Medibank and Deutsche Bank hacked by the same threat actor?

Security (Pexels, general use)

The hack of the Australian health insurer Medibank is currently shaking Australia, because the attacker is offering the data of millions of patients on the darknet. Shortly before that, the Australian telecom provider Optus was hacked and the records of millions of customers were siphoned off. And very recently, a party claiming a connection to the Medibank attackers has been offering Deutsche Bank access data on the darknet. According to reports, the names of the Medibank hackers, who operate out of Russia, are known to the police. Update: Deutsche Bank sees no indications of a hack.


The Optus Hack

I didn't cover it on the blog because Australia is far away. In early October 2022, the Australian telecom provider Optus was forced to admit that the personal data of 2.1 million former and current customers had fallen into unauthorized hands. The Hacker News reported on the case here; another report can be found at Bleeping Computer.

According to that report, the hacker who had siphoned off 11 million customer records apologized and, by his own account, has since deleted the data. Excerpts had already been published, however. The hacker was able to access the customer data through an unsecured API and tried to extort the company.
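The page only says the Optus API was "unsecured"; it does not describe the specific defect. As an added illustration (not Optus's code, and not a claim about how the Optus API was built), the following example shows the classic shape of that failure class: a customer-lookup endpoint that checks no credentials and uses guessable sequential IDs, next to a hardened version that requires an opaque session token and checks that the caller owns the requested record. All customer records, the `login` helper and the `SESSIONS` store are constructed for the example.

```python
"""Unsecured customer-lookup API vs. a hardened one.

Added example with constructed data. It is not the code of Optus or of any
other company named on the page; the page does not state which specific
defect the Optus API had.
"""
import secrets
from typing import Callable, Dict, Optional

# Constructed sample records (not real people). Sequential IDs make the
# whole table enumerable with a simple counting loop.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "passport": "X000001"},
    1002: {"name": "B. Example", "dob": "1991-02-02", "passport": "X000002"},
    1003: {"name": "C. Example", "dob": "1975-03-03", "passport": "X000003"},
}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or not authorised."""


def lookup_insecure(customer_id: int) -> dict:
    """Vulnerable handler: no authentication and no ownership check.

    Anyone who can reach the endpoint can read any record by ID.
    """
    return CUSTOMERS[customer_id]


# Hypothetical session store: opaque random token -> customer it belongs to.
SESSIONS: Dict[str, int] = {}


def login(customer_id: int) -> str:
    """Issue an opaque 256-bit session token.

    Real authentication (password, MFA, ...) is assumed to have happened
    before this is called; it is out of scope for the example.
    """
    token = secrets.token_hex(32)
    SESSIONS[token] = customer_id
    return token


def lookup_secure(customer_id: int, token: Optional[str]) -> dict:
    """Hardened handler: valid token required AND caller must own the record.

    A missing/unknown token and a token for a different customer are both
    rejected with the same error type, so the ID space cannot be probed
    to learn which IDs exist.
    """
    subject = SESSIONS.get(token) if token else None
    if subject is None:
        raise Forbidden("authentication required")
    if subject != customer_id:
        raise Forbidden("not authorised for this record")
    return CUSTOMERS[customer_id]


def enumerate_ids(fetch: Callable[[int], dict], start: int, count: int) -> Dict[int, dict]:
    """What an attacker runs against the API: walk the ID space and keep
    whatever the endpoint hands back.  Errors are skipped silently."""
    found: Dict[int, dict] = {}
    for cid in range(start, start + count):
        try:
            found[cid] = fetch(cid)
        except (KeyError, Forbidden):
            continue
    return found


if __name__ == "__main__":
    # Against the insecure endpoint the loop harvests every record.
    print("insecure:", sorted(enumerate_ids(lookup_insecure, 1000, 10)))
    # Against the hardened endpoint, no token yields nothing ...
    print("secure, no token:", enumerate_ids(lambda c: lookup_secure(c, None), 1000, 10))
    # ... and a legitimate customer's token yields only that customer's row.
    tok = login(1002)
    print("secure, own token:", sorted(enumerate_ids(lambda c: lookup_secure(c, tok), 1000, 10)))
```

The two controls are independent: the token stops anonymous reads, and the ownership comparison stops an authenticated customer from reading other customers' rows (broken object-level authorisation). Replacing sequential IDs with random identifiers is a useful extra layer, but not a substitute for either check.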

The Australian Federal Police (AFP) then arrested a 19-year-old in Sydney in early October 2022 who, as a copycat, used the leaked Optus customer data for extortion. The suspect took 10,200 of the records published by the Optus hacker and threatened the victims via text message that their data would be sold to other hackers if they did not pay AUD 2,000 (about $1,300) within two days. Because he named a Commonwealth Bank of Australia account for the payments, he was identified and arrested.

The Medibank Hack

Medibank is an Australian healthcare company based in Melbourne that provides private health insurance and related health services. Last month the insurer suffered a ransomware attack in which the attackers captured 9.7 million customer records. The incident has caused a real earthquake in Australia, and the government is planning to tighten legislation on privacy and security requirements.

The notice from the insurer can be found here. It states that criminals posted files containing Medibank customer data on a dark web forum, and that the data includes personal information such as names, addresses, dates of birth, phone numbers, email addresses and Medicare numbers, in some cases passport numbers of international students insured with Medibank, and some health claims data.


The Australian Federal Police (AFP) believes that those responsible for this cybercrime are in Russia. In this article, the AFP confirms that it knows the identity of the attackers and says it wants to hold talks with Russian law enforcement about the individuals suspected of being involved. Given the current political situation, that is likely to be rather difficult. The colleagues at Bleeping Computer have compiled more information here and here; they write that the attackers are probably linked to remnants of the REvil gang.

Deutsche Bank data on the darknet

If the report is true, there has also been a successful attack on Deutsche Bank: according to the following tweet, the same group responsible for the Medibank hack could be the party offering access data to Deutsche Bank's systems on the darknet. But that is not confirmed. Lawrence Abrams from Bleeping Computer told me that it is an alleged initial access broker, not the same hackers who stole the data from Medibank. It could be the actor that sold the ransomware gang its access to the Medibank network, but that is equally unconfirmed, and the offer may be a scam.

Deutsche Bank access data on the darknet?

According to the tweet, the criminals claim to hold access credentials for the bank's networks. The domain reportedly contains about 21,000 machines (mostly Windows) and is protected by an EDR solution from Symantec. The criminals also claim to have captured the internal network filtering rules and, in total, about 16 terabytes of data. VDI and VPN access including passwords is being offered.

Addendum: Security Affairs has more details. It is an initial access broker who claims to have hacked Deutsche Bank.

Update: The German site heise asked Deutsche Bank about the reports of a hack. The bank says it has no indications of a breach (see the heise report).
