In a concerning development, Indonesia’s Temporary National Data Centre (PDNS) has been under siege by a ransomware attack for the past week, prompting the National Cyber and Encryption Agency (BSSN) to launch an intensive response. BSSN Chief Hinsa Siburian revealed that the perpetrators are believed to have used a new variant of ransomware to target the government servers, which manage data for ministries, institutions, and regional governments nationwide.
“We can confirm that the incident at the temporary data centre is a cyber attack in the form of ransomware known as Brain Cipher,” Hinsa stated following a press conference at the Ministry of Communication and Information Technology on Monday, June 24, 2024.
Hinsa explained that the BSSN’s forensic team was able to identify the type of ransomware after examining several data samples. “This knowledge is crucial for us to anticipate similar attacks in other areas,” he said. “We will promptly share this information with other institutions and colleagues as a lesson learned for mitigating potential future incidents.”
Attack Started on June 17
BSSN spokesperson Ariandi Putra stated that disruptions to the PDNS began on June 17. “The BSSN discovered attempts to disable the Windows Defender security feature starting from June 17, 2024, at 11:15 PM WIB, which allowed the malicious activity to proceed,” Ariandi said in a statement on Monday, June 24, 2024.
Ariandi explained that the ransomware worked by disabling Windows Defender to allow the installation of harmful files on the system. The ransomware then began to infiltrate on June 17, and suspicious activity was detected on June 20, 2024, at 12:54 AM.
This suspicious activity included allowing malicious files to be installed on the system, deleting important files, and shutting down running services. Files related to storage, such as VSS, Hyper V Volume, VirtualDisk, and Veaam vPower NFS, were disabled and could not function.
“Specifically, Windows Defender was successfully disabled on June 20, 2024, at 12:55 AM, rendering it inoperable,” Ariandi stated.
Ransomware Attack Confirmed
The cyber incident targeting the PDNS has been confirmed as a ransomware attack using a variant of LockBit 3.0. Hinsa noted that this type of ransomware is constantly being developed by hackers, and the variant used in this attack is new to Indonesia.
“Currently, the BSSN, the Ministry of Communication and Information Technology, the Cybercrime Unit of the National Police, and Telkom Sigma are continuing to investigate the forensic evidence thoroughly,” Hinsa said at the Ministry of Communication and Information Technology building.
“We have identified the type of attack, and our task is to resolve it. The latest report indicates that immigration services, which were affected, are now operating normally,” Hinsa clarified.
The LockBit 3.0 ransomware is not a new topic in Indonesia’s cyber landscape. According to a report in Koran Tempo on May 17 of the previous year, the LockBit 3.0 hacker group claimed to have carried out a ransomware attack on Bank Syariah Indonesia (BSI).
LockBit is known as an active and dangerous hacker group, believed to operate in Eastern Europe. Several large companies in various countries have fallen victim to their ransomware attacks, including the major French defence company Thales Group.
210 Institutions Affected
The Director General of Informatics Applications at the Ministry of Communication and Information Technology, Semuel Abrijani Pangerapan, revealed that the cyber attack on the PDNS server affected 210 central and regional institutions in Indonesia.
“We are currently migrating the data. This process could be expedited with better coordination between tenants and service providers,” Semuel said at the Ministry of Communication and Information Technology office in Central Jakarta on Monday, June 24, 2024.
Some institutions have already resumed operations, including the Directorate General of Immigration at the Ministry of Law and Human Rights and the Coordinating Ministry for Maritime Affairs and Investment. “The city of Kediri is also back online, and others are in the process of recovery,” Semuel added.
Semuel acknowledged that the cyber attack on the PDNS has disrupted public services, with the Directorate General of Immigration being the most affected due to its direct interaction with the public. “There were 210 institutions affected, and the details are extensive. The Ministry of Public Works and Housing was also hit and is currently undergoing data migration,” he said.
Hackers Demand Rp131 Billion Ransom
The perpetrators of the attack are reported to have demanded a ransom of USD 8 million, or approximately Rp131 billion at the exchange rate of Rp16,399, from the Indonesian government. The hackers stated that this amount was the ransom for the return of 210 data sets.
“There is indeed a path to their website. We are following their demand for a ransom of USD 8 million,” said the Director of Network and IT Solutions at Telkom Sigma, Herlan Wijanarko, at the Ministry of Communication and Information Technology office in Central Jakarta on Monday, June 24, 2023.
Deputy Minister of Communication, Nezar Patria, indicated that the perpetrators are likely from abroad. Nezar has not confirmed whether the government will comply with the USD 8 million payment demand.
“Not yet. We are currently focusing on isolating the affected data,” he said. Nezar stated that there is no threat of data deletion at this time. “It’s just that some data has been encrypted, so we cannot access it,” he explained.
Impact on Businesses and Data Safety
The attack has raised concerns about the safety of data held by Indonesian businesses and individuals. Companies are advised to review their cybersecurity measures and ensure they have robust backups in place. Individuals should be vigilant about phishing scams and avoid clicking on suspicious links or attachments.
The attack on the national data centre is a stark reminder of the growing threat of cybercrime. It highlights the need for increased investment in cybersecurity and the importance of international cooperation in tackling this global issue.
