Samira Sarraf
Regional Editor for Australia and New Zealand

Australian government names and issues sanctions on individual linked to Medibank data breach

News Analysis
23 Jan 2024 · 4 mins
Data Breach

The Australian federal government identified the REvil member connected to the Medibank data breach and issued financial and travel sanctions, in an Australian first for cybercrimes.


The Australian federal government has revealed Russian citizen “and cybercriminal” Aleksandr Ermakov is linked to the Medibank Private data breach that saw PII and critical medical information of Australian citizens and international students leaked on the dark web.

In an Australian first, the government also imposed a targeted financial sanction and a travel ban on Aleksandr Ermakov. This means that providing assets to Ermakov, or using or dealing with his assets, including through cryptocurrency wallets or ransomware payments, is a criminal offence punishable by up to 10 years’ imprisonment and heavy fines.

The announcement sends a clear signal that individuals connected to cybercrimes committed in Australia will be identified and targeted with the hope that it will have some deterrent effect, emeritus professor of criminology at Flinders University Andrew Goldsmith told CSO.

Australia confirms REvil is behind the Medibank breach

In a press conference, Home Affairs and Cyber Security Minister Clare O’Neil confirmed that Ermakov is a member of REvil. In November 2022, the Australian Federal Police (AFP) had revealed that those responsible for the data breach were in Russia. AFP Commissioner Reece Kershaw said at the time that the AFP believed it knew who was responsible for the breach. A few months later, in an interview for 60 Minutes, Reece said the AFP had shared intelligence with Russian authorities and expected to see a result but was still waiting for a response.

Deputy Prime Minister Richard Marles said the AFP worked with overseas partners including the FBI, the NSA in America, and GCHQ in the UK.

The likely results from the sanctions

At the time of the Medibank data breach, AFP’s Kershaw had said that anyone involved in the attack was a focus of the investigation and that cyber criminals operate like a business with affiliates and associates, who are supporting the business, and that some affiliates are believed to be in other countries.

While these sanctions apply to financial transactions within Australia and Australian financial organizations, naming one individual could mean these supporters may no longer want to work with him. Goldsmith said this is a significant signal. “The message is that others are being considered for naming. It’s setting an example with suggesting potential precedent for further naming. I think Australia is an attractive destination, has been for Russian investors, including people who have illicit funds within their control in the past and this will make it perhaps less attractive.”

This is in line with Deputy Prime Minister Marles, who said that the sanctions “being put in place on Aleksandr Ermakov and publicly naming him will have an enormous impact on his activities and send a very strong message to cybercriminals around the world that we mean business.” Meanwhile, O’Neil said the sanctions announced today are just a part of the suite of efforts Australia is undertaking to try to debilitate these groups.

VP, principal analyst at Forrester Jinan Budge told CSO this is a solid move by the government. “I can’t imagine that the government could’ve done anything else if it wanted to remain credible and committed to its cybersecurity strategy. Otherwise, it would be all talk and no action, and this announcement is at least an intent to action.” She also said whether or not imposing sanctions on someone not in Australia will work is yet to be seen as this has never been tested.

If the AFP were to issue an arrest warrant — which has not been mentioned — there might be a notice put through the Interpol notice system, Goldsmith explained. “Which would put other countries on notice that this person is wanted for cybercrimes in Australia.” This could close down his travel options, according to Goldsmith.


Samira Sarraf covered technology and business across the IT channel before managing the enterprise IT content for the CIO.com, CSO Online, and Computerworld editions in Australia and New Zealand. With a focus on government cybersecurity and policies, she is now an editor with CSO Online global.
