The weakness that saw Medibank hacker exposed


Exclusive: He was good. Very good, in fact.

But the Medibank hacker had a weakness: his ego.

And this helped cyber warriors in the Australian Signals Directorate (ASD) identify Aleksandr Ermakov as responsible for the nation's worst cyberhack, which saw private details of almost 10 million Australians leaked.

Acting Director-General Abi Bradshaw said the hacker had "some sloppy tradecraft".



"Ermakov had some sloppy tradecraft and at ASD, you can only make that mistake once if you're a criminal," ASD Acting Director-General Abi Bradshaw told 9News in an exclusive interview.

What aided ASD's investigation was that Medibank Private brought in expert help when it discovered its computer networks had been hacked.

ASD's response team, led by senior cyber spy "Joan", identified some particular methodologies in the hacker's attack on Medibank's networks and knew where to look to begin the hunt.

"Within days of the attack, we had a very strong confidence that he was operating out of Russia," Joan said.

The dark web is a hangout for cybercriminals selling all sorts of illicit and dangerous goods, from firearms to drugs, pornography and stolen data.

And sure enough, ASD found a couple of characters purporting to have the leaked Medibank data.

One was called "Tegyrios".

The other had the online moniker "Jacenreign".

On close inspection, ASD cyber spies, posing as potential buyers, confirmed that Tegyrios and Jacenreign indeed had the Medibank data.

But neither was the original hacker.

Joan explains how the ASD tracked down Ermakov.

Dark web forums helped the ASD identify who had the leaked Medibank data.

Here is where Ermakov's ego tripped him up.

"There is an element of complacency for cybercriminals like Ermakov," Joan explains.

"They don't expect to get caught. So for somebody like us, we play on that, which is why we're able to find them in places that they may not expect us to be looking.

"Forums where they think that they've appropriately disguised themselves, or on social media where they think we can't identify them."

Joan is ASD's director of counter-cybercrime.

She has a PhD in criminology and was in charge of a team of forensic experts, psychologists, lawyers and computing experts.

The joint ASD-AFP Medibank investigation involved 90-100 people, many of whom are used to exploring the dark recesses of the online world.

"There are many spiders in the dark web and some of those spiders are ASD spiders, and part of our job is to hang out in those dark web forums," Bradshaw says.

"To imagine where cyber criminals may be lurking, to listen to their conversations, and to procure information in that way."

There were many dead ends in the Medibank investigations, Bradshaw says, but it was Ermakov's overconfidence that brought him unstuck.

Ermakov was using various aliases in an attempt to disguise his identity.

Jim Jones was one of Ermakov's online identities.

Others were "gustavador", "bladerunner" and "iaas_ermak".

But one thing he couldn't change was his methods.

And they allowed a triangulation of digital data, aided by the work of the Australian Federal Police and intelligence agencies in the US and UK, including the FBI and GCHQ.

Various data points allowed ASD to slowly identify Ermakov as the Medibank hacker.

Bradshaw spoke to 9News National Affairs Editor Andrew Probyn.

Aiding the cyber spooks was his known association with the Russian ransomware group REvil, which was responsible for various cyberattacks across the globe, including the May 2021 sting on Colonial Pipeline and the cyberattack on software company Kaseya two months later.

JBS Meats in Australia was also affected in 2021 when REvil targeted its US parent company.

Ermakov, a 33-year-old Moscow resident, has been slapped with travel and financial sanctions by Australia but he has not been arrested.

That said, Ermakov's ability to trade stolen data has been curtailed now his anonymity has been blown.

Bradshaw says ASD's job tracking down his co-conspirators is not finished.

"Ermakov is only one part of this investigation and I can assure you that the dedicated officers of ASD and AFP are continuing this hunt," Bradshaw said.

9News asked Joan if Ermakov knew he'd been caught.

"I hope he does," she said.