Hundreds of Government agencies in Indonesia have been disrupted after the hacking group LockBit used an advanced piece of malicious software called LockBit 3.0 to breach the country's cyber defences.
Immigration checkpoints stopped working and manual checks had to be undertaken, leading to long queues at airports across the nation. The head of the Immigration service moved its data centre operations to a private cloud server after the system went down.
“Generally, technical problems can be resolved in a matter of one to three hours. When it exceeded six hours, we concluded that there must be something bigger than just technical problems, maybe caused by cyberattacks,” said Silmy Karim, Director-General of Immigration.
The Head of the National Cyber and Crypto Agency, Hinsa Siburian, held a press conference on 24 June to discuss the attack and its repercussions.
“We are still investigating the forensic evidence obtained … this will be a lesson for us to strengthen mitigation so that similar incidents do not recur in the future,” said Siburian.
Soon after the attack, the cyber criminals demanded a £6.3 million ($8 million) ransom in return for the stolen data. The Indonesian Government refused to pay the ransom, and efforts are now being made to decrypt the locked data. While some services have returned to normal, such as airport immigration, others remain impacted.
This is far from the first successful cyberattack on Indonesia, with a number of hackers targeting the country over the past few years. In 2022, ransomware attackers targeted the country’s central bank; however, no public services were impacted.
The year before, personal health information from 1.3 million people was exposed due to a weakness in the Indonesian health ministry’s COVID phone application. Some leading cybersecurity experts in Indonesia have called for more comprehensive cybersecurity systems to be put in place to ensure this form of attack does not happen again.
Who is LockBit?
LockBit operates on a ransomware-as-a-service business model. It sells its malicious software to affiliates, enabling them to execute cyberattacks.
The group is also responsible for the malware of the same name. LockBit attackers typically threaten organisations with operational disruption, extortion, data theft and illegal publication of the stolen data.
“LockBit is a very well known cyber criminal organisation that has been launching attacks against large businesses and governments; the new variant of their malware may make it difficult for incident responders to save the data if the ransom is not paid,” said Thomas Richards, Principal Consultant at application security testing company Synopsys Software Integrity Group.
In February, LockBit was disrupted by the UK’s National Crime Agency (NCA) along with the Federal Bureau of Investigation (FBI), and Europol.
Operation Cronos resulted in the NCA seizing control of LockBit’s main administration platform, ‘compromising their entire criminal enterprise’. Affiliates utilise this platform to coordinate attacks and manage their dark web leak site, where they threaten to publish stolen data. Later that month, LockBit said it had restored its servers and was back online.
In November, LockBit was suspected to be behind an attack on ICBC Financial Services critical systems, including corporate email and trading platforms.
Protecting Critical Infrastructure
Anne Cutler, Cybersecurity Expert at password management company, Keeper Security, said ‘protecting critical infrastructure from cyberattacks is as important as protecting it from physical attacks, because the consequences can be equally disastrous’.
“The recent cyber attack on Indonesia’s national data centre serves as a reminder of this reality. This attack may not only have potentially compromised sensitive Government data, but also put national security at risk,” added Cutler.
Cutler highlighted that human error remains a significant weakness for organisations, with the majority of breaches involving stolen credentials, phishing attacks, misuse, or simple user error.
Cutler stressed that organisations should adopt a zero-trust architecture with least-privilege access. This ensures employees only access what is necessary for their roles. Security event monitoring should also be implemented, together with privileged access management (PAM) software, to help control accounts, manage secrets, and handle employee passwords effectively.
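To make the two recommendations above concrete, here is an added example (written for this article, not code from Keeper Security, the Indonesian Government or any product named on the page) of what least-privilege access and security event monitoring look like in practice. It assumes a small role-based policy with default deny, and a monitor that flags any account repeatedly attempting privileged actions outside its role; the role names, resources, actions and log lines are all constructed for the illustration.

```python
"""
Least-privilege access check (default deny) plus a simple security event
monitor over access-log lines. Added illustration; roles, resources,
actions and log lines are constructed, not taken from any real system.
"""
from collections import Counter

# Role -> set of (resource, action) pairs the role is allowed to perform.
# Anything not listed is denied, so an account reaches only what its role needs.
ROLE_PERMISSIONS = {
    "immigration-officer": {("passport-db", "read"), ("queue", "update")},
    "db-admin": {("passport-db", "read"), ("passport-db", "backup"),
                 ("passport-db", "restore")},
    "auditor": {("audit-log", "read")},
}

# Actions that a privileged access management tool would gate and audit.
PRIVILEGED_ACTIONS = {"backup", "restore", "delete", "grant"}


def is_allowed(role, resource, action):
    """Default-deny check: the permission must be explicitly granted to the role."""
    return (resource, action) in ROLE_PERMISSIONS.get(role, set())


def parse_log(lines):
    """Parse constructed access-log lines: '<timestamp> <user> <role> <resource> <action>'.
    Malformed lines are skipped rather than guessed at."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, resource, action = parts
        events.append({"ts": ts, "user": user, "role": role,
                       "resource": resource, "action": action})
    return events


def evaluate(events):
    """Apply the policy to every event and keep the decision as an audit trail."""
    return [{**ev, "allowed": is_allowed(ev["role"], ev["resource"], ev["action"])}
            for ev in events]


def flag_suspicious(decisions, threshold=3):
    """Security event monitoring: return accounts with at least `threshold`
    denied attempts at privileged actions, which is a typical early sign of
    a compromised or misused account."""
    denied = Counter()
    for d in decisions:
        if not d["allowed"] and d["action"] in PRIVILEGED_ACTIONS:
            denied[d["user"]] += 1
    return sorted(user for user, n in denied.items() if n >= threshold)


# Constructed sample log: alice (an ordinary officer) repeatedly tries
# privileged database operations; bob is an admin with one stray attempt.
SAMPLE_LOG = [
    "2024-06-20T08:00:01 alice immigration-officer passport-db read",
    "2024-06-20T08:00:05 alice immigration-officer passport-db restore",
    "2024-06-20T08:00:09 alice immigration-officer passport-db delete",
    "2024-06-20T08:00:12 alice immigration-officer audit-log read",
    "2024-06-20T08:00:15 alice immigration-officer passport-db backup",
    "2024-06-20T08:01:00 bob db-admin passport-db backup",
    "2024-06-20T08:01:30 bob db-admin audit-log delete",
    "2024-06-20T08:02:00 carol auditor audit-log read",
    "this line is malformed and is skipped",
]


def run_demo(lines=SAMPLE_LOG):
    """Evaluate the sample log and return (decisions, flagged accounts)."""
    decisions = evaluate(parse_log(lines))
    return decisions, flag_suspicious(decisions)


if __name__ == "__main__":
    decisions, flagged = run_demo()
    for d in decisions:
        verdict = "ALLOW" if d["allowed"] else "DENY "
        print(f"{verdict} {d['ts']} {d['user']:6} {d['resource']}:{d['action']}")
    print("accounts to investigate:", flagged)
```

The policy table is the least-privilege part: an immigration officer's role simply has no entry for backup, restore or delete on the passport database, so those requests are refused without any special-casing. The monitor is the security event part: a single denial is noise, but several denied privileged attempts from one account in a short window is the kind of signal a PAM or SIEM rule would raise for an analyst.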
“By integrating a zero-trust framework within their network infrastructure, government leaders can better identify and react to cyber attacks and minimise potential damage,” said Cutler.