How Medibank joined Optus in hack hell

Ten days after Medibank first detected a hack that has put highly personal health information belonging to a million customers at risk of exposure, clues are starting to emerge about how the hackers got in.

Logs obtained by cybersecurity researchers and seen by The Sydney Morning Herald and The Age indicate that someone with access to internal Medibank systems had their company login credentials stolen from their web browser, the kind of theft typically carried out by information-stealing malware running on an infected computer. The credentials were stolen some time around August 7.

The Medibank hack may be even more severe than the Optus breach.

Such thefts are common and the stolen credentials often find their way to data exchanges, which this masthead has chosen not to name to avoid drawing attention to them. These exchanges serve as marketplaces, where criminals offer stolen data for sale for as little as a few dollars in cryptocurrencies that are hard to trace.

Armed with the login information, a cyber criminal would have taken the first step to breaking into Medibank.

Medibank chief executive David Koczkar has confirmed an element of this thesis, though the company has emphasised its investigations are still ongoing. “We believe compromised credentials were used to access our systems,” he told bank analysts in a briefing on Monday.

Whether those were the August 7 set or others is unclear.

Medibank Private CEO David Koczkar apologised for the breach.

The “compromised credentials” idea gels with a message from the hackers that this masthead obtained earlier in the week. “We have 200GB sensitive data… from your RedShift Cluster. All source code from stash, confluence documentation, and keys for decrypting Credit Cards,” the hackers wrote.

That claim, which is unverified and thick with technical language, references two systems that a hacker would likely target within a company. (A third name in the message, "stash", is the former name of Atlassian's Bitbucket source-code server.)

The first is Confluence, made by the Australian technology giant Atlassian. It is a ubiquitous tool that companies use to store essential documentation on how their computer systems work.

Jamieson O'Reilly, the founder of an Australian firm called Dvuln that companies pay to find IT vulnerabilities, said Confluence is his first port of call after getting into a client's systems.

“We recently did a big engagement where we got into Confluence, and we spent about two weeks just studying the way the organisation worked through Confluence, and then we could launch further attacks,” he said.

The second system referenced by the hackers is Redshift, a data warehouse service from the internet giant Amazon Web Services. It is where a company could store customer data of the kind the hackers now appear to have acquired.

A source familiar with the situation, but not authorised to speak publicly, said Amazon was aiding Medibank’s investigation. There’s no suggestion Amazon or Atlassian’s security systems were breached or that there are risks for either company’s tools.

Despite the apparent severity of the breach, Medibank spent last week emphasising that it had not found evidence of any customer information being stolen. As recently as Monday this week, Koczkar was using language that made the breach look minor.

“We have no evidence that there was any access to customer data, but that really is subject to our continuing forensic analysis,” Koczkar said as analysts peppered him with questions about what the hackers had seen.

“We can say definitively that there is no evidence that customer data has been removed from our systems,” he said at another point.

Koczkar defended Medibank's communications on Thursday, after the severity of the breach became clear.

"Our investigation has been ongoing and as these incidents are, they continue to evolve," he said. "From the start, I committed to share updates, right when they came to light. And previous statements had been very clear that they were point in time updates."

Home Affairs Minister Clare O’Neil, who lambasted Optus’ miscommunications, has reserved her ire for the hackers in this case. She has not said a harsh word against Medibank and declined to say whether she classified the attack on the insurer as “sophisticated” – which has become a loaded word since the Optus hack – or not.

O'Reilly says assessing the severity of the hack will depend on whether Medibank protected the accounts behind the stolen credentials with additional controls, such as a second authentication factor, or otherwise limited where they could be used. If the username and password were all that was required to access its systems, then the hack was more basic than the Optus breach, he said.

"Even a 16-year-old can go and get an account on [a stolen credentials site], search for an infected computer that has Medibank credentials saved on it, and then download or purchase those credentials for like 10 bucks and then login through the front door."
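As an added illustration, not drawn from the article, from Medibank or from any vendor's product, the following Python script shows the check an incident responder would run over identity-provider sign-in logs to answer the question O'Reilly raises: did a password alone open the door? The log format, field names, user names and events are all constructed for this example. It learns each user's trusted devices and countries only from logins that completed a second factor, so a session opened with a stolen password cannot launder itself into the baseline, and it reports every successful login that either skipped the second factor or arrived from somewhere the user has never been seen.

```python
"""Flag successful sign-ins that a stolen password alone could have produced.

Constructed example: the log format, field names, users and events below are
invented for illustration and are not any real identity provider's telemetry.
"""
import json
from dataclasses import dataclass, field

# Constructed newline-delimited JSON in the style of an identity provider's audit log.
SAMPLE_LOG = """\
{"ts":"2022-07-20T01:12:04Z","user":"j.doe","result":"success","mfa":"passed","ip":"203.0.113.10","country":"AU","device":"dev-a1"}
{"ts":"2022-07-21T23:40:11Z","user":"j.doe","result":"success","mfa":"passed","ip":"203.0.113.10","country":"AU","device":"dev-a1"}
{"ts":"2022-08-07T14:02:45Z","user":"j.doe","result":"success","mfa":"not_required","ip":"198.51.100.77","country":"RU","device":"dev-zz9"}
{"ts":"2022-08-07T14:05:01Z","user":"j.doe","result":"success","mfa":"not_required","ip":"198.51.100.77","country":"RU","device":"dev-zz9"}
{"ts":"2022-08-08T02:00:00Z","user":"a.smith","result":"failure","mfa":"n/a","ip":"192.0.2.5","country":"AU","device":"dev-b7"}
{"ts":"2022-08-08T02:03:00Z","user":"a.smith","result":"success","mfa":"passed","ip":"192.0.2.5","country":"AU","device":"dev-b7"}
{"ts":"2022-08-09T09:30:00Z","user":"a.smith","result":"success","mfa":"passed","ip":"192.0.2.99","country":"NZ","device":"dev-c3"}
"""


@dataclass
class Finding:
    ts: str
    user: str
    password_alone: bool          # True when the session was opened with no second factor
    reasons: list = field(default_factory=list)


def parse_events(text):
    """Parse NDJSON sign-in events and return them oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_suspect_logins(events):
    """Walk successful sign-ins in time order against a per-user trust baseline.

    Only logins that completed a second factor teach the baseline; a login with
    no second factor is judged against it but never extends it.
    """
    baseline = {}   # user -> {"devices": set(), "countries": set()}
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        user, mfa_ok = e["user"], e["mfa"] == "passed"
        known = baseline.get(user)
        if known is None:
            if mfa_ok:
                # First MFA-backed login seeds the user's trusted history silently.
                baseline[user] = {"devices": {e["device"]}, "countries": {e["country"]}}
            else:
                findings.append(Finding(e["ts"], user, True,
                                        ["no second factor", "no trusted history"]))
            continue
        reasons = []
        if not mfa_ok:
            reasons.append("no second factor")
        if e["device"] not in known["devices"]:
            reasons.append("new device")
        if e["country"] not in known["countries"]:
            reasons.append("new country")
        if reasons:
            findings.append(Finding(e["ts"], user, not mfa_ok, reasons))
        if mfa_ok:
            known["devices"].add(e["device"])
            known["countries"].add(e["country"])
    return findings


def password_alone_users(findings):
    """Accounts that were entered with nothing more than a username and password."""
    return {f.user for f in findings if f.password_alone}


if __name__ == "__main__":
    results = find_suspect_logins(parse_events(SAMPLE_LOG))
    for f in results:
        print(f"{f.ts} {f.user:8} password_alone={f.password_alone} {', '.join(f.reasons)}")
    print("accounts opened by password alone:", sorted(password_alone_users(results)))
```

In the constructed data the two August 7 logins for `j.doe` are the ones a stolen browser password could explain on its own: no second factor, an unseen device and an unseen country. The `a.smith` login from New Zealand is flagged for review but not as a password-alone entry, because a second factor was completed. On a real investigation the same logic is run over the identity provider's export, with the device and geolocation fields it actually emits substituted for the invented ones here.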
