It “most likely” won’t lead to an arrest, but the outing of Russian cyber criminal Aleksandr Ermakov for the 2022 Medibank hack “puts sand in the gears of cyber criminals,” a cyber expert has said as Australia’s government applies cyber sanctions for the first time.
The announcement that Ermakov had been singled out for the hack – in which 9.7 million personal details and medical records were stolen, and many published on the dark web –comes months after Russia rebuffed Australian calls to reveal the Medibank hackers’ identities, and more than a year after fingers were first pointed at Russian interests as being responsible.
As the subject of targeted sanctions under the autonomous cyber sanctions framework introduced by the Australian government in December, Ermakov faces a travel ban and has become persona non grata – with penalties including heavy fines and up to 10 years’ imprisonment for anybody who provides him with assets, or uses or deals with his assets – including through cryptocurrency wallets of ransomware payments.
The sanctions framework has been “reserved for the most egregious situations of international concern”, and designations under the policy require signoff from both the Minister for Foreign Affairs and Attorney-General, as well as other ministers as appropriate.
Ermakov was identified through the work of a multi-agency team – comprising cyber security and investigative experts within the Australian Signals Directorate (ASD), Australian Federal Police, and other agencies here and overseas – operating under the banner of Operation Aquila, which is continuing to pursue other leads related to the Medibank compromise.
Imposition of the sanctions “send a clear message that there are costs and consequences for targeting Australia and for targeting Australians,” Foreign Minister Penny Wong said in announcing the new sanctions, which she called “part of Australia’s efforts to ensure that we uphold the international rules-based order and uphold the norms of responsible state behaviour in cyberspace.”
Wong’s decision to impose the sanctions is a “hugely significant and unprecedented step,” Minister for Defence Richard Marles said, adding that “Australians should take an enormous sense of confidence in the professionalism and skill that exists within ASD.”
Marles – who also thanked the involvement of Microsoft and the Medibank team’s “incredibly open” engagement with ASD – called the collaboration “fundamentally important” and a “great thing for the country in terms of improving our cybersecurity.”
“This is a demonstration of how working with our partners… is an enormously powerful effect which can be brought to bear in holding cyber criminals to account.”
Shining a light in the shadows
Declaration of the sanctions marks an important chapter in the investigation of the Medicare breach – which, Minister for Cyber Security Clare O’Neil said, was “the single most devastating cyberattack that we have experienced as a nation.”
With millions of people having their personal data – and that of their family members – “taken from them and cruelly placed online for others to see,” she said, “it helped us to understand the enormous cost this problem will have to all of us as Australians.”
“It also showed us something about the calibre of the people we are dealing with,” she added, calling the cyber criminals “cowards” and “scumbags” who “hide behind technology”.
The complexity of attribution means the sanctions are “unlikely to dissuade other internationally-based cyber criminals from targeting Australian organisations or individuals,” Nigel Phair, a seasoned investigative and cyber security expert who is currently Professor of Practice within the Department of Software Systems and Cybersecurity in the Monash University Faculty of Information Technology, warned as the sanction was announced.
However, he said, in congratulating the government on its success, the public outing of the cybercriminal’s identity “puts sand in the gears of the cyber criminals by degrading their efforts to work with others in future criminal pursuits.”
Australian Cyber Security Centre (ACSC) head Abigail Bradshaw agreed, saying that the public outing of Ermakov, “with the confidence that we have from our technical analysts, will most certainly do harm to Mr Ermakov’s cyber business.”
“Cyber criminals trade in anonymity,” she said. “It is a selling quality.”
And while much of the work of the government’s ‘hack the hackers’ team can’t be publicly discussed, O’Neil said, “please know that the smartest cyber guns in our country work for the Australian government [and] they work for you day and night in hunting down people who are seeking to do harm to Australians.”
Opposition spokesperson James Paterson welcomed the announcement, but argued in an interview with Sky News that the Albanese government had been “slow on a matter of national security” by failing to more quickly apply the Magnitsky sanctions framework introduced by the Coalition government in late 2021.
“Cyber sanctions are important because what we’re trying to do is shape international norms [and] put a cost on this behaviour,” Paterson said while calling for more “offensive cyber operations against these gangs” and urging the government to extend the sanctions not only to the cyber criminals in question, but “the governments which harbour them.”
“The reality is that this is a very hard task, and we have to be honest and humble with the Australian people about what we can do.”