Crippling Attack In The Middle Of The Night, Country Is In Danger

Photo Illustration by Andry Winarko VOI

JAKARTA - A cyber attack on the temporary National Data Center (PDNS) 2 based in Surabaya on June 20 2024 has paralyzed the public service system in a number of government agencies and institutions. The impact of the attack was first felt by immigration services at international airports throughout Indonesia.

National Data Center (Spc)

Initially, immigration suspected that the disruption to the immigration system was due to technical and network problems. It was discovered that access to services for the crossing suddenly could not be opened either by immigration officers or by passengers who wanted to access national immigration data. Immigration services such as making passports and others on that day suddenly stopped. Likewise, the airport crossing inspection service was not functioning, resulting in a buildup of passengers at a number of airports.

According to Silmy Karim, Director General of Immigration, his party admitted that they received a report that there was a disruption to the immigration service system, on Thursday morning at 4.30 WIB. Initially, the party suspected that the disturbance was technical and network related. His party contacted the Immigration IT Technical Directorate to handle this problem. According to him, immigration is a government institution that relies heavily on technology and has been transformed using digital technology. So all services rely on technology, if there is a disruption the migration service is immediately paralyzed.

Situation at Soetta Airport (Antara)

However, until 06.00 am Silmy, who checked with PDN, where the immigration service data system has been united under one roof in the National Data Center, there had been no confirmation. So he started ordering his officers to temporarily use manual services to serve passengers who had started to pile up at a number of airports, especially international airports which started their activities early in the morning. "To encourage the smoothness of manual services, I deployed helpers," said Silmy to journalists. at a press conference in Jakarta.

However, after 6 hours straight, there was still no improvement. There's also no information whatsoever. Later, PDN information was obtained from the National Data Center), there was a cyber attack at the National Data Center on a server in Surabaya, and this information was also obtained at the lower officer level. There is no official information from authorized officials yet. It is known that Indonesia currently has servers for the National Data Center in several locations. Apart from Surabaya, there is also one in Batam. Meanwhile two more in Karawang and at IKN are still under construction. So it was confirmed that there was interference with the national data system, on Thursday afternoon.

In the end, Silmy decided, with the permission of the Minister of Law and Human Rights as his superior, to migrate his data by renting a server elsewhere.

Silmy considers that immigration services cannot wait, especially crossing services. He understands very well that Ransome is a type of attack that requires a lot of time to repair. So he decided to immediately move the immigration service server to another location. Incidentally, the Director General of Immigration still has back up data in the immigration data center from the Immigration Data Center (Pusdakim) which they previously owned.

That is why the Director General of Immigration was the agency that recovered most quickly when PDN was paralyzed by hacker attacks. Where the results of the forensic audit recently revealed that PDN was attacked by Brain Chiper Ransome type malware which is still a malware derivative of Loc Bit 3.0.

Repeated Warnings That Weren't Heeded

According to the spokesperson for the National Cyber ​​and Crypto Agency (BSSN) Ariandi Putra, PDN stored on the Temporary PDN Server in Surabaya was confirmed to have experienced and been attacked by hackers on June 20 morning, at around 00.45 WIB. By Brain Chiper Ransome type malware which is the latest derivative of Loc bit 3.0.

Ariandi explained that from the results of the BSSN forensic audit, it was known that based on the timeline of the cyber attack, it started on June 17. There had been an attempt to deactivate the window defender installed on the server at PDN 2 Surabaya. Furthermore, on June 20 at 00.54 WIB, malicious activity was discovered entering the server system, there was an attempt to delete important data, followed by the failure of a number of important files.

At that time it was discovered that the Ransome attack had begun to infect a number of data, that's when the Ransomware attack was suspected to have entered. According to Ariandi, important files were deleted in the process. This was the starting point before the ransomware finally paralyzed by locking/encrypting several systems on the temporary PDN server in Surabaya.

One of the services that uses this National Data Center and was the first to report the Data Center not functioning was immigration. Because they use the data facility almost 24 hours.

According to Cyber ​​Security and Communications expert from CISSReC, Pratama Persada, ransomware is a weapon system used by hackers to attack cyberspace. The loc bit 3.0 group called Brain Chiper is said to be the latest variant of malware, which is resistant and has adapted to antivirus. It turns out that Brain Chiver also cannot be detected by antivirus/antimalware so it can enter without being detected. When entering, it is destructive if it enters the computer system, everything is encrypted, their encryption is classified as very high.

This type of loc bit is very productive in carrying out piracy in various bona fide entities, both business entities, especially large companies and other entities, such as governments. Recently they have been fond of attacking government entities with quite high ransom demands in crypto currency.

