On Jan. 23, 2024, the Australian government announced with high confidence that a 33-year-old Russian man, Aleksandr Gennadievich Ermakov, was an integral part of a cyberattack against Medibank Private Ltd., one of the country’s largest health insurers. The October 2022 attack stole millions of records containing personal information and sensitive medical data from Medibank’s systems, which were later released publicly as part of an extortion attempt. The attack caused a furore due to its gross moral offensiveness. The attackers selected the most sensitive health records for release first, purposefully targeting vulnerable people. Australian Home Affairs and Cyber Security Minister Clare O’Neil said in a news conference about Ermakov that the Medibank attackers “are cowards and they are scumbags.” The incident, as well as a large data breach and extortion attempt affecting telecommunications operator Optus just weeks before in September 2022, triggered government inquiries and legislative changes that focused on how personal data can be better secured, how organizations can better defend themselves and how the government can hack back at professional cybercriminal gangs, particularly those in safe haven countries such as Russia.
Difficult Investigation
Ermakov’s identity was uncovered by the Australian Signals Directorate (ASD) and the Australian Federal Police (AFP). According to a Jan. 23, 2024, exclusive interview with Australia’s Channel 9, ASD Acting Director-General Abi Bradshaw said the investigation met dead ends at times. But the ASD drew on help from other Five Eyes intelligence partners (the NSA, FBI and GCHQ in the U.K.) as well as data from private industry including Microsoft, which wrote about its role here. Bradshaw says Microsoft’s data reinforced the government’s confidence in Ermakov’s real-world identification. Also critical was Medibank’s sharing of indicators of compromise (IoCs) within hours after the attack. Bradshaw says Ermakov had a long history in the cybercrime business and a range of affiliations with other well-known cybercriminals, but also had “sloppy tradecraft” — a reference to how careless cybercriminals can be.
For the first time, Australia applied its autonomous cyber sanctions regime, created in December 2021 specifically for significant cyber incidents, by sanctioning Ermakov. As a result, Ermakov is now subject to a travel ban as well as targeted financial sanctions. Australia released Ermakov’s online nicknames (blade_runner, GustaveDore, JimJones, aiiis_ermak). The U.S. and U.K. imposed sanctions on Ermakov and released additional online identifiers for him (GistaveDore, [email protected]). These identifiers appear in our historical adversary intelligence, and we’ve also connected these identifiers with other ones, including GistaveDore, gustavedore, GustaveDore, Gustave7Dore, ProgerCC, SHTAZI and shtaziIT. These identifiers are linked to a wide range of cybercriminal activity, including network intrusions, malware development and ransomware attacks.
Intel 471 has collected adversary intelligence over several years about Ermakov that confirms Bradshaw’s view of his extensive involvement in cybercrime. Ermakov had a robust presence on cybercriminal forums and an active role in the cybercrime-as-a-service economy, both as a buyer and provider and also as a ransomware operator and affiliate. It also appears that Ermakov was involved with a software development company that specialized in both legitimate and criminal software development. Additionally, open source intelligence (OSINT) indicates that Ermakov publicly claims he is a psychologist. We could not confirm this claim. Ermakov’s Telegram handle, aiiis_ermak, shows he joined several Telegram groups that appear to be related to psychology. Another data source that showed a curriculum vitae (CV) indicated he was interested in jobs related to digital management but did not mention psychology.
What follows is some of the notable activity we observed about the identifiers associated with Ermakov.
Threat Actor: JimJones
Australia identified JimJones as one of Ermakov’s identifiers. Intel 471 observed that JimJones joined a Russian-language underground cybercriminal forum known as Exploit in November 2019. JimJones provided an ID for the Jabber instant messaging service, [email protected], and the Telegram username @gustavedore. On the forum, JimJones focused on promoting a malware development service and an information technology (IT) company called Shtazi IT. The shtazi[dot]ru domain name was registered June 2, 2020, using a privacy protection service. Through the course of open source research, we identified dozens of publicly available posts promoting the Shtazi IT company’s services and seeking investors for projects. Two other online nicknames used by Ermakov were SHTAZI and shtaziIT. The Shtazi IT website remains online today.
On Sept. 2, 2020, JimJones advertised a malware development service on the Exploit forum and sought investors for ransomware development. The actor claimed to run a team of developers and allegedly had developed a code base for a ransomware application. Buyers were required to pay US $5,000 directly for coding services and then another US $20,000 in escrow. JimJones offered to provide source code and support, claiming that the code would be a “ready-to-use” ransomware program. Under an additional term of the deal, JimJones would get 5% of the ransoms paid. This arrangement is typically known as a ransomware-as-a-service (RaaS).
Between December 2019 and August 2020, we observed a range of significant posts by JimJones on the Exploit forum revolving around malware, spamming, ransomware and intrusions:
— Dec. 3, 2019: Announced a malware development service and provided the Jabber ID [email protected] and Telegram username @GustaveDore for communication. The actor offered to develop projects targeting social media, parsers, account-checking and brute-forcing tools, as well as click bots and spamming tools.
— Jan. 5, 2020: Offered to provide a spamming service.
— May 25, 2020: Offered software development services and claimed to be capable of coding in the Hypertext Preprocessor (PHP) and Python programming languages.
— June 15, 2020: Announced an advertisement thread for the actor’s IT company dubbed Shtazi IT at shtazi[dot]ru.
— June 30, 2020: Announced a malware development service in the C++ programming language. The actor claimed to operate a team of three coders.
— July 29, 2020: Offered to develop a ransomware affiliate program and claimed the malware would be written in the C++ programming language and meet each customer’s requirements.
— Aug. 8, 2020: Sought to hire penetration testers to conduct attacks on corporate networks and provided the [email protected] and [email protected] Jabber IDs.
As stated before, Ermakov has been linked to many online identifiers. In September 2020, the threat actor invited other coders to a Telegram channel, which revealed another identifier that is very close to his real name. The Telegram channel was launched by the username @Alexandr_Ermak with a name alias of Alexandr Ermak. Alexandr Ermak regularly shared software and malware requirement specifications within the group, which suggested he might be one of the masterminds behind the project. At the time, we assessed that Alexandr Ermak might be JimJones’ real name or yet another alias the actor used to run the semi-legitimate software development business. The Telegram profile photo for the @Alexandr_Ermak account appears to match the photos of Ermakov released by Australia’s Department of Foreign Affairs and Trade.
Later in 2020, we observed JimJones become heavily involved in ransomware and specifically look to hire unethical penetration testers. Penetration testers are security professionals who specialize in finding weaknesses in networks so organizations can repair them. JimJones, however, was looking for unethical penetration testers who would supply login credentials for vulnerable organizations so that ransomware attacks could be launched. JimJones also sought people who could install ransomware for a cut of the ransom. Below is another advertisement posted by JimJones on the Exploit forum Aug. 8, 2020.
By November 2020, our analysts had assessed that JimJones was using and operating several different ransomware strains, including a private undisclosed strain and one developed by the REvil gang. This is a crucial retrospective clue as to one mysterious aspect around where on the internet the Medibank data was published.
On Oct. 13, 2022, Medibank disclosed a cybersecurity incident. A forensic investigation showed the attackers compromised Medibank’s systems and demanded around US $10 million to not publicly release the data. As recommended by the Australian government and law enforcement, Medibank didn’t pay the ransom. The initial access vector was traced to stolen login credentials for a third-party IT services provider. Medibank said the stolen credentials were used to gain access through a misconfigured firewall. The attackers then were able to obtain other system credentials and move laterally through its network.
Curiously, the data was released on a blog that had at one time been controlled by the REvil ransomware group. REvil was a RaaS group that provided malware and infrastructure to affiliates, who carried out attacks and paid an affiliate fee to the gang. The group was responsible for some of the largest attacks on record, including a massive supply chain attack that exploited software company Kaseya’s remote monitoring and management software, as well as attacks on JBS Foods and the state of Texas.
For context, data leak blogs are usually hosted on a hidden Tor service to obscure their true hosting. The blogs are used to pressure ransomware victims into paying. By the time of the Medibank attack, the REvil group had dissolved after the series of high-profile attacks mentioned before and disruption by law enforcement. The posting of Medibank’s data on that blog, however, indicated a connection with that group, although the connection wasn’t clear at the time. This makes sense in retrospect, as Ermakov’s group had also been a REvil affiliate.
Assessment
Australian law enforcement and intelligence agencies, which have special legal powers and capabilities, identified Ermakov. This is why until Jan. 23, 2024, there remained only speculation and hunches about the origin of the Medibank attack. The technical data related to it remained in closed law enforcement and national security circles. But the naming of Ermakov along with his online nicknames has allowed us to go back and show a detailed, historical profile of the threat actor behind this attack. It also illuminates how this attack happened based on the tactics, techniques and procedures (TTPs) used by this threat actor.
The initial access vector used against Medibank was a set of leaked credentials from a third-party contractor. This is a type of identity and access management compromise that is a frequent cause of intrusions. We see threat actors collecting and selling login credentials on a vast scale in underground markets. These credentials may be posted for as little as a day before the data is bought by other actors and then exploited for data theft, ransomware, fraud and more. To stay ahead of this, it’s critical for organizations to monitor these offerings on markets and in new data dumps. By using cyber threat intelligence (CTI) to understand if threat actors are selling credentials, it’s possible to monitor those accounts and reset passwords before malicious actors gain access to systems.
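The credential-monitoring workflow just described, as an added example that is not Intel 471’s code and is not part of the original post: it parses a constructed credential dump in the common email:password layout, keeps only entries for the organization’s own domain and a third-party contractor domain, and compares each leaked password against the account directory so that accounts whose current password is exposed are queued for an immediate reset. The domain names, accounts, passwords and the unsalted SHA-256 hashing are all assumptions made to keep the example self-contained.

```python
import hashlib
from typing import Dict, Iterable, Set

# Constructed sample dump in the common "email:password" layout. Every value here
# is made up for this example; none of it comes from the Medibank case.
CONSTRUCTED_DUMP = """\
alice@contractor.example:Winter2022!
bob@example.com:hunter2
Carol@Contractor.Example:Winter2022!
alice@contractor.example:Winter2022!
erin@example.com:letmein
garbage line with no separator
dave@other.example:pass:with:colons
"""

# Assumed domains whose accounts we monitor: our own plus a third-party contractor's.
MONITORED_DOMAINS: Set[str] = {"example.com", "contractor.example"}


def password_hash(password: str) -> str:
    """Unsalted SHA-256, used only to keep the example self-contained.
    A real directory stores a slow salted hash (bcrypt, scrypt, argon2) and you
    would verify the leaked password with that library instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed account directory: lowercase email -> current password hash.
ACCOUNTS: Dict[str, str] = {
    "alice@contractor.example": password_hash("Winter2022!"),  # still uses the leaked password
    "bob@example.com": password_hash("correct horse battery staple"),  # already rotated
    "carol@contractor.example": password_hash("Winter2022!"),
}


def parse_dump(text: str) -> Dict[str, Set[str]]:
    """Return {lowercase email: {leaked passwords}}. Splits on the first ':' only,
    so passwords containing ':' survive; lines without a separator are skipped
    and repeated entries collapse into one."""
    leaked: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        leaked.setdefault(email, set()).add(password)
    return leaked


def triage_dump(text: str, accounts: Dict[str, str], domains: Iterable[str]) -> Dict[str, str]:
    """Map each leaked account in a monitored domain to an action:
    RESET_NOW            - account exists and a leaked password is its current one
    EXPOSED_OLD_PASSWORD - account exists but the leaked password is no longer valid
                           (still worth watching for reuse elsewhere)
    UNKNOWN_ACCOUNT      - monitored domain but no such account (former staff,
                           contractor, or a typo in the dump)
    """
    domains = {d.lower() for d in domains}
    actions: Dict[str, str] = {}
    for email, passwords in parse_dump(text).items():
        if email.rsplit("@", 1)[1] not in domains:
            continue  # not our organisation or our contractor; ignore
        current = accounts.get(email)
        if current is None:
            actions[email] = "UNKNOWN_ACCOUNT"
        elif any(password_hash(p) == current for p in passwords):
            actions[email] = "RESET_NOW"
        else:
            actions[email] = "EXPOSED_OLD_PASSWORD"
    return actions


if __name__ == "__main__":
    for email, action in sorted(triage_dump(CONSTRUCTED_DUMP, ACCOUNTS, MONITORED_DOMAINS).items()):
        print(f"{action:22} {email}")
```

The contractor domain is treated exactly like the organization’s own, because, as the Medibank case shows, a third party’s leaked credentials can be the intrusion’s first step; accounts flagged UNKNOWN_ACCOUNT are still reported rather than silently dropped, since an account missing from the directory may be a departed contractor whose access was never fully revoked.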
We know that Ermakov and his group sought to hire people to steal and obtain login credentials. It is not out of the realm of possibility that this may have been how these third-party contractor credentials were obtained. We also now know that Ermakov was an affiliate of the REvil ransomware group. It is still not clear why Ermakov’s group came to control the former data leak blog for REvil. But it is clear that his group ran in the same circles, and in retrospect, completes a part of that puzzle.
Fighting organized cybercriminal groups residing in safe haven countries is difficult. But naming-and-shaming and sanctioning make it hard for these actors to live normal lives or travel. It’s an important tool and one that we must use if extradition and prosecution are not possible. However, it’s important to keep in mind that some ransomware actors have continued their activity even after they’ve been publicly identified. This person and his group of associates remain an active, dangerous threat actor group, so Australian organizations should remain vigilant.
This was an egregious incident that caused anxiety and worry for a nation. But Ermakov didn't obtain a ransom. The stigma of this attack will follow him. This naming-and-shaming shows other ransomware actors they could be publicly identified, which for some may be a deterrent. For more information on the kinds of threat intelligence Intel 471 collects on ransomware groups and how it can help in defense, please contact us.