Medibank hacker linked to Russian hacking syndicate REvil – ABC News
Australian authorities have confirmed that Aleksandr Gennadievich Ermakov — the mysterious Russian hacker involved in the 2022 Medibank breach — is a member of hacking syndicate REvil.
REvil is one of the most notorious cybercrime gangs in Russia and has long been suspected to be the perpetrator of the Medibank breach.
While the details released about Ermakov so far are scarce, his ties to the Russian gang are telling about the nature of the attack.
Two Australian cybersecurity experts agree Ermakov was unlikely to have been working alone, despite him being the only one identified by authorities.
REvil sells hacking tools to inexperienced hackers in return for a share in the spoils.
It is one of several high-profile hacker gangs in Russia that operate like business franchises, where they supply the infrastructure needed for breaching company databases, and then either exfiltrating or encrypting the data.
They also offer end-to-end hacking services, says Mohiuddin Ahmed, a senior lecturer of computing and security at Edith Cowan University.
"For example, there is a price tag for hacking into certain critical infrastructure in Australia," he says.
The most visible part of the hacking infrastructure offered by REvil is the website used for facilitating the ransom payment itself, which operates like a support site.
"These sites are designed to deal with situations like, 'How do we help Grandma pay her ransom demand in Bitcoin?'," explains Troy Hunt, a cybersecurity and data breach expert.
"Fortunately, the friendly operator is there to help you all the way through."
REvil was reportedly behind a ransomware attack on Australian food producer JBS Foods, and received a $14 million ransom for its efforts.
The mercenary attitude and focus on maximising profit is an indication of the gangs' self-professed apolitical stance.
LockBit — which is the most prolific ransomware gang in the world and is also based in Russia — released a statement in 2022 saying "for us, it is just business".
"We are only interested in money for our harmless and useful work," it said.
From April 1, 2022, to March 31, 2023, LockBit made up 18 per cent of total reported Australian ransomware incidents, according to an advisory released by the Australian Signals Directorate (ASD).
In November 2022, one of REvil's sites started redirecting to the one that had posted the stolen Medibank data, according to the Australian Financial Review (AFR).
At the time, cybersecurity experts told AFR this transitory piece of evidence narrowed the perpetrators to either REvil or someone with access to its servers.
Attributing blame in these situations is complicated by how few "clear, distinct lines" exist between members of Russia's hacking gangs, says Mr Hunt.
"[Ermakov] may well be someone who's moved between different groups," he says.
"We all go through different careers in our life."
It's one of many parallels between how legitimate businesses and these hacking syndicates operate.
According to advice from ASD, some gangs support the "deployment of their ransomware in exchange for upfront payment, subscription fees, a cut of profits", and attempt to attract attention to their products through publicity stunts.
While there would be others — including other members of REvil — involved in the Medibank breach, Ermakov being named likely means he played a "pivotal role", says Mr Hunt.
There could be a "significant amount" of information that law enforcement is yet to release about the perpetrators of the Medibank breach, he says.
"It's not like it's this one lone wolf who's written this whole thing and has been solely responsible for both the malware and the infection of Medibank."
The government publicly named the 33-year-old Russian citizen and "cyber criminal" it says is behind the data breach, but did not go into specifics about his role in the attack.
Dr Ahmed believes that a single identity was likely released due to the difficulty attributing cybercrime to individuals.
"Proving that someone is linked to a particular cybercrime — that takes a lot of evidence," he says.
Authorities confirmed that investigations into other individuals linked to the attack are ongoing.
"It has been a painstaking effort to get to the point of naming this individual," said Deputy Prime Minister Richard Marles at the press conference where Ermakov was first named.
Yevgeniy Polyanin, another member of REvil, was identified by the FBI in 2021 as the culprit of multiple cyber attacks on American companies.