release files on the dark web. Of course, remember they have access to 9 million customers. We will continue to work around the clock …

RICK:

The hackers knew exactly what they were doing. They were going for the most, for want of a better term, the juiciest stuff.

RUBY:

And the point is that it's people's private information, right?

RICK:

One hundred percent. And like the most private stuff you could possibly think of, you know, we're talking medical advice and procedures and consultations, which people sometimes don't share with their significant other. And already the Medibank hack has established itself as way more serious than the Optus hacker, singular, I'm pretty sure, because in that case, in the Optus case, we think it's a kid, a teenager, who managed to get a hold of 10 million customer records like names, addresses, passport numbers, driver's licence numbers, stuff like that. And of course they leaked a tiny fraction of that onto the dark web and then suddenly released an apology saying sorry, there's too much attention. No, I'm not going to do anything. Everything's safe. I've deleted the data.

And I was having a chat to a former ASD analyst, Tom Uren, who's the author of an info security publication called Seriously Risky Business. He was saying that Medibank got really unlucky, because Optus got a newbie: that behaviour, leaking the data and then all of a sudden changing their mind, doesn't exactly scream hardened criminal, and that's totally different from what hit Medibank. You know, to use Tom Uren's words, they've been real arseholes: they're being methodical, deliberate, and they're making good on their threats, which is to release bits and pieces of data every time that Medibank refuses to pay their ransom. And we know that they have, if not the protection of the state of Russia, then certainly Russia is turning a blind eye to the criminal elements.

RUBY:

Okay, so what does that mean for Australian police, Rick? I mean, what can the AFP really do to try and take action against foreign hacking syndicates?

RICK:

Well, I mean, they're still obliged to try, right? Which is what Commissioner Reece Kershaw from the AFP was on about, you know, earlier this month when he was saying that the AFP is working with the Australian Interpol National Central Bureau, and they have a direct line to the National Central Bureau in Moscow, which is also Interpol. But Kershaw is kind of hinting that it's likely that nothing will come of this, because Russia is not exactly being cooperative with any Western agency lately.

But this is where things get really fascinating, because there are other options and we're going to have to avail ourselves of them. Now, because this hack of Medibank is changing the way Australia will respond to hacking attacks. It has to. So we've been testing these little powers and hoarding these capabilities and haven't really done much with them. Then of course Medibank gets hacked. They refuse to pay; the hackers leak the most sensitive data we've ever had leaked in Australian history.

And I don't know that the hackers in Russia counted on this swindle being the one thing that fundamentally rewrote the rules of engagement for Australian authorities, or certainly ended up being the tipping point for a major shift in the way we pursue these criminals.

RUBY:

We’ll be back in a moment.

[Advertisement]

RUBY:

Rick, we now know that the Medibank hackers, they're based in Russia and it sounds like as a result of what they've done, things could really change in Australia in terms of the way that we attempt to police cybercrime. So tell me about what's on the table?

RICK:

So just to show you how fast things have been moving: on the Saturday after the AFP released their assessment of the attackers to the public, the Minister for Cyber Security, Clare O'Neil, announced one of the biggest shake-ups in the operating model of the Australian Signals Directorate and the AFP. And it's essentially just a cross-agency permanent standing force of 100 people whose entire job is going to be to hunt down cyber criminals around the world.

Archival tape -- Clare O’Neil:

This is a new operation, a permanent standing force of 100 of the best, most capable cyber experts in this country that will be undertaking this task, for the first time offensively attacking these people, David. So this is not a model of policing where we wait for a crime to be committed and then try to understand who it is and do something to the people who are responsible. We are offensively going to find these people, hunt them down and debilitate them before they can attack our country.

RICK:

Now, the ASD Director General Rachel Noble told Senate Estimates on the 8th of November, just a few days before this was announced (so it's been percolating), that the organisation, which still sits in the defence portfolio (it's not really a military organisation anymore, but it is still accountable to defence), does undertake, and has undertaken, operations to disrupt cyber criminals who have attacked Australia in the last 18 months.

Archival tape -- Rachel Noble:

In cyberspace, it's an important deterrence, and it is an important tool that we operationalise often against cyber criminals.

RICK:

And given the old reporting line, these must be authorised by the Defence Minister, who is now Richard Marles.
And just to go back to some of that history: when Dan Tehan had the cyber security portfolio responsibility in 2017, he cleared the way for the ASD to use its offensive cyber capabilities, that is, to take the fight against these criminals offshore.
What has changed since then is the scale and the permanency of this approach. Previously it was an ad hoc kind of, you know, maybe we will, maybe we won't. Now we've got an entire task force of essentially 100 people, and this has been on Labor's mind for a little while now.

Archival tape -- Parliament speaker:

Private members. Business minus number two Ransomware Payments Bill 2021.

RICK:

At least since June last year, when the then cyber security spokesperson, Tim Watts, told the Parliament:

Archival tape -- Tim Watts:

There is an urgent need for this bill. The Australian Cyber Security Centre has labelled ransomware, quote, the highest cyber threat facing Australian business. Indeed, it's more than just a threat to business. Ransomware is a significant national security threat in its own right.

