The Guardian - AU
Daniel Hurst and Paul Karp

Australia sanctions Russian citizen Aleksandr Ermakov over 2022 Medibank cyber-attack

Australia has used its new cyber sanctions powers for the first time against a Russian citizen, Aleksandr Ermakov, in connection with the Medibank Private data breach.

Magnitsky-style sanctions laws that were introduced in Australia in late 2021 include a world-leading measure to allow the imposition of Australian travel bans and asset freezes on those allegedly involved in “significant” cyber-attacks.

Australia, like numerous countries, has adopted sanctions laws named after the late corruption whistleblower Sergei Magnitsky. These measures generally target individuals alleged to be linked to serious corruption or violations of human rights. But Australia’s laws also allow sanctions to punish allegedly malicious cyber activity.

The Australian government announced on Tuesday that it was imposing sanctions under the new law on Russian citizen Aleksandr Gennadievich Ermakov, 33.

In a statement, the government said police and intelligence agencies had worked with international partners to link Ermakov “to the compromise of the Medibank Private network” in 2022.

It said this decision “makes it a criminal offence, punishable by up to 10 years’ imprisonment and heavy fines, to provide assets to Aleksandr Ermakov, or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments”.

About 9.7 million customer records were taken in the Medibank Private data breach, including dates of birth and Medicare numbers.

The records included sensitive medical information such as procedures claimed by policyholders related to the termination of pregnancy and miscarriages. Some records were published on the dark web.

The Australian federal police commissioner, Reece Kershaw, had previously said he was in possession of intelligence that hackers in Russia were allegedly responsible for the Medibank data breach.

The sanctions decision was signed by the foreign affairs minister, Penny Wong, on Monday. The sanctions notice said Ermakov, born in Russia on 16 May 1990, was also known as Alexander Ermakov, GustaveDore, aiiis_ermak, blade_runner or JimJones.

“This listing demonstrates Australia’s ongoing commitment to deterring and responding robustly to malicious and significant cyber incidents,” said an explanatory statement attached to the sanctions notice.

“The listing acts in our national interest to impose costs on, influence and deter those responsible for malicious cyber activity.”

At a media conference in Canberra on Tuesday, officials responded to questions about what practical impact the cyber sanctions would have on the alleged hacker.

The head of the Australian Cyber Security Centre at the Australian Signals Directorate, Abigail Bradshaw, said: “We know a lot about Mr Ermakov through our analysis ... [Anonymity] is a selling quality, and so naming [him] and identifying [him] with the confidence that we have from our technical analysis will, most certainly, do harm to Mr Ermakov’s cyber business.”

The deputy prime minister, Richard Marles, said Australia was the first to name Ermakov globally and this would have a “very significant impact” on him.

“The Australian Signals Directorate and the Australian federal police have worked tirelessly over the past 18 months to unmask those [allegedly] responsible for the cyber-attack on Medibank Private and to ensure Australians are protected from malicious cyber activity,” Marles said.

Wong said the government expected the sanctions measure would have “financial consequences” for Ermakov.

The minister for home affairs, Clare O’Neil, also issued “strong advice” to businesses not to pay ransoms to alleged cyber criminals, saying this did not guarantee sensitive data would be recovered but “makes Australia a more attractive target for criminal groups”.

The Coalition’s home affairs spokesperson, James Paterson, who called for the cyber sanctions to be used against the Medibank hackers in late 2022, welcomed the move but said it was “not clear why it’s taken so long”.

“This is a challenging issue. We cannot just click our fingers and make this go away,” Paterson told Sky News on Tuesday.

“If countries around the world who are like-minded help shape these norms by putting a cost on this behaviour, it won’t guarantee that it stops but it does make it less likely than if we do nothing.”

Prof Nigel Phair, a cybersecurity expert from Monash University, said attribution of cyber criminals was difficult.

“While it most likely won’t result in the arrest of this individual (or probably any others), it puts sand in the gears of [alleged] cyber criminals by degrading their efforts to work with others in future criminal pursuits,” Phair said.
