Ransomware attack behind massive disruption in Indonesia’s national data centre

The data failure at the facility in Surabaya, East Java, was first reported on Thursday, June 20, and impacted databases managed by more than 200 central government and regional institutions.

Ruth Dea Juwita and Radhiyya Indra

The Jakarta Post

Thematic image. Last week's breach at the National Data Center disrupted immigration processing and other public services. PHOTO: UNSPLASH

June 25, 2024

JAKARTA – The government announced on Monday that a cyberattack using a new variant of ransomware was responsible for data disruptions at two temporary National Data Center (PDN) facilities last week that crippled immigration processing at airports and disrupted other public services, adding that the attackers had demanded US$8 million in ransom.

The data failure at the facility in Surabaya, East Java, was first reported on Thursday morning and impacted databases managed by more than 200 central government and regional institutions.

As of Monday, the government was still trying to restore the affected public services across the country, although all immigration services, including passport and visa-on-arrival processing, were running normally.

National Cyber and Crypto Agency (BSSN) head Hinsa Siburian said digital forensic investigators found that unnamed attackers had used a new variant of the existing malicious software LockBit 3.0.

“The ransomware’s name is Brain Cipher. It is an updated, new variant of the LockBit 3.0 ransomware,” Hinsa told a press briefing on Monday at the Communications and Information Ministry.

LockBit 3.0 is ransomware that blocks user access to computer systems and is often used by hacker group LockBit to digitally extort its victims.

Many of the details of the case remain uncertain, including who was responsible for the attack and what the motives were.

The Communications and Information Ministry has been temporarily storing data at the two facilities in Surabaya and Jakarta while new data centers are being built to integrate data from government bodies at the central and regional levels. The temporary facilities are operated by Telkomsigma, a subsidiary of publicly listed state-owned telecommunications company PT Telkom Indonesia.

The attackers, Telkom director for network and IT solutions Herlan Wijanarko said, had asked for $8 million in ransom.

But the ministry’s informatics applications director general, Semuel Abrijani Pangerapan, said the government “cannot reveal much about the case because the forensic investigation is not finished yet”.

While he did not say whether the cyberattack was connected to another alleged data breach targeting state-owned sharia bank Bank Syariah Indonesia (BSI) last year, Semuel noted that the ransomware used in the two incidents was “similar but different in terms of variants”.

The LockBit group claimed at the time to have stolen the BSI data using LockBit 3.0.

The Thursday incident also happened around the same time the BSSN found that data, allegedly stolen from the National Police’s Indonesia Automatic Fingerprint Identification System (INAFIS), was being offered for sale on the dark web.

But the BSSN said the fingerprint data incident had nothing to do with the cyberattack on the national data center and that the police had determined that there had been no breach in their system.

Concerns remain

A total of 210 databases of central and regional government agencies were impacted by the attack, including the immigration system at Soekarno-Hatta International Airport in Tangerang, Banten, which went down on Thursday, forcing immigration officers to perform manual checks and resulting in long waits for travelers.

Immigration and the Maritime Affairs and Investment Ministry had restored their services by Monday. The system for the city of Kediri was also back online, Semuel said, but plenty of others were still in the recovery process.

“We’re in the process of migrating data for the remaining affected institutions. The recovery process hinges on swift coordination between government agencies and their cloud service providers,” he said.

Cybersecurity expert Ardi Sutedja said the government had failed to ensure the highest security standards for national digital infrastructure.

“Seeing the incident’s scale, this is not just a technical disruption anymore, it’s a massive disaster,” Ardi told The Jakarta Post.

He said the days-long recovery was a cause for concern because a standard recovery for a digital incident should be no more than 24 hours.

“Many aspects need to be evaluated, from the planning of the national data center to its human resources,” he said.
