Russian Citizen Sanctioned By US, UK, Australia Over Medibank Hack


Authorities in the US, UK, and Australia have sanctioned Russian national Aleksandr Ermakov for his role in the cyberattack on Medibank

Authorities in the United States, the United Kingdom, and Australia have identified a Russian national involved in the devastating 2022 hack of an Australian health insurer.

On Tuesday the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), in co-ordination with Australia and the United Kingdom, “designated Alexander Ermakov (Ermakov), a cyber actor who played a pivotal role in the 2022 ransomware attack against Medibank Private Limited, an Australian healthcare insurer.”

In October 2022 Medibank Private had confirmed a ‘cyber incident’ in which hackers stole 200GB of Australian patient data, including names, addresses, phone numbers, dates of birth, financial data and, in some cases, actual medical data.

Russian hacker

The hackers managed to obtain the health data of 9.7 million past and present customers, including 1.8 million international customers.

The stolen files include health claim data for almost half a million people, including 20,000 people based overseas.

In November 2022 the Australian Federal Police (AFP) Commissioner said investigators knew the identity of the individuals responsible for the attack on Medibank, but declined to name them.

Unfortunately, after Medibank refused to pay a ransom, the Russian cyber criminals began releasing tranches of customer data onto the dark web, including details of HIV diagnoses and drug abuse treatments.

The hackers categorised the files with titles such as good-list, naughty-list, abortions and boozy. This last category was for those patients who sought help for alcohol dependency.

“Russian cyber actors continue to wage disruptive ransomware attacks against the United States and allied countries, targeting our businesses, including critical infrastructure, to steal sensitive data,” said Under Secretary of the Treasury Brian E. Nelson on Tuesday. “Today’s trilateral action with Australia and the United Kingdom, the first such co-ordinated action, underscores our collective resolve to hold these criminals to account.”

Sanctioned Ermakov

Australia has sanctioned Ermakov for utilising ransomware to attack the Medibank network and for the exfiltration of sensitive data of 9.7 million users of Medibank services.

The United States and the United Kingdom, in solidarity with Australia, also took action against the same individual because of the similar risk presented by this actor to the United States and the UK.

The sanctions make it a criminal offense, punishable by up to 10 years’ imprisonment, to provide assets to Ermakov or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.

It also means that all property and interests in property of Ermakov located in the US, UK, or Australia, or in the possession or control of their citizens, must be blocked and reported to OFAC.

In addition, any entities owned, directly or indirectly, by one or more blocked persons are also blocked.

And any persons that engage in certain transactions with Alexander Ermakov may themselves be exposed to sanctions.

REvil hackers

All three nations state that in October 2022, Ermakov had infiltrated the Medibank network, one of Australia’s largest private health insurers.

Ermakov and the other actors behind the Medibank hack are believed to be linked to the notorious Russia-backed cybercrime gang REvil.

The US has previously sanctioned two individuals for perpetrating Sodinokibi/REvil ransomware incidents against the United States.

Russia has previously taken some ‘action’ against REvil.

In January 2022, Russian state news agency TASS had reported that at least eight REvil ransomware hackers had been detained by Russia’s Federal Security Service (FSB) at the request of the US.

This was before Russia’s illegal invasion of Ukraine, and the breakdown of relations between Moscow and the West.

The FSB security services reportedly raided 25 addresses and arrested 14 individuals in Moscow, St. Petersburg, Leningrad and Lipetsk.