The Australian Financial Review has uncovered more details about the life of Aleksandr Ermakov, the Russian who held the personal medical details of millions of Aussies to ransom.
Feb 19, 2024 – 10.00am
The Russian hacker accused of stealing the medical records of millions of Australians in the Medibank attack once held a legitimate day job in corporate reputation control. By night, he allegedly turned those skills to extortion, hacking a nation from his modest Moscow apartment.
An investigation has uncovered a decade-long trail of Aleksandr Ermakov’s online activity.
Aleksandr Ermakov, the man sanctioned by the Australian government over the Medibank hack, is snapped at a Moscow business networking event in 2016.
The junior executive pursued introductions and exchanged business cards at networking events, noting his “upper-intermediate” English skills and an aptitude for forging relationships.
The Medibank hack shocked Australia in late 2022 when the personal information of about 9.7 million current and former customers was stolen. After attempts to elicit a ransom payment failed, citizens’ data was publicly posted, including the medical records of people treated for drug and alcohol addiction or mental health conditions, and of those who had had abortions.
While the Australian government named and sanctioned Ermakov for his links to the Medibank hack when three of its most senior ministers fronted a press conference in January, it gave few details about his background. Now it can be revealed that he had a career in social work and digital strategy, and a home just a 20-minute drive from the Kremlin.
Details of Ermakov’s life can be pieced together by tracking his often anonymous online presence with his own personal data, which has ironically been compromised in earlier cyberattacks and leaked online.
An anonymous resume, first posted on a Russian equivalent to LinkedIn called HeadHunter, details the career of a 33-year-old male Moscow resident born on May 16, 1990, the same date of birth published in the sanctions against him.
It can be confirmed as Ermakov’s resume because HeadHunter’s account registration records were hacked and posted online in 2018, and the account that owns the resume matches an email address for Mr Ermakov listed in the government’s sanctions notice.
The resume says Ermakov graduated with an economics degree from Moscow State University of Technology and Management in 2014, two years after beginning his first job, in payroll, contracts and accounting, at the state-owned social welfare organisation the State Budgetary Institution Territorial Centre of Social Service.
This agency describes itself as supporting the elderly, disabled and families, including through psychology services.
He listed responsibilities including “overseeing calculations and deadlines for contractual obligations,” experience that may have been put to use if he was part of the attempts to negotiate and extort a ransom out of Medibank, something that has not been confirmed by the government.
Describing his tasks on his resume, Ermakov spoke of “Developing products that will be for people” and “bringing benefits and feeling joy from it”.
“I easily make contact with new people,” he adds.
Contacting Ermakov in 2024 is not so easy, however. It is unclear how his life has changed since his unmasking, but he has not responded to repeated SMS and WhatsApp messages from The Australian Financial Review.
A social media profile, including some of the pictures published by the Department of Home Affairs at the time of Mr Ermakov’s unmasking.
His phone number was verified against three online sources from data breaches: his leaked HeadHunter registration, a 2020 leak from an e-commerce blockchain service and a leaked 2021 medical record, plus two social media accounts.
A 2015 profile on the Russian social network OK features one of the three photos the Australian government published in January, and a Facebook account bears two.
Two years after his social welfare role, in 2014, his career pivoted to technology, and he became a “digital manager” for a now-defunct sportswear company called Swoosh’es.
His responsibilities included overseeing “promotion on the internet based on the principle of word-of-mouth” and “social media”. His CV also lists responsibility for advertising, analytics, search engine optimisation and internet traffic monitoring.
Mr Ermakov engages in business pleasantries at a networking event.
In an interesting hint at his growing understanding of the potential damage to a firm’s reputation from online data breaches, Ermakov oversaw the “development and implementation of a comprehensive strategy for managing [its] online reputation”. His CV also claims “upper-intermediate B2 English proficiency” and that he is “stress-resistant”.
A more recent and longer-term job, according to his CV, was as a corporate sales manager at a wholesaler of household goods named Trade House Skikea. It is still listed as his current role since 2014, but the company was liquidated last year.
Meet and greet
Ermakov sought corporate connections through Business Family, a Russian entrepreneurial networking society. Previously unreported photos show him attending social events at up-market Moscow bars between June and September 2016.
The Moscow apartment block where Mr Ermakov is known to have lived.
Business Family describes itself as an organisation “for finding business partners, clients, friends, or simply enjoying pleasant conversations among interesting people”. The Financial Review has confirmed his Business Family account is registered using the same mobile number obtained online, as well as the email address published in the Australian sanctions.
His living arrangements show little evidence of a life enriched by the spoils of cybercrime. His residence was tracked to a Soviet-era, 1965-built apartment complex, just a 20-minute drive from the Kremlin. It was from this unassuming base that he allegedly perpetrated the largest cyber ransom attack in Australian history.
The mid-market suburban Moscow district has a mix of residential and commercial properties, with a neighbouring two-bedroom apartment now advertised for the equivalent of $350,000.
Health data
In a foreshadowing of the kind of exposure Ermakov would help inflict on Australians, the Financial Review saw leaked data available from a Russian pathology clinic at which Ermakov became a patient in April 2021, the same year the clinic was hacked. This includes his passport details, health insurance details and address.
A Snapchat profile registered to Mr Ermakov exists, but has so far ignored friendship requests.
The data lists the same mobile number, as well as the email address, middle name, and date of birth released in the sanctions notice.
Unlike what Ermakov is alleged to have done, the Financial Review will not publish such sensitive information or any details of the clinic and its medical specialty.
In a further attempt to contact Ermakov, a friend request was sent to a Snapchat account registered with his mobile number. The request remains unaccepted.
Other than one call that lasted two seconds, Ermakov did not answer or return calls to his number.
Copyright for syndicated content belongs to the linked Source : Australian Financial Review – https://www.afr.com/technology/revealed-the-respectable-life-of-the-suspected-medibank-hacker-20240209-p5f3sp