Exclusive: Siberian nightlife has its opportunities.

Just ask Australian cyber-spies, who used a vodka-soaked night in a seedy bar to smash a multi-million-dollar business run by dodgy Russians warehousing stolen data.

It wasn’t just any old data, mind you.

It was a treasure trove of the most sensitive information for millions of Australians that had been pilfered from private health insurer Medibank Private in August 2022.

All 520 gigabytes of it: names, birth dates, addresses, phone numbers, email, Medicare numbers, passport details and extremely personal health information in 9.7 million records; a wealth of blackmail material to be exploited.

And there it was, sitting on servers operated by five Russians in the obscure industrial town of Barnaul on the West Siberian Plain, three hours’ drive from the Kazakhstan border, just waiting for a willing buyer.

Cyber spies with the Australian Signals Directorate already knew who had stolen the Medibank data.

His name is Aleksandr Ermakov, a Moscow-based hacker who has since been arrested by Russian authorities for other crimes.

But the biggest task for ASD was to identify where on Earth Ermakov was keeping it.

“A lot of people think that (cybercrime) is always just one guy in a hoodie in a basement,” says Georgina Fuller, ASD’s director of counter-cybercrime.

“They don’t realise that these kinds of actors are actually supported by a really thriving ecosystem of illicit businesses that are set up to enable them to commit their crime.”

Thankfully, Ermakov had been a bit sloppy with his tradecraft.

Like any money-hungry criminal who’d had a few lucrative successes, he had become arrogant, even cocksure, that he wouldn’t be caught.

He thought he was too good.

But ASD triangulated his various aliases on the dark web and his connections.

This, in turn, led the Canberra-based agency to suspect Ermakov had contracted a Barnaul company called ZServers to store the Medibank data.

Indeed, ZServers was already on the radar of Australia’s Five Eyes intelligence partners for having some grubby customers.

It claimed to have been operating since 2011 and offered various hosting services to the cybercriminal underworld, including “Brute” for forced entry into secure systems, “Scan” for assessing vulnerabilities and “Cracking Allowed”, for penetration and theft.

Its marketing was successful too, judging by the voluminous amounts of cryptocurrency sloshing its way.

Aleksandr Bolshakov, 30, was the boss, the ASD ascertained.

He had two lieutenants, Aleksandr Mishin, also 30, and Ilya Sidorov, 32.

Moscow-based hacker Aleksandr Bolshakov is the alleged boss of the cyber-gang. (Supplied Nine)
Aleksandr Mishin (left) and Ilya Sidorov (right), the alleged lieutenants for Bolshakov. (Nine)

Completing ZServers’ five-member team were Igor Odintsov, 30, and Bolshakov’s younger brother Dmitriy, a gun-loving 23-year-old weightlifter who appeared to offer more brawn than brains to the shady operation.

ZServers’ boast was that its data storage was impenetrable to law enforcement.

That’s not uncommon for businesses on the dark side of the internet claiming to be a “Bulletproof Hosting Provider”.

“It’s only marketing. They’re no more secure than any other service that’s operating in this illicit environment,” Fuller said.

Fuller’s team began to meticulously study the five Russians, using cyberintelligence analysts to prod and probe the company’s systems, while linguists and behavioural psychologists worked together to profile the players.

Dmitriy Bolshakov, younger brother of Aleksandr Bolshakov, pictured left. (Supplied Nine)
Igor Odintsov, the alleged fifth member of the cyber-gang. (Supplied Nine)

The ASD wanted to learn everything about the Russians’ relationships and their social and work networks, gradually unpicking how ZServers operated as a unit and as a business.

“That process takes weeks, months, and in this case, sometimes years,” Fuller said.

“But the point is that by the end of it, we’re very, very certain that we’ve got the right people, and we understand everything about them.

“We know where their weak points are, we know where they’re most vulnerable.

“Our goal here is to understand where they’re vulnerable, what they like to do, how they like to live, in order for us to best match our disruption effort (and) what’s going to hit them the hardest.”

