UK, US and Australia sanction Russian citizen over Medibank hack

Australia, the U.K. and the U.S. have imposed financial sanctions and travel bans on a Russian hacker over his alleged role in the 2022 attack on the health insurance provider Medibank.

Aleksandr Ermakov, 33, was allegedly involved in the unauthorized release and publication on the dark web of Medibank customer data following an October 2022 ransomware attack, according to the Australian Signals Directorate.

The hackers gained access to the personally identifying information of approximately 9.7 million current and former customers of the company.

After Australia announced the sanctions on Monday, the U.K. and the U.S., who were involved in the investigation of the Medibank hack, followed suit on Tuesday.

British authorities called this penalty their latest effort "to counter malicious cybercriminal activity emanating from Russia that seeks to undermine integrity and prosperity” of the U.K. and its allies.

The trilateral action between Australia, the U.K., and the U.S. — the first such coordinated effort — "underscores the collective resolve to hold these [Russian] criminals to account," according to a statement by the U.S. Department of Treasury.

“Russia continues to provide a safe haven to ransomware actors like Ermakov, enabling cyber actors to freely perpetrate ransomware attacks and other malicious cyber activities,” the statement said.

Under the sanctions, it is a criminal offense, punishable by up to ten years in prison and heavy fines, to provide assets to Ermakov — as well as to use or deal with his assets, including through cryptocurrency or ransomware payments — according to a statement by the Australian Minister for Foreign Affairs Penny Wong.

Ermakov, also known by his alias “Gustave Dore” and “blade_runner,” is believed to be part of the infamous Russian cybercrime group REvil — one of the most active ransomware gangs.

“This is the first time an Australian government has identified a cybercriminal and imposed cyber sanctions of this kind, and it will not be the last,” said Clare O’Neil, the Australian minister for home affairs and cybersecurity.

In a statement on Tuesday, O’Neil called the Medibank cyberattack “the single most devastating” in Australia. The stolen records included sensitive medical information, such as records on mental health, sexual health and drug use. Some stolen data was posted on the hackers' darknet website before it was taken offline.

“The Medibank breach showed the kind of people we are dealing with: scumbags and cowards who hide behind technology,” O’Neil said.

The Australian authorities have been investigating Medibank's attack for 18 months. They identified the perpetrators of the hack last November but didn't name them, describing the hackers as "a group of loosely affiliated cybercriminals" from Russia.

Public disclosure and sanctioning of Ermakov became possible with the enactment of Australia’s autonomous cyber sanctions framework, which applies financial penalties on individuals connected to significant cyberattacks.

“The use of these powers sends a clear message — there are costs and consequences for targeting Australia and Australians,” Wong said.

“Today is a warning to cybercriminals. If you commit cybercrime against Australians, we will never stop looking for you. We will unveil who you are and we will make sure you are held accountable,” O’Neil said.

The Russian government hasn't publicly responded to sanctions against Ermakov and his alleged involvement in the Medibank hack. Ermakov's current whereabouts are unknown.

In response to an email inquiry from Recorded Future News, Ermakov denied any wrongdoing. "I don’t understand how this applies to me at all, I don’t do anything like that," he said.

Additional reporting by Alexander Martin.