Medibank hack: What financial sanctions on Russian hacker Aleksandr Ermakov mean and how effective they will be
The Albanese government has publicly named and placed financial sanctions on a Russian national who was found to have played a role in the Medibank hack. Here’s what it means.
The Albanese government has hit Russia’s Aleksandr Ermakov with financial sanctions – the first time it has punished an international hacker under new rules to curb online crime – over his role in Australia’s worst cyber attack against Medibank.
The government was full of tough talk, with Cybersecurity Minister Clare O’Neil branding hackers “cowards” and “scumbags” who “hide behind technology”. But what do the sanctions mean and how effective will they be in deterring future cyber assaults and protecting Australians’ data?
The agencies identified Ermakov as perpetrator of the Medibank attack, which happened in October 2022 and resulted in the theft of health claims data and other personal information of almost 10 million Australians before it was published on the dark web.
This means Ermakov is now the first hacker to be hit with sanctions under the government’s new rules. Here’s how they work.
What are financial sanctions?
The financial sanctions fall under the Autonomous Sanctions Act 2011, which was amended in December 2021 to include malicious cyber activity.
This made it a criminal offence punishable by up to 10 years’ jail to do business, including through cryptocurrency or ransomware payments, with hackers that the government identified.
The rules, like other sanctions, banned hackers from travelling to or through Australia.
The act can also be enforced on people involved in the proliferation of weapons of mass destruction, threats to international peace and security, serious abuses of human rights, activity undermining governance and the rule of law, and violations of international humanitarian law.
The government named Ermakov after a 15-month-long investigation led by the Australian Federal Police and the Australian Signals Directorate.
Deputy Prime Minister Richard Marles and Foreign Affairs Minister Penny Wong said the rules are clear and threatened to jail anyone who assisted Ermakov.
“This morning, I can announce that Australia has used cyber sanctions powers for the very first time on a Russian individual for his role in the breach of the Medibank Private network,” Ms Wong said.
“The sanctions are targeted financial sanctions and are targeted financial sanctions and a travel ban. This will mean it is a criminal offence punishable with up to 10 years imprisonment to provide assets to Ermakov or to use or deal with his assets, including through cryptocurrency or ransomware payments.”
Why were they used on Aleksandr Ermakov?
The financial sanctions have been implemented in the belief that they will deter any threat actors who may have access to the Medibank data from using it in future.
The Australian government believes these rules will also scare potential hackers and have them think twice about targeting Australians with future hacks.
“It sends a clear message there are costs and consequences for targeting Australia and for targeting Australians. These sanctions are part of Australia’s efforts to ensure that we uphold the international rules-based order and upholding the norms of responsible state behaviour in cyber space,” Ms Wong said.
How do these rules compare to other countries?
In the UK, hackers can be punished under the Computer Misuse Act, which prevents the unauthorised tampering of any data held on a computer.
Unauthorised access to a computer is punishable by up to two years in prison and a £5000 ($AU9675) fine, while unauthorised access to commit fraud is punishable by up to 10 years in prison. Unauthorised use which poses a threat to national data is punishable by a life sentence in prison.
In the US, several laws also make unauthorised access to a computer punishable by law, with first offences typically punishable by up to 10 years and second offences up to 20 years. Extortion involving computers is punishable by between five and 10 years, and trafficking of passwords is punishable by between one and 10 years.
How effective will they be in deterring future attacks?
Cyber security experts say the government’s autonomous cyber sanctions framework is unlikely to prevent future attacks but have welcomed it as a step in the right direction.
Nigel Phair, of Monash University’s Department of Software Systems & Cybersecurity, said companies must do more to protect their customers’ data, particularly as cyber attacks escalate.
“Australian organisations need to continue to protect their information holdings, the systems where these reside and the people who access it. This includes undertaking fundamental risk management and introducing a competent control framework,” Professor Phair said.
“I congratulate the Australian government for undertaking such a complex investigation. Attribution of cyber criminals is one of the hardest things to do. This is unlikely to dissuade other internationally based cyber criminals from targeting Australian organisations or individuals, but is a step in the right direction.”
How do these rules affect my data?
While the sanctions cannot prevent misuse of Australians’ stolen data altogether, they do make all future dealings with Ermakov in relation to that data and other criminal activities punishable by law.
They also send a “message” to cyber hacking groups that stealing Australian data will not go unpunished and could be a criminal career-limiting move, Mr Marles said.
“There is an enormously powerful effect which can be brought to bear in holding cyber criminals to account. Publicly naming him will have an enormous impact on his activities and send a very strong message to cyber criminals around the world that we mean business,” he said.
Ms Wong added: “We wish to use all elements of our national power to uphold these rules and keep Australians safe and secure.”
Abigail Bradshaw, head of the Australian Cyber Security Centre, said the sanctions today also substantially affect the ability of cyber hackers to do business.
“We know a lot about Mr Ermakov through our analysis, and what we do know is that cyber criminals trade in anonymity. It is a selling quality. So naming and identifying with the confidence that we have from our technical analysis will most certainly do harm to Mr Ermakov’s cyber business,” she said.
How bad was the Medibank hack?
On October 19, 2022, Medibank revealed it had received a ransom demand from a hacker who claimed to have accessed the private data of its 9.7 million current and former customers.
Over the days that followed, the hacker revealed they had accessed very private data, including information on sexual health, pregnancies and what procedures customers had undergone.
The severity of the breach and the access to sensitive files sent shockwaves across the country, and was the second in just months, following the Optus hack which had already sent a chill down the nation’s spine.
Cyber Security Minister Clare O’Neil on Tuesday said the Medibank hack, “in my view, was the single-most devastating cyber attack that we have experienced as a nation”.
“These people are cowards and they are scumbags. They hide behind technology and today the Australian government is saying that when we put our minds to it, we will unveil who you are, and we will make sure that you are accountable,” she said.