
Indonesian National Data Center Hit by Cyber Attack, Disrupting Government Services

A severe cyber attack on Indonesia’s national data center disrupted government services over the weekend, with the heaviest impact on the country’s airports and ferry terminals, including passport verification systems.

The attackers appear to be affiliates of the LockBit ransomware gang and demanded a payment of $8 million. The government does not appear to have paid, but has gradually restored services, at times with substantial delays for travelers.

National data center outages caused long queues at immigration desks and ferry terminals

The majority of the passengers moving through customs and immigration at Indonesia’s airports use automated passport checking kiosks, which were shut down temporarily by the cyber attack. This caused long lines at immigration desks as travelers had to have their passports manually checked to move forward. Ferries in the country also saw lines that lasted for hours as computer booking systems were inoperable and employees were reduced to using pen and paper.

In total, the cyber attack impacted about 200 government agencies at both the national and regional levels. Travel and immigration saw the most dramatic impacts, but also received priority attention and have largely been restored at this point. Other services, such as financial licensing and student registration, may be out for a longer period of time, as the national data center appears to be bringing systems back online without the aid of a decryption key or any cooperation from the attackers. PT Telkom Indonesia’s director of network & IT solutions, Herlan Wijanarko, also commented that the government is attempting to break the encryption the attackers placed on its devices.

The national data center that was attacked is a temporary facility meant to be used only until the completion of a high security center in Cikarang, West Java that is presently under construction. That facility will carry a Tier IV rating and be the most secure in the country when it is operational.

It remains unclear whether any personal data was compromised in the cyber attack. The public has reason for concern, however, after more than a year of major data breaches, beginning with a compromise of the official Covid-19 contact-tracing app in 2022 and continuing through a hack of the General Elections Commission’s database in late 2023.

Cyber attacks continue to haunt Indonesia

The attack on the national data center extends a chain of serious breaches that has surfaced roughly every six months, typically involving the leak of millions of records of sensitive citizen data. It is also the second strike of this type by LockBit, which was responsible for an attack on Bank Syariah Indonesia (BSI) a little over a year ago that leaked 15 million customer records. The 2022 breach of the Covid contact-tracing app leaked at least 1.3 million records.

LockBit 3.0, also known as “LockBit Black,” has been in use since mid-2022. A major campaign was observed unfolding in April, however, in which the ransomware was mass-mailed to millions of targets seemingly indiscriminately. That is not in keeping with its usual deployment by LockBit affiliates, who tend to target specific businesses in the hope of million-dollar payouts. Security researchers believe that a leaked 2023 build of LockBit 3.0 is now being deployed by another actor using the Phorpiex botnet. The variant used against Indonesia’s national data center is called “Brain Cipher,” a very new version of LockBit 3.0 that remains under the control of the gang.

This is not to say that the LockBit gang has been less active, however. The group has soared back into world news headlines by claiming to have hacked the US Federal Reserve, capturing 33 terabytes of data and threatening to leak “banking secrets” if negotiations were not started by June 25. LockBit has yet to provide any real proof of this cyber attack, however, and the Federal Reserve and FBI have yet to make any public comment. LockBit has a long history of credible attacks, but security researchers have noted that it has had an unusual amount of recycled and fake information on its leak site as of late.

Communications ministry official Semuel Abrijani Pangerapan said that the national data center attack is still being investigated and that a digital forensics team has been brought in, but more details about how the attack unfolded will have to wait. As the South China Morning Post noted, it is relatively rare for the Indonesian government to publicly admit that a damaging cyber attack has taken place. Security researchers have noted that the hackers have already begun offering some components of the stolen data for sale on the dark web, most notably police biometric data from the Automatic Fingerprint Identification System (offered for $1,000). A spokesperson for the country’s cybersecurity agency claimed that this data was outdated.

Anne Cutler, cybersecurity expert at Keeper Security, notes that human error is the most likely explanation for the data breach: “Although the investigation is still underway into how threat actors were able to successfully deploy the LockBit ransomware, human error remains a significant weakness for organisations, with the majority of breaches involving stolen credentials, phishing attacks, misuse or simple user error. When it comes to cybersecurity, organisations cannot afford to lose focus, as Keeper Security’s 2024 Future of Defence Report found an overwhelming 92% of IT and security leaders have seen an increase in cyber attacks year-over-year. No matter how a threat actor accesses a network, the next step is to make sure they are unable to go any further. That’s why organisations of all sizes should implement a zero-trust architecture with least-privilege access, ensuring employees only have access to what they need to do their jobs. Additionally, organisations should have security event monitoring in place. Privileged access management software can aid in controlling privileged accounts and sessions, managing secrets and handling employee passwords. By integrating a zero-trust framework within their network infrastructure, government leaders can better identify and react to cyber attacks and minimise potential damage.”

Kelvin Lim, Senior Director, Security Engineering, Synopsys Software Integrity Group, adds: “Threat actors using LockBit frequently use a double-extortion strategy in which they encrypt victims’ data and demand payment in exchange for not revealing the stolen information on their data leak site (DLS). The usual payment requirements for victims are twofold: one for the decryption of their data and another to stop the leakage of their private data. In addition, LockBit threat actors occasionally also deploy a third extortion approach called distributed denial-of-service (DDoS) operations, which target victims’ computers and increase the pressure to pay the ransom. The victims of ransomware attacks are advised against paying the ransom, as paying the ransom does not ensure that threat actors won’t release your data or that the data will be decrypted. Threat actors can also consider you a soft target and launch another attack in the future. The victim should instead focus their resources on recovery from the attack and improving their cyber security posture against future attacks.”