Australia Names and Imposes Cyber Sanctions on Hacker in Medibank Breach


Australia has taken a historic step by publicly revealing and imposing cyber sanctions on a Russian hacker implicated in the 2022 ransomware attack on Medibank. This marks the first instance of Australia utilizing such penalties.

The cyber intrusion targeted Medibank, one of Australia’s largest private health insurers, compromising personal data from 9.7 million customers, including names, birthdates, medical information, and Medicare numbers. Disturbingly, some of this information was subsequently disclosed on the dark web, as confirmed by Australian authorities.

After an exhaustive 18-month investigation, the Australian government disclosed the sanctioned individual as Aleksandr Ermakov, a 33-year-old Russian national allegedly affiliated with the ransomware gang REvil.

Criminal Offense, Cyber Sanctions and Travel Ban

The sanctions criminalize the provision of assets to Ermakov, as well as the use or handling of his assets, including cryptocurrency wallets or ransom payments. According to the release, the offense carries a potential penalty of up to 10 years’ imprisonment. The sanctions also place a travel ban on Ermakov.

Richard Marles, Deputy Prime Minister and Defense Minister, commended the government’s relentless efforts to unveil the perpetrators of the Medibank cyberattack.

The investigation involved collaborative efforts from various agencies, including the Australian Signals Directorate and the Australian Federal Police, the FBI and NSA in the United States, and GCHQ in the United Kingdom. Private sector cooperation, notably from Microsoft and Medibank, played a crucial role in the investigative process.

“The Australian Signals Directorate and the Australian Federal Police have worked tirelessly over the past 18 months to unmask those responsible for the cyberattack on Medibank Private and to ensure Australians are protected from malicious cyber activity,” said Deputy Prime Minister, the Hon Richard Marles MP.

Alleged Connection to REvil and Global Impact

The cyberattack on Medibank, initially associated with the REvil group by cybersecurity experts, triggered global cooperation in response. REvil, known for its large-scale attacks, had previously targeted entities in the United States, with a notable incident involving the international meat supplier JBS Foods in 2021.

Abigail Bradshaw, Head of the Australian Cybersecurity Center, acknowledged the dynamic nature of Russian cyber-criminal syndicates like REvil. While the disruption of REvil doesn’t halt its operations, publicly disclosing Ermakov’s identity is expected to hinder his activities, with the imposed sanctions serving as a financial setback.

Deputy Prime Minister Marles highlighted the substantial impact of revealing Ermakov’s identity, making it visible to global agencies and anyone considering engagement with him. Investigations into other individuals connected to the cyberattack are ongoing.

The ramifications of the Medibank breach extended beyond Australia, affecting 1.8 million international customers. The initial ransom demand was set at US$10 million (15 million Australian dollars), later reduced to US$9.7 million, a sum that Medibank refused to pay.

Government’s Firm Stance Against Ransom Payments




