The dark web blog of Russian cybercriminals leaking sensitive Medibank customer data has suddenly disappeared, but experts fear that they might return.
On Sunday, the hacker group – which authorities had linked to Russia, and which is believed to be connected to the REvil ransomware organization – published 1,500 health claim records before going offline, leaving everyone scratching their heads.
“Leak sites drop offline all the time, but usually come back online within a few days,” said Brett Callow, threat analyst at Emsisoft.
“Usually, but not always. Occasionally, they drop offline and remain offline.”
“That happened to REvil’s initial site after the operation was seemingly disrupted by law enforcement. The bottom line is that we can’t read too much into this. It could be something or it could be nothing.”
The site seemingly disappeared between Monday and Tuesday, Australian time, and has not returned since.
The file server hosting the leaked Medibank files, which the blog linked to, has remained online.
The group posted records related to claims on chronic conditions such as heart disease, as well as the patient details of people with cancer, dementia, mental health conditions and infections.
It was the fifth dump of files since Medibank refused to pay the US$10m (AU$15m) ransom.
“As I’ve said before, you cannot trust a criminal,” Medibank’s CEO David Koczkar had previously said.
Before their last dump, 123 customer claims associated with terminating pregnancies, mental health issues, and drug and alcohol use were posted on the blog, along with hundreds of customers’ personal details including names, addresses, dates of birth, phone numbers, email addresses and gender.
While the site's disappearance provides momentary respite to customers, experts warn that the group might return.
Medibank had posted a customer notice of an eligible data breach for the attack on November 11th. Since then, the website does not seem to have had any updates.
According to the Guardian, a spokesperson for the Australian federal police (AFP) cited the ongoing investigation into the hack but refused to comment further.