Five Russians went out drinking. When they got back, Australia had struck
Siberian nightlife has its opportunities. Just ask Australian cyber spies, who used local criminals’ decision to enjoy a vodka-soaked night to bust a multimillion-dollar business run by Russians warehousing stolen data.
It wasn’t ordinary data. It was a treasure trove of millions of Australians’ sensitive health information, including on mental and sexual conditions, that had been pilfered from the insurer Medibank in August 2022.
Igor Odintsov (top left), Aleksandr Bolshakov (bottom left), Aleksandr Mishin (centre), Dmitriy Bolshakov (top right) and Ilya Sidorov (bottom right). The five men are linked to ZServers, which was hosting the data stolen from Medicare in 2022.
All 520 gigabytes of names, birthdates, addresses, contact information, Medicare numbers and passport details in 9.7 million records were sitting on servers operated by five Russians in the obscure industrial town on the West Siberian Plain, three hours' drive from the Kazakhstan border.
The Australian Signals Directorate, which is the nation’s digital spying agency, already knew who had stolen the Medibank data. His name is Aleksandr Ermakov, a Moscow-based hacker who has since been arrested by Russian authorities for other crimes using a ransomware model, where sensitive data is stolen and the victims are forced into paying to get it deleted or returned.
But the bigger task for the directorate was to identify where Ermakov was keeping it.
“A lot of people think that [cybercrime] is always just one guy in a hoodie in a basement,” says Georgina Fuller, who is in charge of countering cybercrime at the agency. “They don’t realise that these kinds of actors are actually supported by a really thriving ecosystem of illicit businesses that are set up to enable them to commit their crime.”
For Ermakov, that was an obscure company called ZServers in Barnaul, a city of 630,000 that is closer to Mongolia than Moscow.
ZServers advertised its services on hacking forums, claimed to have been operating since 2011 and offered various hosting services to the underworld. It had “Brute” for forced entry into secure systems, “Scan” for assessing vulnerabilities and “Cracking Allowed” for evading security.
And its claim to offer “bulletproof hosting”, impenetrable to outsiders and based in a jurisdiction that does not co-operate with Western law enforcement, was successful, judging by the amount of cryptocurrency the Australian Signals Directorate believes it received.
Aleksandr Bolshakov, 30, was the boss. He had two lieutenants, Aleksandr Mishin, also 30, and Ilya Sidorov, 32. Completing ZServers’ five-member team were Igor Odintsov, 30, and Bolshakov’s younger brother Dmitriy, a gun-loving 23-year-old weightlifter.
ZServers employee Dmitriy Bolshakov, 23, shows off his pistol with a friend.
Intelligence services from the Five Eyes nations – Australia, the United States, Canada, the UK and New Zealand – were already aware of ZServers before the Medibank hack because of its dubious customers.
But Australia’s signals directorate zeroed in after the hack because Ermakov, the perpetrator, had been sloppy covering his tracks as he broke into company after company. The directorate triangulated his aliases and connections online, leading the agency to suspect Ermakov had paid ZServers to store the Medibank data.
Fuller, the directorate executive, says ZServers’ boast to offer impenetrable hosting was just marketing. “They’re no more secure than any other service that’s operating in this illicit environment,” Fuller says.
While directorate analysts under Fuller probed ZServers’ systems, its linguists and behavioural psychologists began to profile the five Russians behind the company. “That process takes weeks, months, and in this case, sometimes years,” Fuller says. “But the point is that by the end of it, we’re very, very certain that we’ve got the right people, and we understand everything about them. We know where their weak points are, we know where they’re most vulnerable.”
Illicit millionaire’s factory
The Bolshakov brothers and their three criminal mates had turned ZServers into a millionaires’ factory. In the past year alone, the company generated more than $2 million in revenue according to the Australian Signals Directorate, hosting online criminal activity from phishing campaigns and ransomware to money laundering and criminal communications.
Among its customers have been the BlackCat ransomware group, which made software to steal data and licensed it to other criminal groups to use for a fee, and malware maker LockBit, which has attacked some of the world’s largest ports, banks and pharmacy chains. If you have received a dodgy text message in the past couple of years, there’s a fair chance it was sent via ZServers.
As the ZServers crew made money, they flaunted it. “They don’t call it ‘shyber’ crime,” Fuller says. “[Online criminals] live openly and out there. They’re making their profits, and they’re living a really good life in Russia.” Sidorov, the oldest ZServers figure, bought a speedboat and posted pictures of his outdoor adventures. Bolshakov, the weightlifter, posed with weaponry.
ZServers offered cut-price services to criminals, helping it to fly under the radar.
Having studied the Barnaul gang, the directorate decided to strike when the five Russians were expected to be out drinking, making it harder for them to respond. It deleted their stolen data and, in coordinated announcements with the US and UK on Wednesday, revealed the Russian men’s identities and put sanctions on them.
While they risk arrest if they travel abroad, the men have not faced any sanction within Russia.
Medibank has offered support to customers whose information was stolen and released online. It is defending a civil claim from Australia’s privacy regulator, which alleges it did too little to protect such sensitive information.
‘Bulletproof’ no more
The ZServers crew appeared to believe that they would always fly under the radar by staying a step removed from the actual crime. Even for storing information linked to a high-profile hack like the Medibank breach, ZServers only charged $US50 a month for a server, a tiny amount for criminal gangs that often demand millions in ransoms.
But Australian Signals Directorate director-general Abigail Bradshaw says companies like ZServers enable other online crimes.
“In order to make sure that we’re not playing a game of whack-a-mole, we’re actually moving up into the critical infrastructure,” Bradshaw says. The agency has deleted 250 terabytes of stolen information held by so-called bulletproof hosting services.
Defence Minister Richard Marles praises the directorate’s work, along with its partners in the UK and US, to take down ZServers. “These actors market themselves on the basis of being both anonymous and bulletproof, and they are neither.”