URL: https://www.abc.net.au/news/2023-04-17/cybercrime-hacker-chats-about-medibank-revil-russia-ukraine/102179776

CHATTING WITH A HACKER

By Jessica Longbottom, John Lyons, and Jeanavive McGregor

Four Corners

Updated 19 Apr 2023, 4:14am
Published 16 Apr 2023, 6:26pm

What would you say to the person who stole your personal data, held it
ransom and posted it on the dark web?

The people behind the cyber attacks on Australia are highly organised criminal
gangs, often based in Russia, with dozens of employees and even HR departments.

Authorities are still tight-lipped about who carried out last year’s Medibank
hack that left the personal details of millions of Australians exposed on the
dark web.

However, security researchers have linked the attack to REvil — one of the most
successful cyber gangs of all time.

With the help of those researchers, we spoke to a hacker who says he’s worked
for them.

Known as “Kerasid”, he agreed to chat on an encrypted service.

Four Corners: How do you feel when you hack into a system?

Kerasid: Great, it's a feeling of being on top of the world, like nobody can touch you.

Four Corners: Do you see Australia as an attractive target?

Kerasid: Yes, let me tell you something. Australians are the most stupidest humans alive and they have a lot of money for no reason. A lot of money and no sense at all.


Kerasid didn’t hold back on the US either.

“I loved American targets because I am not a fan of the Americans,” he said. 

“Companies in the States have quiet [sic] a lot of money. I loved seeing them
suffer.” 

Suffer is no understatement.

It’s a sophisticated operation designed to inflict maximum pain on victims to
squeeze out the most ransom money.

Hackers — also known as “affiliates” — gain access to an organisation. They
steal sensitive data and then encrypt an organisation’s files using a gang’s
ransomware application.

The tactic is known as “double extortion”.



The gang then carries out the ransom negotiation process. If a victim agrees to
pay, both the affiliate and the gang take a cut.

These syndicates have used this method on all types of organisations, even
hospitals, putting lives at risk to try to extract ransom payments.

The hacker that hit Medibank released the most intimate health issues of more
than 2,000 people — such as mental health diagnoses and pregnancy terminations.

Kerasid said he did some PR and “human resources” work for REvil, as well as
some hacks.

Four Corners: So is it correct that REvil was involved in the Medibank hack?

Kerasid: yes indeed

Four Corners: So were you involved with Medibank?

Kerasid: 😂 even if I was why would I incriminate myself :)

Four Corners: The Medibank hack caused distress to millions of Australians. Does this concern you?

Kerasid: I could not care less

Four Corners: You say that you couldn't care less about the distress caused by the Medibank hack. But that revealed intimate details of men, women and children with their names and details. Isn't that wrong?

Kerasid: 😂😂😂😂😂😂😂😂😂😂😂 so sad. It isn't wrong in my eyes.

Kerasid told us he’d made millions out of hacking and moved freely between the
UK and eastern Europe, without fear of being arrested.

“I don’t believe in flashing money. When you are not humble, it all goes wrong,”
he said.

“Don’t get me wrong I have cars, watches, houses but the most important thing to
me is family and my wife.”

He also claimed he was a key leader of REvil — known as 0_neday.

If so, that would be quite a coup. 0_neday is one of only two known leaders of
the REvil gang who has a public persona and he hasn’t posted anything on public
forums in more than a year.

We tried to prove the link but, in the end, we couldn’t stack up the claim that
he led the gang.

Four Corners travels to Ukraine in search of answers about the criminal
syndicate behind one of Australia’s largest-ever data breaches. Watch now on ABC
iview.


WHO IS REVIL?

REvil – short for Ransomware Evil – was prolific in 2020 and 2021, carrying out
dozens of attacks and raking in at least $US200 million.

It tried to extort Apple by stealing drawings for new products, helped send
currency exchange business Travelex into administration after locking up its
systems, and threatened US and Australian food supply chains when it shut down
JBS abattoirs.

Cyber analyst Jon DiMaggio — who has spent years studying REvil — says they made
the “double extortion” method famous, and loved creating hype.

Cyber analyst Jon DiMaggio. Four Corners

“They would post bits of [data] publicly on their website, in order to embarrass
victims and sort of entice them to pay the ransom,” he said.

“They would reach out to reporters and talk to them and do interviews. They drew
a lot of attention.”

The hacker who negotiated with Medibank claimed to be affiliated with several
gangs, including REvil.

However, Medibank’s team was sceptical. John MacPherson is the head of cyber
security at Ashurst, a company that was working for Medibank at the time of the
hack.

“They were never able to demonstrate that they were part of a group who would do
what they say they were going to do,” he said.

It’s often important for companies to know who they’re negotiating with, because
some of the criminal syndicates are known for being true to their word:
decrypting and returning data when a ransom is paid.



The strongest link to REvil was the leak site that the hacker published the
stolen data on.

If you typed the address of REvil's leak site into your browser, you would be
redirected to the page that hosted the Medibank leak.

Cyber security analysts say it’s highly probable that only someone who was close
to REvil could have redirected the traffic to that new site.

However, here’s where it gets a bit strange.

REvil basically stopped operating at the end of 2021 after a Federal Bureau of
Investigation crackdown on the group led to arrests around the world.

Their activities came to a halt, and their servers went offline.

So, we pressed Kerasid on whether the people who hacked Medibank were the same
people behind REvil.

“The answer is yes, however, there is some new faces,” he said.

Jon DiMaggio says Kerasid is half right.

“I think that the current version of REvil is not the real group. I do believe
that it’s possible that they have a member or two of the real group, along with
some new players. But those members were not the key leaders,” he said.

