Australian Signals Directorate exposes Russian hacker as the culprit in Medibank breach

30 Apr 2024, by Slade Baylis

We’ve been following the Medibank breach since it occurred back in 2022, having reported on it initially when it happened [1], as well as providing several updates as things developed. Just last month we put an article out about how Operation Guardian (a joint partnership between law enforcement and the private sector to combat cybercrime) revealed that 11,000 subsequent attacks had been linked to that original breach [2].

For those who missed it, the ASD (Australian Signals Directorate) announced earlier this year that it had been able to identify and expose the identity of the Russian hacker responsible for the breach.

A quick summary of the Medibank data breach

The Medibank breach was a data breach that occurred back in 2022 and was one of the largest and most compromising attacks in Australian history. The health insurer has said that 9.7 million Australians in total had their basic personal information stolen by the hackers, including 5.1 million Medibank customers, 2.8 million AHM (Australian Health Management) clients, and 1.8 million international customers.

The attack vector in this attack was found to be stolen login credentials belonging to a single support desk worker who did not have two-factor authentication configured; those credentials were then used to gain access to other systems and data.
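The root cause described above, a privileged account that could sign in with a password alone, is something a defender can check for before an incident rather than after. The following is an added example, not Medibank's or Micron21's tooling: it audits a constructed directory export for enabled accounts without MFA enrolled (privileged roles such as support desk first), reports overall MFA coverage, and scans constructed authentication log lines for successful single-factor logins. The account records, log format and role names are all assumptions made up for the example.

```python
"""Audit accounts and sign-in logs for MFA gaps.

Constructed example: account records, roles and log lines below are made up
to illustrate the check and are not taken from any real environment.
"""
from dataclasses import dataclass

# Roles treated as sensitive because they reach customer data or other systems
# (assumed role names for this example).
PRIVILEGED_ROLES = {"support_desk", "helpdesk", "admin", "dba"}


@dataclass
class Account:
    username: str
    roles: set
    mfa_enrolled: bool
    enabled: bool = True


def find_mfa_gaps(accounts):
    """Return (username, reason) pairs for enabled accounts that lack MFA.

    Privileged accounts are listed first, since a single support desk account
    without two-factor authentication was the entry point in the breach above.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled or acct.mfa_enrolled:
            continue
        privileged = bool(acct.roles & PRIVILEGED_ROLES)
        reason = "privileged account without MFA" if privileged else "account without MFA"
        findings.append((privileged, acct.username, reason))
    # Privileged first, then alphabetical, so the riskiest gaps lead the report.
    findings.sort(key=lambda f: (not f[0], f[1]))
    return [(user, reason) for _, user, reason in findings]


def mfa_coverage(accounts):
    """Fraction of enabled accounts with MFA enrolled (1.0 when none are enabled)."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 1.0
    return sum(a.mfa_enrolled for a in enabled) / len(enabled)


def single_factor_logins(log_lines):
    """Return (user, src) for successful logins where only a password was presented.

    Log format is an assumption for this example:
    '<timestamp> key=value key=value ...' with a comma-separated 'factors' field.
    """
    hits = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        if fields.get("result") != "success":
            continue
        factors = set(fields.get("factors", "").split(","))
        if factors == {"password"}:  # no second factor was used
            hits.append((fields["user"], fields.get("src")))
    return hits


# Constructed sample data (not real accounts or addresses).
SAMPLE_ACCOUNTS = [
    Account("support.agent1", {"support_desk"}, mfa_enrolled=False),
    Account("support.agent2", {"support_desk"}, mfa_enrolled=True),
    Account("dba.primary", {"dba"}, mfa_enrolled=False, enabled=False),
    Account("j.doe", {"staff"}, mfa_enrolled=False),
    Account("admin.root", {"admin"}, mfa_enrolled=True),
]

SAMPLE_LOGINS = [
    "2022-10-12T03:14:00Z user=support.agent1 result=success factors=password src=203.0.113.7",
    "2022-10-12T03:20:00Z user=support.agent2 result=success factors=password,totp src=198.51.100.4",
    "2022-10-12T03:25:00Z user=j.doe result=failure factors=password src=203.0.113.9",
]

if __name__ == "__main__":
    for user, reason in find_mfa_gaps(SAMPLE_ACCOUNTS):
        print(f"{user}: {reason}")
    print(f"MFA coverage: {mfa_coverage(SAMPLE_ACCOUNTS):.0%}")
    for user, src in single_factor_logins(SAMPLE_LOGINS):
        print(f"single-factor login: {user} from {src}")
```

Disabled accounts are skipped on purpose so the report stays actionable; the log scan complements the directory audit because an account can be enrolled in MFA yet still have a legacy path that accepts a password alone.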

Apart from the sheer scale of this breach, it was particularly worrying due to the type of information stolen, as the information stored by healthcare providers and insurers is a treasure trove for cybercriminals. With this type of information, cybercriminals can easily identify victims and potentially extort them with the threat of releasing their personal information to the public.

The weakness that allowed the Medibank hacker to be identified

In most data breaches, tracking the cybercriminals down to the actual people involved is rarely achievable. At most, all that can usually be gathered is the country of origin of the attack and which hacking group is most likely responsible. In this case, however, it was a combination of the ego of the perpetrator and the cooperation between Medibank and the ASD that made it possible to identify the key individual behind this attack.

The quick cooperation between Medibank and the ASD from the very outset of the breach ultimately gave the ASD enough information to track down and identify the culprit. As reported by 9 News [3], Medibank Private chose to bring in expert help right from the beginning when it discovered its computer networks had been hacked. “Joan”, the lead of the ASD’s response team, said that due to this, "within days of the attack, we had very strong confidence that he was operating out of Russia”.

The culprit was revealed to be Aleksandr Ermakov, a 33-year-old resident of Moscow.

For cybercriminals like Ermakov, arrogance and ego are often part of the reason they are caught. "There is an element of complacency for cybercriminals like Ermakov," Joan explains. "They don't expect to get caught. So for somebody like us, we play on that, which is why we're able to find them in places that they may not expect us to be looking”. Agencies like the ASD frequent the same forums and websites that these malicious actors use in order to find out “where cybercriminals may be lurking, to listen to their conversations, and to procure information in that way".

Ermakov sanctioned by Australia as part of plan to disrupt Russian cybercrime syndicates

As the number of high-profile cybercrime incidents grows, the government has increasingly announced greatly increased efforts to stop further breaches and to investigate the ones that do occur. In response to this cyberattack, Australia for the first time used new international powers to place sanctions on Ermakov, including a travel ban as well as targeted financial sanctions. These sanctions aren’t limited to restricting Ermakov himself; they also extend to those who deal with him directly.

As reported by 9 News [4], the sanction “makes it a criminal offence, punishable by up to 10 years' imprisonment and heavy fines, to provide assets to Ermakov, or to use or deal with his assets”. The restrictions also apply to those who provide aid through cryptocurrency, which is a mainstay in cybercrime operations.

Have any questions about the Medibank breach?

If you have any questions about the Medibank breach, or alternatively want to see what you can do to improve your own security posture, let us know! We can provide advice both for those just starting out and for those already well established.

You can contact us via phone on 1300 769 972 (Option #1) or alternatively reach out to us via email at sales@micron21.com

Sources

[1] Micron21, “Optus, Medibank, and now Harcourts – If they can be breached, what can you do to prevent it?”, <https://www.micron21.com/blog/optus-medibank-and-now-harcourts-if-they-can-be-breached-what-can-you-do-to-prevent-it>
[2] Micron21, “Operation Guardian links 11,000 new cyber-crime incidents to Medibank breach”, <https://www.micron21.com/blog/operation-guardian-links-11-000-new-cyber-crime-incidents-to-previous-medibank-breach>
[3] 9 News, “Exclusive: The weakness that saw Medibank hacker exposed”, <https://www.9news.com.au/national/the-mistake-medibank-hacker-aleksandr-ermakov-made/09d54ead-c52b-4afa-a334-28ef694f3a67>
[4] 9 News, “Australia sanctions Russian individual over Medibank cyberattack”, <https://www.9news.com.au/national/medibank-cyberattack-australia-sanctions-russian-individual/89563799-7b17-4491-a2e7-ac9656bcf7ef>