Recover PDN with Outdated Backup Data?

JAKARTA - The Indonesian government appears to have become a target for hackers. After data centers of several ministries and institutions were previously suspected of having been leaked, it is now the turn of data from the Ministry of Communication and Information.

The Brain Cipher ransomware group has also claimed responsibility for the attack, and reportedly demanded a ransom of US$8 million or the equivalent of IDR 131 billion.

Comparison of Brain Cipher and a Sample Created by the LockBit 3.0 Builder (Sangfor)

With the large amount of public data managed on its servers, PDN is one of the agencies most exposed to cyber attacks. So must the ransom be paid?

IT expert from Digital Security Indonesia, Didik Irawan, said that following the hackers' wishes was not the only option. He argued that no one had confirmed that the stolen data could be returned perfectly.

Brain Cipher’s Incomplete Leak Site and Communication Page (Spc)

According to Didik, the infiltration of the Temporary PDN by ransomware shows unpreparedness in management and in cyber-security risk management. "The main weakness here actually lies in the Standard Operating Procedures for managing the data center. The absence of regular backups for handling government service data is, in my opinion, quite a joke that will be discussed for a long time in forums and discussions in IT circles," IT expert Didik Irawan told VOI on Monday, 1 July.

Didik said that the most appropriate way to resolve the PDNS problems begins with a comprehensive audit of all cyber governance at PDNS. Next, the audit findings must be remediated (patched); third, cyber governance SOPs must be implemented at PDN using a sound IT governance approach.

"Until now, it is not clear where this ransomware infection came from, whether internally (employee negligence), through internal sabotage (some ransomware offers profit-sharing cooperation to its affiliates), or through external infection, so as a post mortem this incident needs to be made public through a cyber-security investigation," said Didik Irawan.

"To prevent this incident from happening again, both internal and external protection is needed through proper SOP governance, meaning that things like routine backups have become mandatory throughout the entire series of SOP governance," he added.

Government Promises to Restore PDN Services in July

The Coordinating Minister for Political, Legal and Security Affairs, Hadi Tjahjanto, announced that, based on forensic results, there were internal users suspected of being careless with their passwords. This internal party was later blamed for the LockBit 3.0 ransomware attack. His exact words were:

"From the forensic results, we were able to find out which users always used their passwords, and ultimately these very serious problems occurred," said Coordinating Minister for Political, Legal and Security Affairs Hadi Tjahjanto after chairing the Coordination Meeting on Monday, July 2.

Not only that, Hadi Tjahjanto is targeting the restoration of Temporary PDN services by July 2024. He explained that the government's efforts include backing up PDNS 2 with a cold site.

Later, the cold site will be upgraded to a hot site in Batam, a system that manages the use of backup data at that location. Apart from that, the government continues to pursue layered data protection for PDNS 2 with a cloud that is monitored directly by BSSN.

"Every data center owner also has backups, so there are at least three to four layers of backup, and then we will also back up with cloud backup," said Hadi.

The government, he said, requires all ministries, institutions and agencies to back up their data in anticipation of hacking. This is because data in several ministries and agencies could still be recovered after the Temporary PDN hack wherever a backup had been carried out.

If Only It Wasn't In A Hurry

Telematics and Multimedia Observer Roy Suryo said that this carelessness occurred on top of work procedures that did not comply with the standard operating procedures (SOP) that must be followed at PDN. According to Roy, PDN should follow the ISO-27001 and TIER-4 standards according to TIA (Telecommunication Industry Standard)-942 and the IEC (International Electrotechnical Commission), namely Confidentiality, Integrity and Availability.

"It is also a result of 'social engineering' errors which may or may not have occurred to the staff or person in charge of the system at PDNS-2 Surabaya belonging to Telkomsigma," Telematics and Multimedia Observer Roy Suryo told VOI via written message on Tuesday, July 2.

National Data Center (Spc)

Roy also explained, more technically, that carelessness with passwords can arise from many things: not keeping existing user IDs and passwords confidential, logging in as "root" far more often than necessary, forgetting to log out after carrying out maintenance, or indeed being "trapped" by hackers' lures that use games, online gambling or even pornographic sites to make staff careless.

"This method is often used in phishing cases to deceive the brainware element, even though the software and hardware have actually been brought up to certain security standards," said Roy Suryo.

Given the alleged negligence by insiders, Roy asked the government not to deflect attention from a very large disaster onto just one person. He reasoned that, after all, there would have been no such embarrassing and worrying incident had there been no rush.

"I think this leak is due to the pursuit of the completion target for PDN-1 (without 'temporary') in Deltamas Cikarang, which was supposed to be completed in October 2024 but was forced to be finished so it could be inaugurated on August 17, next month," he said.

Roy added that if everything had gone according to the original plan and concept, with four PDNs (1. Deltamas Cikarang, 2. Nongsa Batam, 3. Balikpapan IKN and 4. Labuan Bajo Manggarai), deployment and implementation would of course not have been rushed, and there would have been no need to rent PDNS-1 belonging to Lintasarta in Serpong and PDNS-2 belonging to Telkomsigma, which ultimately had 2% of its data compromised.

"If I'm not mistaken, the rental price reaches hundreds of billions. This is what I always refer to as the need for a Budget Investigative Audit in addition to the IT Forensic Audit, because there could be irregularities due to pursuing something (personal ambition?) that is not clear but actually results in very large losses in the history of data in this republic," he said.

Roy explained that the data lost in the current leak clearly cannot be recovered 100 percent. The reason is that, technically, the only available data backups are held in sub-districts and regional governments, both municipal and regency.

"And we can be sure that the existing data is obsolete (outdated) data. It is outdated by at least the last 1-2 years, from before Presidential Decree No. 82/2023 concerning the Acceleration of Digital Transformation and Integration of National Services, and even Presidential Decree No. 132/2022, which regulates the National Electronic-Based Government System (SPBE) architecture," he said.

"Because the Presidential Decree which regulates SDI (One Indonesian Data), apart from ordering the integration of data into PDN, also prohibits the allocation of regional servers, including in budgeting. In other words, the losses resulting from the paralysis of PDNS-2 are truly huge," he concluded.

Hacker's "Flattery" for Indonesia

Data from several other agencies in Indonesia is also suspected of having been leaked, including the Strategic Intelligence Agency (BAIS), POLRI's Indonesian Automatic Fingerprint Identification System (INAFIS), BPJS Employment, and many more. The hackers then announced their ransom demand to the government via the official Brain Cipher website.

Brain Cipher Optional Configurations

Cyber observer Alfons Tanujaya has also confirmed that the announcement shared on the official Brain Cipher website is genuine.

"Brain Cipher issued a statement on its website, which we can access, and that is the official website; we have checked that it is correct," said Alfons in his statement on Tuesday, July 2.

However, Alfons warned the government and all parties involved not to be quickly lulled by these promises. According to him, there is no definite date for when the key will be handed over.

Based on his observations, Brain Cipher only states a number of days and does not reveal the date on which the decryption key will be provided. So it cannot be guaranteed that the key will be handed over on Wednesday, July 3.