‘I think Indonesia’s cybersecurity is run by 14-year olds’: Hackers

September 2, 2022

JAKARTA – Hackers behind recent data breaches disclose their modus operandi and goals.

Data breaches have been recurring events in Indonesia over the past few years, with the private data of millions of internet users being leaked again and again, whether from government institutions or private corporations.

The most recent breaches were revealed in an online forum called breached.to, where millions of data entries were either sold or distributed for free within a short span of under three weeks from Aug. 15 to 31.

“Indonesia’s cybersecurity is really awful, I think it’s run by 14-year-olds,” said Xerxes (a pseudonym), one of the hackers who claimed to come from Europe.

The 21-year-old hacker said he had cracked the security of an unknown trading and business-to-business (B2B) marketplace platform, from which he stole nearly 500,000 users’ data, and more than 1 million company user databases and documents.

Based on IBM’s Threat Intelligence Index 2022, ransomware accounted for 21 percent of total attacks in 2021 and Interpol ranked Indonesia first in Southeast Asia with 1.3 million cases of ransomware, according to the ASEAN Cyberthreat Assessment in 2021.

Xerxes revealed that he undertook the hacking of a few Indonesian companies (that he declined to disclose) last December and discovered the vulnerability by accident, from whence he managed to gain direct access to the Structured Query Language (SQL) of the sites.

Another incognito hacker who claimed to come from the United States and communicated using the nickname “gimmci”, said “I saw many vulnerabilities in Indonesian sites. […] I’m not saying it’s [that] weak, but, in fact, even government sites can still be hacked,” gimmci said.

The 19-year-old hacker did not disclose which specific sites he hacked, but gimmci claimed that he was holding more than 130,000 Indonesian databases consisting of ID card photos, family card pictures, tax IDs and much more, which he garnered illegally from a job-hunting platform.

While no one has been able to confirm the validity of the claims, Pei Yuen Wong, CTO of IBM Security ASEANZK (Australia, Southeast Asia, New Zealand and Korea), said the leaked data gimmci was selling looked legitimate.

“The hacker was able to list examples and details of the fields in the databases, so it is quite likely that the data is valid,” Wong said.

“I’m doing dorking and just adding Indonesian domains,” gimmci said, referring to Google dorking, a hacking method using Google search techniques to map out information that is not available in public search results.

Gimmci told the Post that he managed to crack the security of the particular platform simply by uploading malware known as “webshell” in image form to gain remote access points to the site before executing a database dump, and he claimed this method worked for some Indonesian government websites as effectively.

In that regard, Wong explained that instead of using a browser to access a website, hackers typically use various hacking tools to scan targeted websites for vulnerabilities before injecting them with webshell.

“When any such vulnerabilities are discovered, [a hacker] uses what is known as webshell to gain backdoor access directly to the web server software as if the hacker is a legitimate system administrator of the website. Acting as a system administrator, the hacker can then download entire databases of customers’ data and transfer these databases to their own PCs connected to the web server,” said Wong.

“My motivation is money, of course. This is not the only job I do, but I love this job, it’s a hobby for me. I usually only sell the data of Indonesia and [similar] tier 2 and tier 3 countries, and the people who buy [the data] often use them to defraud the people involved in the leak,” Xerxes said.

Confirming what Xerxes said, Wong said selling data to criminals for illegal purposes did happen, sometimes leaving the victim company unaware of the breach.

“Some hackers will inform the victim company in question to extort a ransom payment, without which they then proceed to sell the data away. […] Unfortunately, when a breach like this happens, especially if they were conducted by unscrupulous hackers, the company would be at the mercy of the hackers regardless of whether they pay or not, as some hackers aim to maximize the profit,” Wong said.

Wong explained that in the cybercriminal underground habitat, there is a “vibrant ecosystem of perpetrators who play different roles,” including, but not limited to, hackers, sellers, researchers and human resource personnel whose role is to find skilled people to join the ranks of hackers.

Gimmci revealed that hacking was also his main line of work, as his professional day job is in the cybersecurity sector, while Xerxes, on the other hand, did not reveal his occupation.

“I’ve breached a lot of data in the past and about three of them have been talked about a lot. I don’t want to give details about [those three because] I don’t want them to remember me again. I usually use tier 1 [countries such as] USA, United Kingdom, Germany and France data because these people’s money is valuable and I sell the data,” Xerxes said.

“I think people like me have an important place in the ecosystem of the digital world. After all, without [hackers] like me, cybersecurity professionals can’t make money, right? Think about it,” he added.

The recent alleged data leaks from breached.to were of great magnitude as they involved many major organizations such as PLN, IndiHome, Gojek, Sinarmas, at least five government institutions, 21,700 Indonesian and foreign companies operating in Indonesia, and, allegedly, 1.3 billion phone and ID numbers from the Communications and Information Ministry database.

“Our investigation shows that there was no IndiHome customer data breach, and we have reported this to [the Communications and Information Ministry]. We guarantee that all of our customers’ data are secured and safeguarded by integrated cybersecurity in accordance with the laws and regulations in place,” Pujo Pramono, vice president of corporate communications at Telkom Indonesia, told the Post on Aug. 24.

While Sinarmas and PLN did not reply when asked for comment, Telkom claimed that the data from the IndiHome breach was invalid as it was fabricated by the seller of the leak. Meanwhile, Gojek said the leak allegation was false.

“Our information security team in parallel with our data protection officer immediately conducted an in-depth security check following first reports of a leak and no evidence of a leak was found. Allegations of a data leak on our system are wholly unsubstantiated,” said Audrey Petriny, Gojek’s deputy chief corporate affairs.

“Every electronic service provider [ESP] is responsible for guaranteeing private data protection. For that, every ESP must have a technology system that can stand against cyberattacks,” Communications and Information Minister Johnny G. Plate told the Post, responding to the hackers’ claims.

The National Cyber and Crypto Agency (BSSN) claimed in an official letter to the Post that it was building a cybersecurity ecosystem based on three aspects: “people, process and technology”.

The agency said it would establish what it called a National Security Operation Center (NSOC) to “conduct 24-hour surveillance to identify potential threats, as well as set up a Computer Security Incident Response Team (CSRIT) to respond to and handle any cyber incidents”.

As reported by the Post, the forum threads on the Gojek and PLN leaks have been taken down by the creators themselves due to unknown reasons. However, breached.to’s owner (who asked not to be identified), explained there were two main reasons as to why a thread creator would take down a post.

“Both [Gojek and PLN] posts were deleted by the original creators, I assume because they sold it. I’m not sure if they sold it, but they did delete the threads themselves. The only other time people delete a post is because they don’t want to sell it anymore,” they explained.