Siberian nightlife can offer unexpected opportunities, as shown by a case involving Australian cyber spies. They took advantage of local criminals indulging in a vodka-fueled night to dismantle a multimillion-dollar operation run by Russian criminals who had been storing stolen data.
This was not just any data. It included a massive trove of sensitive health information from millions of Australians, including details about mental and sexual health conditions, taken from the insurer Medibank in August 2022. The stolen information, totaling 520 gigabytes and encompassing 9.7 million records with personal data such as names, birthdates, addresses, Medicare numbers, and passport details, was found on servers run by five Russians in a remote industrial town on the West Siberian Plain, about three hours from the Kazakhstan border.
The Australian Signals Directorate (ASD), the nation’s cyber intelligence agency, was already aware of the identity of the thief: Aleksandr Ermakov, a Moscow-based hacker. Ermakov had been arrested by Russian authorities for other ransomware-related crimes, in which victims’ data is stolen and then extorted for payment to retrieve or delete it.
The real challenge for the ASD was pinpointing where Ermakov had stored the stolen data.
“People often imagine cybercrime as just a lone hacker in a basement,” says Georgina Fuller, head of counter-cybercrime efforts at the ASD. “But what many don’t realize is that these criminals are backed by a complex ecosystem of illicit businesses that enable their operations.”
For Ermakov, this ecosystem included an obscure company named ZServers, based in Barnaul, a Siberian city that’s closer to Mongolia than Moscow. ZServers had advertised its services on dark web forums, boasting of operations dating back to 2011, and provided hosting solutions designed for criminal activities. These included tools like “Brute” for forced system access, “Scan” for vulnerability assessments, and “Cracking Allowed” for bypassing security measures.
ZServers also marketed itself as offering “bulletproof hosting” – a service supposedly impervious to law enforcement actions, thanks to its location in a jurisdiction that does not cooperate with Western authorities. This claim was backed up by substantial payments in cryptocurrency, which the ASD believes the company received.
At the helm of ZServers was Aleksandr Bolshakov, 30, alongside two other key figures, Aleksandr Mishin (also 30) and Ilya Sidorov (32). The rest of the team consisted of Igor Odintsov, 30, and Bolshakov’s younger brother Dmitriy, a 23-year-old weightlifter with an affinity for firearms. Intelligence agencies from the Five Eyes nations (Australia, the US, UK, Canada, and New Zealand) were aware of ZServers’ shady dealings before the Medibank hack, but the Australian Signals Directorate honed in on it after the breach due to Ermakov’s carelessness in covering his digital traces.
Through careful analysis and tracking of Ermakov’s online connections, the ASD suspected that he had used ZServers to store the stolen data. Fuller noted that ZServers’ claim of providing “impenetrable” hosting was, in fact, just marketing fluff. “They were no more secure than other illicit services,” she said.
To track down the criminals, the ASD used not only technical analysis but also linguistics and behavioral profiling. This process took months, but by the end, the agency had a complete understanding of the five men behind ZServers, their vulnerabilities, and where to strike.
ZServers had become a thriving business, raking in over $2 million in revenue in the past year alone by hosting criminal activities, including phishing campaigns, ransomware operations, money laundering, and more. Among its clients were notorious cybercriminal groups like BlackCat and LockBit, the latter known for massive attacks on ports, banks, and global retail chains. If you’ve received a suspicious text message recently, it may have been sent through ZServers.
Despite their illegal activities, the ZServers crew lived openly, flaunting their wealth. Sidorov posted pictures of his speedboat adventures, while Bolshakov frequently shared photos of himself with weapons. Once the ASD had gathered enough intelligence, they decided to act when the criminals were expected to be out drinking, reducing their ability to respond swiftly. The agency deleted the stolen data and, in a coordinated effort with the US and the UK, publicly revealed the identities of the ZServers team, imposing sanctions on them.
While the men face international arrest warrants if they leave Russia, they have not been sanctioned within the country.
Medibank, meanwhile, has been offering support to affected customers and is currently defending itself against a civil claim from Australia’s privacy regulator for failing to protect sensitive data.
Despite ZServers’ belief that they were operating under the radar, the Australian Signals Directorate has taken action, deleting 250 terabytes of stolen data held by bulletproof hosting services. As ASD director-general Abigail Bradshaw explained, it’s crucial to target companies like ZServers that enable online crime, ensuring that the fight against cybercriminals isn’t a game of “whack-a-mole.”
Defense Minister Richard Marles praised the directorate’s efforts, noting that cybercriminals who claim to be anonymous and invulnerable are neither.