Digital clues expose Russian man Aleksandr Ermakov as Medibank hacker
The naming of Russian hacker Aleksandr Ermakov puts a ‘target on his back’.
Within weeks of the Medibank data breach, messages appeared on multiple dark web forums boasting of the massive cyber theft, and seeking a ransom of nearly $10 million.
Posted under online monikers, including GustaveDore, JimJones, and blade_runner, they included data dumps identifying those who had sought abortions, and treatment for HIV, drug addiction and mental health issues.
The shocking revelations spurred on investigators at the Australian Signals Directorate and the Australian Federal Police, who were already working with international counterparts to identify those responsible.
Medibank, which refused the ransom demand outright, supplied gigabytes of data to assist in the investigation.
“Every criminal leaves fingerprints or DNA behind. In the digital world, we call them ‘indicators of compromise’,” ASD cyber security co-ordinator Abigail Bradshaw said.
Those clues, including the details of the software used to infiltrate the Medibank system and the method of exfiltrating the data, were shared with Australia’s Five Eyes intelligence and enforcement partners, including America’s FBI and NSA, and British signals intelligence agency GCHQ.
As one high-level government source said: “No one’s operational security is perfect. You only have to make one mistake.”
Drawing on counterpart agencies’ massive data holdings and technical expertise, Australian investigators were able to match the digital clues to a range of suspected perpetrators.
Within less than a month, the AFP and ASD had zeroed in on the likely source of the attack.
“We believe that those responsible for the breach are in Russia,” AFP Commissioner Reece Kershaw revealed on November 11 – just over a month after the data breach was discovered.
“Our intelligence points to a group of loosely affiliated cyber criminals, who are likely responsible for past significant breaches in countries across the world.”
Kershaw also revealed that not all those involved in the crime were located in Russia. “We also believe some affiliates may be in other countries,” he said.
The AFP sought the assistance of the Kremlin even as the Albanese government condemned Russia over its brutal war on Ukraine. “That help was not forthcoming”, a source said.
By late last year, investigators were confident that key online identities linked to the case were aliases of the same person – Russian man Aleksandr Ermakov.
Assistant Foreign Minister Tim Watts advocated inside the government for the use of new autonomous sanctions against the professional cybercriminal, while Cybersecurity Ambassador Brendan Dowling liaised with partner administrations on the potential for reciprocal sanctions.
Photographs of Ermakov drawn from undisclosed social media accounts show a clean-shaven, well-dressed man. One appears to have been taken in an office cubicle; another in an up-market liquor store.
Ms Bradshaw described Ermakov as a “proficient cyber criminal” who was linked to Russia’s REvil and Royal ransomware groups.
“We know that he’s associated with a variety of different cybercrime-as-a-service providers, and a variety of large cyber criminal syndicates,” she said.
“He is a roaming affiliate, who makes his services available to others for the highest price, but who also seeks to profit and perpetrate crime based on the services offered by others.”
She said Ermakov was known to still be in Russia, where he and other cybercriminals benefited from the “permissive environment” for their businesses enabled by Vladimir Putin.
While he previously enjoyed an affluent lifestyle, that’s likely to change after his identification by Australia.
A senior government source said the unmasking of Ermakov would make him “radioactive” within criminal networks.
“If you are de-anonymised, it has a number of consequences. First you start getting shaken down by underworld figures. So that’s very costly. But it’s also very bad for business. It goes to your credibility.”
Cybersecurity expert Alastair MacGibbon said Ermakov would now have to look over his shoulder wherever he went.
“It certainly does curtail his life. Because when you think about it, these criminals do travel,” the CyberCX chief strategy officer said.
“They obviously don’t make their money to spend it in Siberia. They want to go spend it in nice, flashy holiday destinations. He won’t be able to do that, unless he travels under a fake name. It certainly puts a target on him.”