Indonesia’s national data center has been compromised by a cyber attack, with the hackers asking for an $8 million ransom to bring systems back online.
The attack, which began last Thursday, continues to disrupt services for over 200 government agencies at both the national and regional levels, according to Samuel Abrijani Pangerapan, the director general of informatics applications with the Communications and Informatics Ministry.
Some government services have returned – including immigration services at airports and across the country – but efforts continue at restoring other services such as investment licensing, Pangerapan revealed on Monday.
The attackers have also held data hostage and demanded a $8 million ransom in exchange for key access a key for access. But the Indonesian government has refused to pay.
In a statement on Monday, Communication and Informatics Minister Budi Arie Setiadi told journalists that the government won’t pay the ransom.
“We have tried our best to carry out recovery while the National Cyber and Crypto Agency is currently carrying out forensics,” Setiadi added.
Pratama Persadha, Indonesia’s Cybersecurity Research Institute chairman, said the cyber attack was the most severe in a series of ransomware attacks that have hit Indonesian government agencies and companies since 2017.
“The disruption to the national data center and the days-long needed to recover the system means this ransomware attack was extraordinary,” Persadha said. “It shows that our cyber infrastructure and its server systems were not being handled well.”
LockBit detected in Indonesia data center cyber attack
Indonesia’s PT Telkom is working in collaboration with authorities at home and abroad to investigate and try to break the encryption that has made that data inaccessible.
The National Cyber and Crypto Agency, one of the agencies they are working with, said they had detected samples of the Lockbit 3.0 ransomware.
However, this does not confirm that the ransomware gang is behind the attack. According to Kelvin Lim, senior director at the Synopsys Software Integrity Group, a number of threat actors use the leaked LockBit 3.0 builder and claim it as their own.
"Threat actors using LockBit frequently use a double-extortion strategy in which they encrypt victims' data and demand payment in exchange for not revealing the stolen information on their data leak site (DLS).
“The usual payment requirements for victims are twofold: one for the decryption of their data and another to stop the leakage of their private data.”
LockBit was one of the most prolific hacker groups before the police shut down its extortion site in February. Just three months later, the cybercriminals appeared to have resurrected it, and have spent the months since engaging in PR and damage control.
“If it was the LockBit ransomware group, the attack could be another way of showing the group’s strength in the hope of maintaining the confidence of affiliates,” Suzan Sakarya, Senior Manager, of EMEIA Security Strategy at the cybersecurity firm Jamf, told EM360Tech.
“Indonesia has confirmed they won’t pay the $8 million, which is extremely positive,” she added. “Ransom payments are the lifeblood of groups such as LockBit, and how they fund future criminal activity. If they fail to gain a payment, their attack has ultimately failed.”
Critical infrastructure under attack
This is not the first time Indonesia’s national infrastructure has been targeted in a cyber attack. The country’s national data centre was previously attacked by ransomware in 2022 – but public services were not affected by that attack
The ministry’s COVID-19 app was also hacked in 2021, exposing the personal data and health status of 1.3 million people.
"Ransomware attacks can be devastating to a company or in this case a government agency. With systems inaccessible, critical government functions can be impacted which will in turn cause problems for citizens and users of those systems," said Thomas Richards, principal consultant at the Synopsys Software Integrity Group.
"LockBit is a very well-known cyber criminal organization that has been launching attacks against large business and governments, the new variant of their malware may make it difficult for incident responders to save the data if the ransom is not paid,” he added.
Anne Cutler, Cybersecurity Expert at Keeper Security, warned that the Indonesia national data center cyber attack was a stark reminder of protecting critical infrastructure from malicious actors.
"Protecting critical infrastructure from cyberattacks is as important as protecting it from physical attacks because the consequences can be equally disastrous. The recent cyber attack on Indonesia's national data centre serves as a reminder of this reality, Culter told EM360Tech.
“This attack may not only have potentially compromised sensitive government data but also put national security at risk.
“The tangible impact was evident, disrupting airport operations and highlighting how cyber attacks on critical infrastructure can have immediate and significant consequences for Indonesians,” added Cutler.
