In October 2022, at least 9.7 million Medibank customers had information including names, dates of birth, addresses and phone numbers compromised, some of which were published on the dark web.
But a joint operation conducted by the Australian Signals Directorate and the Australian Federal Police with other agencies and international partners was able to link a Russian citizen and cybercriminal for his role in the cyber attack.
The Australian government responded on Tuesday, imposing cyber sanction powers for the first time on Aleksandr Ermakov.
This means it will be a criminal offence to provide assets, overhaul, or use or deal with Ermakov’s assets, including through cryptocurrency wallets or ransomware payments – any breaches will be punishable with up to 10 years in prison.
Home affairs minister Clare O’Neil called the cybercriminals “cowards and scumbags who hide behind technology”.
“This is a very important day for cyber security in our country,” she said.
“It has helped us understand the enormous cost is a problem … and showed us something about the calibre of people we are dealing with.
There are a number of Russian cyber gangs at the heart of the threats Australians face, according to the government.
The sanctions imposed are part of Australia’s efforts to debilitate these organisations.
Many of them are dynamic and work in clusters, Australian Cyber Security Centre chief Abigail Bradshaw said, so naming and identifying cybercriminals will hurt their efforts.
Foreign affairs minister Penny Wong said the sanctions sent a message.
“There are costs and consequences for targeting Australia and targeting Australians,” she said.
“The sanctions are part of Australia’s efforts to ensure that we uphold the international rules-based order.”
Opposition cyber security spokesman James Paterson said the Coalition welcomed the sanctions but criticised the length of time between the data breach and the penalties being imposed.
“What the Albanese government has not explained is what has taken them so long,” he told Sky News.
“In December (2022), the Department of Foreign Affairs and Trade acknowledged that they provided advice to the minister to do their sanctions, and in May 2023, the Australian Signals Directorate admitted that they had provided technical assistance for an attribution for this to happen.”
Paterson said while it was unlikely Russia’s government would penalise Ermakov, work was needed to minimise the likelihood of further cyber attacks.
“Cyber sanctions are important though, because what we’re trying to do is shape international norms, we’re trying to put a cost to this behaviour,” he said.
“We cannot just click our fingers and make this go away.”
Australian Associated Press
Any feedback or news tips? Here’s where to contact the relevant team.