Medibank hacker to be sanctioned under new cyber laws

The federal government has revealed that a Russian citizen is behind the nearly 10-million-person hack and will face serious sanctions under new cyber laws, which are to be used for the first time.

David Hollingworth, 23 January 2024, Corporate Counsel

Editor’s note: This story first appeared on Lawyers Weekly’s sister brand, Cyber Daily.

Three federal ministers have fronted the press to reveal the identity of the person behind 2022’s Medibank hack, which saw the personal data of 9.7 million Australians leaked on the dark web.

Deputy Prime Minister Richard Marles, Home Affairs Minister Clare O’Neil, and Foreign Minister Penny Wong made the announcement in Canberra on Tuesday (23 January) morning, confirming that a Russian individual named Aleksandr Ermakov was the person responsible for the attack.


In addition to sharing the hacker’s identity, the government also announced it would be using – for the first time – the ability to sanction an individual under Australia’s new cyber laws.

“I can confirm that thanks to the hard work of the Australian Signals Directorate and the AFP, we have linked Russian citizen and cybercriminal Aleksandr Ermakov to the attack,” Foreign Minister Wong said at a press conference.

“Australia has used cyber sanctions powers for the very first time on a Russian individual for his role in the breach of the Medibank Private network.”

According to the official sanctions notice, Ermakov is 24 years old and known under several aliases: GustaveDore, aiiis_ermak, blade_runner, and JimJones.

Australian Cyber Security Centre boss Abigail Bradshaw said that naming Ermakov would strike a blow to the hacker’s ability to “trade in anonymity”.

“It is a selling quality, and so naming and identifying with the confidence that we have from our technical analysis will, most certainly, do harm to [Ermakov’s] cyber business,” Bradshaw said.

In a separate statement, Foreign Minister Wong went into more detail.

“The Australian government has imposed a targeted financial sanction and a travel ban on Aleksandr Ermakov,” Foreign Minister Wong said. “This sanction makes it a criminal offence, punishable by up to 10 years’ imprisonment and heavy fines, to provide assets to Aleksandr Ermakov, or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.”

Foreign Minister Wong also said that “other leads” were being pursued as the investigation remains ongoing.

The Medibank hack was one of a string of high-profile attacks that placed cyber security front and centre in the minds of many Australians in 2022. It saw the personal details and medical records of about 9.7 million people compromised, some of which were published online.

At the time, a ransomware group called REvil was being investigated by the AFP, and the group had even been in contact with Medibank during negotiations on ransom payments. The group was demanding $15.6 million to not publish the data.

Lawyers Weekly has extensively covered the fallout from the hack. You can read that coverage here.

Aside from the reputational costs, Medibank is facing several class actions, as well as a $250 million penalty levied by the Australian Prudential Regulation Authority (APRA). Medibank itself has forecast the total cost for the hack to end up at $35 million in 2024.