“They don’t have the capability to develop new ransomware and they don’t have
the capability to even do some of the high-level hacks that the other group
did.”

Kerasid may have worked for REvil, and still be involved with this REvil
offshoot, but we don’t have proof of that.

We do however have proof that he worked for another massive crime gang called
Conti, because of this:



In February last year, a Ukrainian security researcher dumped more than 60
thousand internal messages and documents from the Conti gang online, in
retaliation for the group’s public support of Russia.

Among them were some messages from Kerasid, that suggested he was a malware
developer.


MIDDLE MANAGERS AND EMPLOYEE BONUSES

The leak detailed information including Conti’s recruitment methods, ransom
tactics and structure.



It showed Conti had between 60 and 100 employees, an HR function to recruit
budding cyber criminals, and coders who developed the malware.

There was also an offensive team that scouted inside organisations to see what
the best data was to steal and encrypt, and negotiators to get victims to pay
up.

Jeremy Kirk, an analyst with cybercrime intelligence firm Intel 471, says all
the big cyber gangs, including REvil, are thought to have a similar structure.

“You look like any other software company, but you’re actually just a criminal
organisation,” Kirk says.

“They’ve been able to get scale and efficiency, and attack more companies and
organisations than ever before.”

He says that, with Conti, the profits were funnelled to the top, while the
workers at the bottom of the chain made between $US1,000 and $US2,000 a month.

“They were higher-than-average salaries that you have in these locales, but …
the people down below were not really rewarded very greatly,” Kirk says.

The Conti chats show many of the employees were unhappy with their working
conditions and, in turn, the bosses were unhappy with their productivity.

Translated message from a Conti boss in the gang's leaked documents.
Translation: Check Point Research

There were even fines. But, on the plus side, there was also employee of the
month.

Translated messages from the leak of Conti documents. Translation: Check Point
Research

There was a team dedicated to negotiating ransoms and making the experience of
payment as smooth as possible for companies that have been hacked.

Leaked messages show that, at times, the Conti bosses wanted their negotiators
to step up.

“I think that we need to analyse them more deeply and frighten that we’ll leak
something that is dear to them … we need to push harder,” one leaked message
said.

“We bargain like school children, gangsters don’t behave like that.” 


HACKING UKRAINE

The Russian government gives gangs the green light to keep operating, as long as
they don’t attack any companies within Russia.

However, since the Ukraine war began, some analysts say the Kremlin has given
the gangs an ultimatum: Hack for your country or your assets will be seized and
you’ll go to jail.

Cyber attacks have been a key part of both countries’ tactics in the war.

Katherine Mansted — the director of cyber Intelligence with CyberCX — says
Russia has been attacking Ukrainian communication networks, energy
infrastructure and water supplies, often coordinating them with military
strikes.

A Russian missile strike on a broadcasting tower in Kyiv. Reuters

“It is the … first war in history between two major cyber powers, Russia and
Ukraine … and right from the beginning of the conflict, cyber has been an
ever-present dimension of that conflict,” she explained.

“It hasn’t been decisive, but it’s been there the whole way through that
conflict. In many respects that’s going to be a blueprint for any future war
that is fought, any future war that Australia is part of, there will be a cyber
dimension.”

Even if individual hackers and cyber criminals have not been co-opted by the
government, analysts say, many are taking independent action against Ukraine
anyway.

When we asked, Kerasid would not say if he was working for the Russian
government, but claimed to be providing support.

Four Corners: Have you been supporting Russia's cyber attacks on Ukraine?

Kerasid: yes I'm a fan of it.

Four Corners: How have you been supporting Russia?

Kerasid: I have been providing initial access to Ukrainian-owned infrastructure. I can't comment on anything further of the conflict, my handler has told me. Sorry.


Jon DiMaggio says Kerasid could well be doing what he says he is, as we know he
was involved in developing malware at Conti.

“He’s the exact type of expertise that they want,” he said.

DiMaggio says REvil's bosses are also supporting the war against Ukraine.

“I, 100 per cent, believe they’re being leveraged by the Russian government,” he
says.

“They’re helping [Russian security and intelligence services] the FSB or the GRU
… creating malware and facilitating attacks against Ukraine to better the
mission of Russia.”

The war has changed the cybercrime landscape, with many of the gangs now split
between attacking Ukraine and extorting organisations across the world for
ransom.

Police are also getting better at disrupting the business model of the gangs,
breaking up some of the bigger syndicates.

That does not necessarily mean things will get easier.

“What we often see is when groups are affected by law enforcement activity
— even when there are arrests, even if those arrests are at the top of the
organisation — the members of that group reinvent themselves,” Mansted said.

“They move on, they find new groups to attach themselves to. They might turn
their infrastructure off for a little bit of time, lie low, and then re-enter
the game.”

“So, unfortunately, it’s going to be really hard for us to break the business
model of cyber-extortion.”

Especially when the hackers are still just as bold.

Four Corners: Is there a computer you can't get into?

Kerasid: nope


HOW DO WE KNOW THE PERSON WE CHATTED TO IS A HACKER?

 * We can never be 100 per cent sure, but we have taken several steps to verify.
 * There is evidence the person with the handle "Kerasid" has been involved in
   criminal cyber activity for several years. He can be traced in leaked
   internal Conti gang documents.
 * We were connected to Kerasid by a security researcher.

Watch Four Corners’ full investigation into the cybercrime syndicates attacking
Australia on ABC iview.


CREDITS:

Story by: Jessica Longbottom, John Lyons, and Jeanavive McGregor

Digital production and design: Nick Wiggins



Odyssey format by ABC News Story Lab
