JAKARTA – An advanced persistent threat (APT) group known as HoneyMyte, also called Mustang Panda, has attacked various sites in a number of Southeast Asian countries. Now it has also entered Indonesia. The website of the State Intelligence Agency (BIN) was targeted by the group, which reportedly uses Chinese as its main language of communication.

The Indonesian National Police (Polri) has coordinated with the Ministry of Communication and Information (Kominfo) to investigate the alleged data breach of 10 ministries and institutions by hackers from mainland Asia.

"Yes, it is coordinated with the ministry," said the Head of the Public Relations Division of the National Police, Inspector General Raden Prabowo Argo Yuwono, to the media on Monday, September 13, 2021.

Argo has not explained in more detail whether the Indonesian National Police has mitigated the alleged data breaches at ten ministries and institutions. For now, the matter is only at the communication stage. "Coordinated," he said.

The Insikt Group report, as quoted by The Record on Sunday, September 12, 2021, said that BIN and 9 other Indonesian government ministries/agencies had been infiltrated by hackers said to be from China.

Mustang Panda is known as a hacker group from China that habitually carries out spying activities on the internet. Apart from Indonesia, Myanmar and the Philippines are now also targets of its operations.

According to Kaspersky observers, the group usually gets into a system via spear-phishing emails containing a Dropbox download link. Once the link is clicked, it downloads a RAR archive that is disguised as a Word document and contains a malicious payload.

Once downloaded onto the system, the malware tries to infect other hosts by spreading via removable USB drives. If a drive is found, the malware creates a hidden directory on it and moves all of the victim's files there, along with the malicious executable.
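As an added illustration (not code from Kaspersky, Insikt Group, or this article), a defender triaging a removable drive could look for the layout described above: a hidden top-level folder that holds an executable together with most of the drive's documents. The extension lists, the 50% threshold, the treatment of dot-prefixed folders as hidden on non-Windows systems, and all sample file names are assumptions made for this sketch.

```python
import stat
import tempfile
from pathlib import Path

EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat"}
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg"}

def is_hidden(path: Path) -> bool:
    # Windows: hidden file attribute. Elsewhere (assumption): dot-prefixed name.
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")

def files_under(folder: Path) -> list:
    return [p for p in folder.rglob("*") if p.is_file()]

def triage_drive(root, min_share: float = 0.5) -> list:
    """Flag hidden top-level folders holding executables plus most of the drive's documents."""
    root = Path(root)
    all_docs = [p for p in files_under(root) if p.suffix.lower() in DOC_EXT]
    findings = []
    for folder in sorted(p for p in root.iterdir() if p.is_dir() and is_hidden(p)):
        inside = files_under(folder)
        exes = sorted(p.name for p in inside if p.suffix.lower() in EXEC_EXT)
        docs = [p for p in inside if p.suffix.lower() in DOC_EXT]
        share = len(docs) / len(all_docs) if all_docs else 0.0
        # Heuristic: executables sitting next to the bulk of the user's files.
        if exes and share >= min_share:
            findings.append({"folder": folder.name, "executables": exes,
                             "doc_share": round(share, 2)})
    return findings

def build_sample_drive(root: Path, infected: bool) -> Path:
    # Constructed layout for the demo; every name here is made up.
    target = root / ".cache" if infected else root
    target.mkdir(parents=True, exist_ok=True)
    for name in ["report.docx", "budget.xlsx", "photo.jpg"]:
        (target / name).write_text("sample")
    if infected:
        (target / "viewer.exe").write_bytes(b"MZ")
    (root / "readme.txt").write_text("sample")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        drive = build_sample_drive(Path(tmp) / "usb", infected=True)
        for hit in triage_drive(drive):
            print(hit)
```

A hit is a lead for manual review, not a verdict: legitimate hidden folders can also contain executables, which is why the check requires that most of the drive's documents sit in the same folder.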

Kaspersky experts also assess with high confidence that the activities of LuminousMoth are closely linked to the HoneyMyte threat group, a long-established Chinese-speaking hacker group.

Meanwhile, according to Insikt Group, Mustang Panda has been carrying out hacking activities since April 2021. Insikt Group researchers detected the PlugX malware command and control (C&C) server, operated by the Mustang Panda group, communicating with hosts on the Indonesian government network.

"These communications were later traced back to at least March. The point of intrusion and the method of delivery of the malware remains unclear," the Insikt Group report said.

Insikt Group researchers also notified Indonesian authorities about the infiltration in June-July 2021. However, Indonesian officials, according to Insikt Group, did not respond to the report.

BIN, the most sensitive target in the case, also did not respond to requests for comment sent by The Record in July and August 2021.

However, a source told Insikt Group that the related parties have taken a number of steps to identify and clean up the systems that were hacked earlier.

A few days after the information from the source emerged, though, Insikt Group researchers believed they could still detect that the previously breached internal network was connected to the Mustang Panda server.
