Photo: Mick Tsikas/AAP
Australia has used its new cyber sanctions powers for the first time against a Russian citizen, Aleksandr Ermakov, in relation to the Medibank Private data breach.
Magnitsky-style sanctions laws introduced in Australia in late 2021 include a world-leading measure to allow Australian travel bans and asset freezes for those allegedly involved in “significant” cyber attacks “.
Australia, like many countries, has adopted sanctions laws named after the corruption whistleblower Sergei Magnitsky. These measures usually target individuals alleged to be involved in serious corruption or human rights violations. But Australian laws also allow for sanctions to punish alleged malicious cyber activity.
The Australian government announced on Tuesday that it was imposing sanctions under the new law on 33-year-old Russian citizen Aleksandr Gennadievich Ermakov.
Related: Russian Medibank hackers could be first targets of Australian sanctions against cyber attackers
In a statement, the government said police and intelligence agencies worked with international partners to link Ermakov “to the compromise of the Private Medibank network” in 2022.
He said that this decision, punishable by up to 10 years in prison and heavy fines, provides assets to Aleksandr Ermakov, or uses or deals with his assets, including through a cryptocurrency wallet or ransomware payments”.
About 9.7 million customer records were taken in the Medibank Private data breach, including dates of birth and Medicare numbers.
The records included sensitive medical information such as procedures required by policyholders related to termination of pregnancy and miscarriage. Some records were published on the dark web.
Australia’s federal police commissioner, Reece Kershaw, had already said he had information that hackers in Russia were allegedly responsible for the Medibank data breach.
The story continues
The foreign affairs minister, Penny Wong, signed the sanctions decision on Monday. The sanctions notice said Ermakov, who was born in Russia on May 16, 1990, was also known as Alexander Ermakov, GustaveDore, aiiis_ermak, blade_runner or JimJones.
“This listing demonstrates Australia’s continued commitment to deterring and responding robustly to malicious and significant cyber incidents,” said an explanatory statement accompanying the sanctions announcement.
“The listing acts in our national interest to impose costs on, influence and deter those responsible for malicious cyber activity.”
At a media conference in Canberra on Tuesday, officials answered questions about what practical impact the cyber sanctions would have on the alleged hacker.
The head of the Australian Cyber Security Center at the Australian Signals Directorate, Abigail Bradshaw, said: “We have a lot of information about Mr Ermakov through our analysis … [Anonymity] It is a selling quality, and hence a designation [him] and identify [him] and our confidence in our technical analysis will certainly harm Mr. Ermakov’s cyber business.”
The deputy prime minister, Richard Marles, said Australia was the first person in the world to nominate Ermakov and that he would have a “very significant impact”.
“The Australian Signals Directorate and the Australian federal police have worked tirelessly over the past 18 months to root them out. [allegedly] responsible for the cyber attack on Medibank Private and for ensuring that Australians are protected from malicious cyber activity,” Marles said.
Wong said the government expected the sanctions measure to have “financial consequences” for Ermakov.
Home Affairs Minister Clare O’Neil also issued “strong advice” to businesses not to pay ransoms to alleged cybercriminals, saying this did not guarantee the recovery of sensitive data but “makes Australia a target more attractive to criminal groups”. .
The Coalition’s home affairs spokesman, James Paterson, who called for the cyber sanctions to be used against the Medibank hackers in late 2022, welcomed the move but said it was “not clear why it has been taken so long”.
“This is a challenging issue. We can just click our fingers and make this go away,” Paterson told Sky News on Tuesday.
“If like-minded countries around the world help shape these norms by putting a cost on this behavior, it won’t make it stop but it will make it less likely if we do nothing.”
Professor Nigel Phair, a cyber security expert from Monash University, said it was difficult to assign cyber criminals.
“Although this person (or probably anyone else) will probably not be caught, it puts sand in the gears of the [alleged] cybercriminals by degrading their efforts to work with others in future criminal proceedings,” said Phair.