The Bolshakov brothers and their three criminal mates had turned ZServers into a millionaires’ factory.

In the past year alone, the company generated $2 million in revenue, hosting all sorts of cybercrime activity, including phishing campaigns, ransomware, money laundering and criminal communications.

Among its customers have been the BlackCat ransomware group and malware maker LockBit.

If you have received a dodgy text message in the past couple of years, there’s a fair chance it has been sent via the Russian computer servers in a place called Barnaul, which is closer to Mongolia, China and the Kazakh capital Astana than it is to Moscow.

If there was a crooked dollar to be made, ZServers would likely be involved.

But here’s the thing about cybercrooks: as much as they like to make money, they like to spend it too.

Intelligence officials said all five members of the cybergang had one downfall: overconfidence. (Nine)

“Well, they don’t call it ‘shyber’ crime,” Fuller explained.

“They live openly and out there. They’re making their profits, and they’re living a really good life in Russia.

“They like to go to places that are warm, and they like to have a good time.

“They’re buying new toys, boats, all sorts of things, and all of it’s based on the profits of cybercrime.”

The ZServer gang is no different.

Over the years they’ve flaunted their wealth.

Sidorov bought a fast boat or two and posted pictures of skiing and outdoor adventure; Dmitriy Bolshakov, the wannabe standover man, posed with weaponry.

But all five gang members had a weakness: overconfidence.

And why not? Their business was geared at being under the radar.

Even for the most egregious and daring hack like the Medibank plunder, ZServers only charged $US50 a month for a dedicated server.

That’s peanuts for a criminal outfit hoping to extract millions of dollars in blackmail.

A screenshot of an alleged customer’s interactions on the server. (Nine)

So-called “Bulletproof Hosters” make their money in volume, not big-ticket clients.

No wonder they believed they’d get away with it: rather than risk a lot of money at any one time, the business model was to take relatively little, but many times over.

“They think that they’re invulnerable,” Fuller said.

“They think that this business won’t be looked at because it’s two steps, three steps removed from the actual crime.”

ASD Director-General Abigail Bradshaw said ZServers are the enablers for myriad cybercrimes; take them out and hundreds of criminals are taken down with them.

“In order to make sure that we’re not playing a game of Whack-a-Mole, we’re actually moving up into the critical infrastructure,” Bradshaw said.

“We’ve been on the tail of what we call bulletproof hosters for some time now, studying how these operators operate.

“They offer two things: anonymity and the notion that they are somehow bulletproof to law enforcement or other intelligence agencies.

“If they are ‘bulletproof’, ASD is their kryptonite.”

Having studied the Barnaul gang, ASD learned a lot about their social habits.

And the agency decided to strike when the five Russians were expected to be out boozing.

ASD cut off the Russians’ access to their cloud and hard servers and set about deleting the data.

ZServers is just one of ASD’s offensive cyber targets.

“Over the last 12 months, our operators have been busy on a variety of bulletproof hosters,” Bradshaw said.

“We have deleted around 250 terabytes of information that’s been stolen from Australian networks, from the United States, from the United Kingdom, from victims all over the world.”

Their anonymity blown by a painstaking two-and-a-half year ASD operation, the five Russians and their company have been slapped with international sanctions.

They risk arrest if they travel abroad and their ability to operate online has been significantly impaired.

Defence Minister Richard Marles said the ability to destroy stolen data on ZServers’ systems was critical because it prevented the data’s proliferation, marketing and monetisation on the black market.

“These actors market themselves on the basis of being both anonymous and bulletproof, and they are neither,” Marles said.

“Alexander Bolshakov is now out in the public along with his four associates, and everyone now knows that ZServers is the enabler for the attacks.

“That’s because of the incredible work that’s been done by ASD, but in combination with our partners at NSA in America and the GCHQ in the UK.”

Fuller said cybercriminals would be surprised by ASD’s extraordinary skills.

Asked if she believes the Russians know they’ve been caught, she said: “I reckon they know now, and I’m looking forward to their reaction.”
