Criminals have attacked a national Indonesian data centre, causing major disruptions to public services and holding the country’s government to a $12 million ($US8 million) ransom.

Indonesian news agency Antara first reported an issue at the ‘Temporary National Data Centre 2’ (known as PDNS 2) on Monday after major disruptions to the nation’s immigration services.

As queues piled up at airport arrival and departure gates over the weekend, government officials identified an underlying “disruption” at PDNS 2 and scrambled to “prevent wider impacts” while gradually restoring components of the immigration system over two days.

At first the data centre disruption was described as a vague “technical problem”, but by Monday the Indonesian government confirmed it was caused by a ransomware-related cyber attack.

“We are thoroughly investigating the forensic evidence obtained with all the limitations of the evidence,” said Hinsa Siburian, head of Indonesia’s National Cyber and Crypto Agency (BSSN).

According to Antara, Siburian noted the “evidence is encrypted”, likely referring to data which has been impacted by the ransomware attack.

Some 56 ministries and institutions in Indonesia have used PDNS 2 (according to data from 2021), including the country’s agency for national disaster management, its ministries for economy and home affairs, and its national border management agency.

The Law and Human Rights Ministry, which handles immigration services, said it first attempted to restore the services at the temporary data centre by using backup data from the original data centre in Batam Island.

The ministry noted services were impacted at immigration offices, passport service units, “work units” and checkpoints at airports and ports – seemingly between 20 June and 24 June – while lasting issues were also reported for student admissions.

To pay or not to pay?

Budi Arie Setiadi, Indonesia’s Minister of Communication and Informatics, said the “ransomware virus attack” at PDNS 2 was still being evaluated, with the country’s primary cyber security agency, BSSN, conducting forensics.

Setiadi explained the hackers were demanding a ransom, though the government was staunchly refusing to comply.

“We will not [pay],” said Setiadi.

Siburian meanwhile explained the attackers used the “latest development of the LockBit 3.0 ransomware”, a ransomware strain which typically sees hackers encrypt a victim’s data, then both threaten to leak it and offer to decrypt it while demanding a payment.

Thomas Richards, principal security consultant at Synopsys Software Integrity Group, said refusing to pay a ransom could make it more difficult for incident responders to save any impacted data.

“Ransomware attacks can be devastating to a company, or in this case a government agency,” said Richards.

“With systems inaccessible, critical government functions can be impacted which will in turn cause problems for citizens and users of those systems.”

On the other hand, Synopsys senior director of security engineering, Kelvin Lim, said paying the ransom “does not ensure that threat actors won't release your data or that the data will be decrypted”.

“Threat actors can also consider you as a soft target and launch another attack in the future,” said Lim.

“The victim should instead focus their resources on recovery from the attack and improving their cyber security posture against future attacks.”

Setiadi did not comment on how much data had been compromised, though he reportedly offered assurance that the Indonesian government would continue to protect public data.

Semuel Abrijani Pangerapan from the Ministry of Communication and Informatics said his ministry had “succeeded in carrying out quarantine or isolation in the infected areas”.

New ‘Brain Cipher’ criminals start big

According to cyber security analyst Dominic Alvieri, the data centre attack can be attributed to ‘Brain Cipher’, a newly emerged ransom gang which reportedly uses phishing as the lead-in to its ransomware attacks.

The group has been widely misreported as the latest iteration of LockBit — the popular Russia-linked ransom gang which last year hit leading UK mail delivery service, Royal Mail — but no known connections have been made between LockBit and Brain Cipher’s current members.

Instead, Brain Cipher is one of many ransom gangs to make use of LockBit’s proprietary ransomware, in this case using the gang’s most recent variant, version 3.0, to carry out its attack against Indonesia’s PDNS 2.