Medibank hacker named as Russian mastermind, sanctions invoked
Medibank #Medibank
“We have named him for the first time globally and his identity now being completely plain is on display for every agency around the world but also anybody who is seeking to operate with him,” Defence Minister Richard Marles said.
Mr Ermakov is alleged to be a member of Russian ransomware gang REvil, which was blamed for some the biggest cyber attacks in the world, including the attack on the Colonial Pipeline in the US, and meat processor JBS, which affected its operations in Australia, the US and Canada.
Members of REvil, also known as Sodinokibi, were arrested by Russian authorities in early 2022, purportedly shutting down the gang, although Mr Ermakov was not among those arrested and remains at large.
Medibank, Australia’s biggest health insurer, discovered it had been hacked in October 2022 when it began receiving ransomware demands for $US10 million ($15 million).
All up, 9.7 million records were stolen, including details of names, birth dates, Medicare numbers, and sensitive medical information. Some records were published on the dark web.
The health fund spent about $45 million responding to the hack, such as beefing up its cybersecurity.
The Medibank attack, hard on the heels of a similar hack of Optus’ customer data, sparked an overhaul of Australia’s cybersecurity regime.
“Medibank in my view was the single most devastating cyberattack that we have experienced as a nation,” Home Affairs Minister Clare O’Neil said.
“We all went through it, literally millions of people having personal data about themselves and their family members taken from them and cruelly placed online for others to see.”
While experts quickly suspected REvil was behind the Medibank attack, the Australian Signals Directorate and federal police, with help from US and UK agencies, have spent almost 18 months conducting a forensic investigation to conclusively link Mr Ermakov to the hack.
“REvil is only one of many Russian cybercriminals. Those gangs we know are dynamic and have multiple partners,” the head of the Australian Cyber Security Centre, Abigail Bradshaw, said.
“So a disruption of REvil at one point in time doesn’t cease its business. We know a lot about Mr Ermakov through our analysis and what we do know is that cybercriminals trade in anonymity, so naming and identifying with the confidence that we have from our technical analysis will most certainly do harm to Mr Ermakov’s cyber business.”