Brain Chiper Ransome, a new Ransome that encrypts the victim's files and will ask for ransom, in the form of bitcoin. In the case of the hacking of the National Data Center, the hackers demanded a ransom of US$ 8 million, or the equivalent of 131 billion (exchange rate 16,457), Minister of Communication and Information Budi Ari admitted to journalists. However, until yesterday the Ministry of Communication and Information refused to provide the ransom.

From information from many sources, it is known that this type of Ransome has been traced to many cases of attacks, including in March 2024 they stole data from the company Crinetics Pharmaceuticals, demanding a ransom of 4 million US dollars. In October 2023 Brain chipper Ransomware also stole 1.13 terabytes of data belonging to Oe Federal Credit Union, detected by the Noescape group. In February 2023 Chiper Ramsower stole personal data belonging to Virginia Union University students and alumni.

lock bit 3.0 (Spc)

Ransomware variant Lock Bit 3.0. is suspected to be ransomware which was the perpetrator of the data breach of 1.5 TB of customer data at Bank Syariah Indonesia (BSI), including 15 million user data and passwords for internal access and services, in May last year. Ransome is thought to come from a group from eastern Europe, and the former Soviet Republic and Russia.

The Lock Bit ransomware, formerly known as the “ABCD” ransomware, was detected as active in September 2019. They operate in the United States, China, India, Indonesia and Ukraine as well as in countries throughout Europe including France, England and Germany. They are recorded as having attacked the Argentine electricity company Albanesi Group, a chemical business owned by SRF and more than 200 CEFCO stores in the southern states of the United States.

According to Sukamta, a member of Commission III of the DPR from the PKS faction, said this cyber attack was a national disaster. "This is not the first case and we have been warned many times, including by the party who would carry out the attack. We have heard rumors from various parties that there will be an attack by various parties, but there has been no anticipatory effort from the Indonesian government," said Sukamta, to the media.

Minister of Communication and Information, Budi Ari, in a working meeting before members of Commission III of the DPR explained the consequences of the cyber attack on PDN Temporary 2, saying that a total of 239 agencies and institutions were affected; with details of 30 ministries/institutions, 15 provincial governments, 158 district governments, 48 ​​city governments.

Meanwhile, only 48 agencies/institutions and regional governments were declared unaffected. Meanwhile, the institutions that were declared to have recovered from the incident were: Director General of Immigration and the city of Kediri, Ministry of Maritime Affairs and Fisheries and Ministry of Religion. However, 200 agencies declared their data lost or damaged, only 44 agencies could recover it. Minister of Communication and Information Budi Ari targets that by mid-August 2024, PDN is expected to recover.

In the Temporary PDN hacking case, Digital Forensics Expert, Rubi Alamsyah, assessed that there were two errors in the management of the PDN. First, there is no security monitoring optimization, so there is undetected intrusion and data locking. Second, there is no backup system, it seems PDNS is not secure by design.

However, Ruby Alamsyah still believes that the perpetrators do not have the data in PDN, according to him, it seems that the perpetrators have not had time to copy the data, so it is suspected that they do not have the data. We hope that the perpetrator only locked and encrypted and did not have time to copy the data. "Because data of that size requires quite a long time to move it, but the concept is only to hold the data hostage/lock it. It is thought that the perpetrators only sent the malware randomly to various places, whoever opened the email/web got the virus infection."

According to Rubi, up to this moment he is still confident that the data was not accessed by the perpetrator. Rubi, who has handled many cases of victims of Ransome malware attacks, can understand the behavior of cybercrime. So far they have been honest, if they are redeemed then they are lucky, or if not, they will release the data.

data center (antara)

A Number of Public Services Affected

However, even though there is no willingness to pay the ransom to the hacker, the community certainly suffered losses from the attack. One of the services that is certain to be disrupted is the Ministry of Education, Culture, Research and Technology (Kemendikbud Ristek). The Integrated Services Unit (ULT) of the Ministry of Education and Culture, Research and Technology, on its official Instagram @ult.kemdikbud stated that 47 Kemendikbudristek service domains were affected by PDN disruption, including the Electronic Procurement System (SPSE).

Other services at the Ministry of Education and Culture, Research and Technology have had problems, such as the loss of data for around 800 thousand KIPK recipients, because there was no backup. BPI (Indonesian Education Scholarship) registration was forced to be postponed: while the schedule for starting study abroad was not postponed. Indonesian Education Scholarship, it is possible for scholarship recipients to be late in disbursement, this is very disturbing for students who live abroad with living costs several times higher, then disbursement is late,

The impact was also felt on the Srikandi service for national archiving which is known to still not be accessible. And New Student Admissions (PPDB) data services in various regions are still disrupted

This impact is not only on institutional agencies, the Ministry as tenants who are victims of hacking by this ransome. The impact of the hack also had an impact on the position of related institutions such as Kominfo and BSSN, which is also the president's concern. So the president asked BPKP to immediately conduct an audit of PDN management.