The Australian government has imposed new cyber sanctions against hosting platform ZServers and five Russian individuals who enabled a landmark 2022 data breach at Medibank.
In October 2022, health insurer Medibank suffered a major cyber security incident at the hands of a ransomware criminal who would eventually dump the data of 9.7 million Medibank customers on the dark web – marking one of Australia’s biggest data breaches of all time.
On Wednesday, the Albanese government unveiled a follow-up action on the incident through new financial sanctions on five Russian cybercriminals affiliated with Russia-based hosting provider ZServers.
ZServers – which effectively supplied the infrastructure for the Medibank attack – offers a “bulletproof” hosting (BPH) service that grants access to web infrastructure such as domains, IP addresses and servers, all the while refusing to cooperate with takedown requests and legal complaints over illicit content.
Government officials noted ZServers provided the network infrastructure and services used to host and release data stolen from Medibank, which included Medicare numbers, contact information and claims data.
After years of operation, its owner Aleksandr Bolshakov and employees Aleksandr Mishin, Ilya Sidorov, Dmitriy Bolshakov and Igor Odintsov have been hit with sanctions which now forbid them from entering Australia.
“The sanctions announced today make it a criminal offence to provide assets to ZServers or the five sanctioned individuals, or to use or deal with their assets, with penalties of up to 10 years’ imprisonment and/or heavy fines,” government officials wrote.
Deputy Prime Minister Richard Marles said the sanctions were the first of their kind against an “enabler of cybercrime”, highlighting that no other such entity has been targeted by Australian cyber sanctions to date.
“These sanctions send a clear message to malicious cyber actors that there are consequences of trying to do Australians harm,” said Marles.
“Disrupting the criminal ecosystem in this way impacts hundreds of cybercriminals at once.”
The ZServers sanctions arrived approximately one year after the government took similar action against alleged Medibank hacker Aleksandr Ermakov.
AUKUS partners join sanctions
Further sanctions were announced by fellow AUKUS members the US and UK over ZServers’s role in supporting the prominent malware and ransomware gang LockBit.
The US Department of the Treasury’s Office of Foreign Assets Control emphasised that LockBit is responsible for one of the “most deployed ransomware variants” today, before detailing how the gang leased numerous IP addresses from ZServers to conduct its ransomware attacks.
The UK’s Foreign, Commonwealth and Development Office meanwhile sanctioned an additional ZServers front company, ‘XHost’, which appeared to have been active in the UK since January 2022.
UK Foreign Secretary David Lammy took the opportunity to criticise Russian president Vladimir Putin for building a “corrupt mafia state driven by greed and ruthlessness”.
“It is no surprise that the most unscrupulous extortionists and cybercriminals run rampant from within his borders,” said Lammy.
Not so bulletproof
BPH providers, unlike other hosting providers, are inherently suited to illicit content and operations – their main selling point is that they can actively ignore law enforcement engagement and complaints by operating in jurisdictions which have lenient laws against illicit conduct.
Similar to encrypted messaging app Telegram and defunct file-sharing platform Megaupload, ZServers’s loose approach to the content it hosts effectively earned it a reputation for being a ‘safe harbour’ among cybercriminals and pirates.
The Australian Federal Police (AFP), however, noted BPH providers are “not immune” to takedown efforts from law enforcement.
“Calling these hosting providers 'bulletproof' is a false marketing gimmick,” said AFP Cyber Command assistant commissioner, Richard Chin.
“Cybercriminals think they are safeguarded by these service providers; however, one massive swing from authorities can crack open and disrupt the infrastructure.”
Brendan Dowling, Australia’s ambassador for Cyber Affairs and Critical Technology, meanwhile noted the sanctions not only “expose ZServers’ activities”, but also impose costs on the people who operate it.
“Cybercrime is an industry and we need to disrupt every aspect of it,” said Dowling.
In a BPH explainer, the AFP and Australian Signals Directorate noted Australian law enforcement, government and private industry are collaborating to target and disrupt BPH providers, including through blocking internet traffic.