Three of the five Five Eyes countries have levelled sanctions against former REvil hacker Aleksandr Ermakov.
Both the US Department of the Treasury and the UK Sanctions Minister have announced a broad swathe of sanctions against hacker Aleksandr Ermakov, the man behind 2022’s Medibank hack.
On 23 January, the Australian government named Ermakov as the man behind the hack – which saw the personal information and medical records of 9.7 million Australians compromised in a data breach.
The sanctions mark the first of their kind among the allies.
“Russian cyber actors continue to wage disruptive ransomware attacks against the United States and allied countries, targeting our businesses, including critical infrastructure, to steal sensitive data,” said Brian E. Nelson, Under Secretary of the Treasury, in a statement. “Today’s trilateral action with Australia and the United Kingdom, the first such coordinated action, underscores our collective resolve to hold these criminals to account.”
Anne-Marie Trevelyan, the UK’s Sanctions Minister, had similar words of support.
“We stand with our allies in Australia and the US and will continue to hold cyber hackers to account for damaging cyber attacks designed to undermine global democracies,” Trevelyan said in a separate statement.
“These cynical and reckless attacks cause real damage to people’s lives and livelihoods. We must work together to call out and combat these malicious attacks.”
While Foreign Minister Penny Wong said yesterday that the identification of the Medibank hacker was accomplished by the Australian Signals Directorate and the Australian Federal Police, the UK sanctions announcement suggests it was a more international operation.
“Today’s sanctions target Russian national Aleksandr Ermakov, who has been identified by the Australian Signals Directorate and Australian Federal Police along with international partners as a key actor in the Australia Medibank cyber attack in 2022,” the press release said.
The US announcement doesn’t make any mention of international partners but does call out Russia itself at some length over its lax attitude to cyber crime.
“Russia continues to provide a safe haven to ransomware actors like Ermakov, enabling cyber actors to freely perpetrate ransomware attacks and other malicious cyber activities from Russia,” the US Treasury release said.
“In addition, Russia has also enabled ransomware attacks by cultivating and co-opting criminal hackers. Treasury has previously stressed that Russia must take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.”
The sanctions make it a crime to provide any assets to Ermakov, whether in cash or cryptocurrency, and make it a crime to pay the hacker any kind of ransom in the future. The sanctions also include a travel ban, and any violation of the sanctions could see the perpetrator face up to 10 years in jail.
Catching the perp
In an interview with 9News on the evening of 23 January, ASD acting Director-General Abi Bradshaw went into some detail explaining the investigation and how Ermakov was identified.
“Ermakov had some sloppy tradecraft, and at ASD, you can only make that mistake once if you’re a criminal,” Bradshaw told 9News.
ASD specialists were able to find two individuals selling Medibank data on hacking site BreachForums – but neither was Ermakov. However, working with international partners such as the FBI in the US and GCHQ in the UK, the ASD was able to gather enough data to identify him despite his use of online aliases.
“There are many spiders in the dark web, and some of those spiders are ASD spiders, and part of our job is to hang out in those dark web forums,” Bradshaw said.
“To imagine where cyber criminals may be lurking, to listen to their conversations, and to procure information in that way.”
Bradshaw also said that the ASD is continuing to hunt for Ermakov’s ransomware associates.
“Ermakov is only one part of this investigation, and I can assure you that the dedicated officers of ASD and AFP are continuing this hunt,” Bradshaw said.
Despite the investigations, the Medibank data remains in circulation on BreachForums. As recently as December 2023, a forum user called ftopk1102 was selling a portion of the data containing about one million lines, including names and email addresses.