RICK:

Ransomware is the type of cyber attack particularly used to extort companies, or to get them to pay money to get their data back. He was essentially foreshadowing what is now this policy, which he said the Signals Directorate should draw up a list of the top ten ransomware groups that have threatened Australia and then set about disrupting their command and control infrastructure, their communications platforms and their finances. And it doesn't take Einstein to figure out that the Medibank hackers just made the very top of that list.

You know, the old way that the directorate would describe its mission is to reveal their secrets, protect our own. But this is a new third thing; you could probably call it "mess with other people to make their lives more difficult". It's probably the politest way you can say that, and, done right, the hope is that this will deter criminal activity by breaking systems and networks of known criminals or hacking groups.

It gives us an extra option because, traditionally, you'd have to go to our domestic law enforcement, who would police crimes within, for example, Australia. And then if something was happening overseas, that law enforcement agency would have to go to the overseas agency and then they'd have to work police to police. So this approach is breaking new ground. And this raises really interesting ethical and legal questions. You know, these are big strategic decisions for any Australian government to make, and, you know, it's got to consider the consequences now of how it deploys those powers.

RUBY:

Well, let's talk a bit about that Rick - the ethical and legal questions that arise. Because what we’re talking about here is trying to prevent a crime before it’s been committed - and I think that opens up a lot of questions about whether that’s possible to begin with and also whether it’s desirable - and if this is a path that we should be going down?

RICK:

You know, it's a really interesting question. How do you stop a criminal group from attacking you if they haven't committed the crime yet? It sounded on its surface a little bit Minority Report. It's like, you know, thought crimes almost. But the reality is ethical hackers, authorities around the world, they already know who the major criminal groups are. The consideration then becomes: well, what is the rationale? And, you know, in a military sense, to use force, there has to be a trigger point, i.e. someone who's used force against you before, and your response has to be proportional. And Uren was saying that espionage does fall under the use of force considerations rather than, you know, a policing criminal matter.

But what we're talking about here is not killing people. We're not sending people to jail. We're not arresting people extrajudicially. We're talking about, he said, disrupting their phone or their chat messages or wiping their computer hard drives or something like that. So in that sense, it's inconsequential. This is exactly the same situation, but in a digital sense, as the Somali pirates who were attacking container ships off the coast of Somalia. It's not a terrorist offence. They were criminals, they were trying to steal money and they were disrupting commercial operations. And eventually the American military sent the Navy in. It wasn't considered to be a military operation in the strictest sense. It wasn't declaring war on Somalia, because they were pirates or criminals and they were not supported by the state. So it's a very similar vibe.
So there's no legal institution, as far as we're aware, that would stop this from happening. It's just, you know, how much of the consequences is any particular politician willing to bear if something were to become public, and it's just not likely to happen?

RUBY:

Okay, so Rick, as the Government expands its abilities to counter attack against cybercriminals, to try and make it a more painful proposition for them to target Australians in the future, the people who’ve already lost their privacy have already had their intimate details taken and leaked online. There isn't really anything that can be done to fix that, to help them now, is there?

RICK:

No, no, there's not. I wish there was a better answer to that, because there's not. If you're a health insurer, then yeah, you've got to collect details about people who pay your insurance and people who make claims for certain procedures. There's no way around that. But there should be quite a lot of regulation about how that data is controlled, how long it is kept for, and, you know, how secure it is.

Now, there's other arguments about other companies, real estate agents, for example, about how much data they take on you for a rental application that's just crazy and doesn't need to happen. Certainly doesn't need to be kept for any particular time. So there's these other broader questions, but none of it helps people who've had their stuff taken. Medibank, none of it makes you feel better. And there's nothing at this point in time to lend anyone a sense of security about the next couple of years. Because I think we're about to see a lot more attacks like this that are successful and that do cause this kind of damage.

RUBY:

Rick, thank you so much for your time.

RICK:

Thanks, Ruby. Always a pleasure.

[Advertisement]

RUBY:

Also in the news today…

The Prime Minister Anthony Albanese has returned from a summit tour after reportedly conducting a constructive meeting with Chinese president Xi Jinping.

Albanese has said the meeting was “much more positive than was anticipated”, though at this time trade sanctions remain in place.

And the Fifa World Cup has begun today in Qatar.

The build-up to the tournament has been overshadowed by a number of controversies, including allegations of human rights violations and migrant worker deaths.

I’m Ruby Jones, this is 7am. See you tomorrow.


Today, senior reporter for The Saturday Paper Rick Morton on the powers our intelligence agencies have been building up for years and how they plan on using them.

Guest: Senior reporter for The Saturday Paper Rick Morton.


7am is a daily show from The Monthly and The Saturday Paper. It’s produced by Kara Jensen-Mackinnon, Alex Tighe, Zoltan Fecso, and Cheyne Anderson.

Our technical producer is Atticus Bastow.

Brian Campeau mixes the show. Our editor is Scott Mitchell. Erik Jensen is our editor-in-chief.

Our theme music is by Ned Beckley and Josh Hogan of Envelope Audio.
