Russian Medibank hackers could be first targets of Australian sanctions against cyber-attackers

Dfat confirms it has provided advice to minister Penny Wong about using cyber-related powers introduced last year

The Australian government has revealed it is considering using new sanctions powers against cyber-attackers for the first time, sparking calls for the Medibank hackers to be the initial targets.

The Magnitsky-style sanctions laws that were introduced in Australia a year ago include a world-leading measure to allow travel bans and asset freezes on those deemed responsible for “significant” cyber-attacks.

In an unusually frank disclosure, the Department of Foreign Affairs and Trade confirmed it had now provided advice to the minister, Penny Wong, about using these cyber-related powers.

“Yes,” it said in a newly tabled response to a Senate question on notice. “The department routinely provides advice to ministers on possible sanctions measures, including cyber sanctions.”

A Dfat spokesperson told Guardian Australia the legislation allowed for sanctions to be imposed in relation to significant cyber incidents, and the government “keeps its sanctions settings under consideration”.

But the government would not speculate about specific listings in advance, the spokesperson added.

The shadow minister for cybersecurity, James Paterson, said he was “encouraged and hopeful that the government will go down this path”.

“Of course, the opposition would provide very strong bipartisan support for any cyber sanctions they want to announce,” said Paterson, who extracted the confirmation through the Senate estimates process.

Paterson said the most likely starting point for such sanctions would be cyber incidents that have already been publicly attributed by the Australian government, including the Russian criminals responsible for the Medibank hack.

“In the words of the government, these criminals have done things that other cybercriminals are unwilling to do, which is target people’s personal health information and release it on the dark web to punish people,” he said.

“That crosses a number of lines. This is not run of the mill – this is especially egregious – and it has to be backed up with action against them.”

To date, the government has not named the individuals it believes responsible for the “totally reprehensible” publication of sensitive health information taken from Medibank, understood to include procedures claimed by policyholders related to the termination of pregnancy and miscarriages.

But the Australian federal police commissioner, Reece Kershaw, has said he is in possession of intelligence that hackers in Russia were responsible for the Medibank data breach. “To the criminals – we know who you are,” he said in November.

Paterson conceded the hackers were unlikely to come to Australia on holiday so would not be directly affected by travel bans, but this should not stop the Australian government from “using every tool we have available” to deter malicious cyber activity.

“We should be making the world a smaller and less welcoming place for them,” he said.

“If we don’t put a price on it we’re going to have more of this behaviour.”

Other cyber incidents to have been attributed by the Australian government include the targeting of Queensland government-owned electricity generator CS Energy by the Russian-aligned Conti ransomware group in November 2021.

Last year the Morrison government joined with allies to accuse China’s ministry of state security of malicious cyber activity by exploiting vulnerabilities in the Microsoft Exchange software.

Since the Albanese government came to office, its Australian Cyber Security Centre has linked the Iranian government’s Islamic Revolutionary Guard Corps to the “active” targeting of Australia, UK, US and Canadian organisations.

Last weekend Wong announced she was using another part of the Magnitsky sanctions laws to target Iran’s morality police and Iranian and Russian individuals linked to human rights abuses.

On Monday Dfat summoned Iran’s top diplomat in Canberra to register deep concern over the execution of an anti-government protester. It is the sixth time Dfat has taken this step since the crackdown on protests began in September.

A spokesperson said the Australian government would “continue to make representations to Iran over its egregious human rights abuses and use of the death penalty”.


Daniel Hurst

The GuardianTramp

Related Content

Article image
Cyber-attack on Australian defence contractor may have exposed private communications between ADF members
Dataset from communications platform ForceNet containing up to 40,000 records may be compromised after breach on external provider

Nino Bucci

31, Oct, 2022 @7:40 AM

Article image
Australian companies to face fines of $50m for data breaches
In wake of Optus and Medibank leaks, serious or repeated breaches of customer information will attract heavy penalties under new legislation

Amy Remeikis and Paul Karp

21, Oct, 2022 @7:00 PM

Article image
Hackers linked to China allegedly stole data from Australian defence contractor
The US justice department says an Australian solar business was also targeted in ‘a sweeping global computer intrusion campaign’

Daniel Hurst

22, Jul, 2020 @8:16 AM

Article image
Medibank mental health data posted on dark web as Russian hackers vow to ‘keep our word’
Group releases file containing hundreds of customer claims as government considers banning ransom payments for cybercrime

Josh Taylor

13, Nov, 2022 @9:39 PM

Article image
Australia to send drones to Ukraine and expand sanctions against Russia
New measures on first anniversary of Russian invasion form part of pledge to stand with Kyiv ‘for as long as it takes’

Daniel Hurst Foreign affairs and defence correspondent

23, Feb, 2023 @2:00 PM

Article image
Medibank confirms hacker had access to data of all 3.9 million customers
Data breach, which exposed all Medibank, ahm and international student data, could cost health insurer $35m

Josh Taylor

26, Oct, 2022 @12:44 AM

Article image
Medibank hackers announce ‘case closed’ and dump huge data file on dark web
Medibank confirms it may be the full trove of hundreds of thousands of customers’ private records that were stolen from the health insurer

Josh Taylor

01, Dec, 2022 @1:51 AM

Article image
Medibank hacker says ransom demand was US$10m as purported abortion health records posted
Post on blog linked to Russian ransomware group says it offered ‘discount’ ransom to health insurer of US$9.7m, or $1 for each customer’s data

Josh Taylor

09, Nov, 2022 @10:38 PM

Article image
Medibank says it won’t pay ransom for customer data stolen in cyber-attack
‘Limited chance’ such a move would result in return of data or prevent it being published, health insurer chief says

Josh Taylor

07, Nov, 2022 @7:18 AM

Article image
Medibank cyber-attack: should the health insurer pay a ransom for its customers’ data?
Speculation is rife about whether the insurer will pay a hacker who claims to have extracted 200GB of files

Josh Taylor

27, Oct, 2022 @3:00 PM