Ransomware Attack on National Data Center Paralyzes Hundreds of Government Agencies
Indonesia’s digital transformation journey to centralize thousands of public services has hit a snag. A ransomware attack on a major data center has paralyzed hundreds of government agencies and raised questions about the government’s ability to protect citizens’ data security and privacy.
The government said Monday that cybercriminals launched a ransomware attack on a major state-owned data center and successfully encrypted stored data. The attack affected hundreds of government services, including immigration processing, and resulted in long lines at Jakarta International Airport over the weekend.
The data center, known as the Temporary National Data Center or PDNS 2, plays a critical role in the government’s e-governance initiative, which aims to integrate all central and state digital services into a unified system designed to enhance interoperability and speed up service delivery.
Critics including Wahyudi Djafar, executive director at the Jakarta-based Institute for Policy Research and Advocacy, locally known as ELSAM, said the attack shows the government should have performed a security assessment of the national data centers and that, since an incident has occurred, it should ensure regular security monitoring and audits to anticipate future risks and threats.
“Accountability for resolving this incident will greatly determine the continuation of the digital transformation process of government services, especially with regard to public trust, related to the processing of citizens’ personal data, which will be the basis for providing public services,” Djafar said. “Resolving this incident will also be an important factor influencing the operationalization of PDN infrastructure, which is currently being built by the government.”
The Ministry of Communication and Information Technology in a partnership with IT services company Telkomsigma operates two national data centers in Tangerang and Surabaya and a reserve data center in Batam that hosts data backups. The government plans to open another hyperscale national data center in Cikarang, West Java, in September to integrate data from as many as 2,700 smaller data centers and servers.
Indonesia’s national cybersecurity agency, BSSN, said Monday that a ransomware group named “Brain Cipher” used a LockBit 3.0 variant on June 20 to target the national data center in Surabaya and encrypted all hosted data.
A forensic analysis of the incident revealed that the threat actors began probing the data center’s systems on June 17 and, over the next three days, disabled Windows Defender and critical storage files before deploying the ransomware.
Deputy Minister of Communication and Information Technology Nezar Patria said the ransomware actors encrypted all the data hosted in the data center, forcing authorities to begin restoration efforts and secure several ministries and institutions that had backup servers. IT personnel from the ministry used the backup data center in Batam to begin restoration efforts.
According to the ministry, the compromised data center hosts as many as 285 government ministries, agencies and departments. By Wednesday, authorities succeeded in restoring only three services – immigration, event licensing services and a government portal for procuring goods and services. Semuel A. Pangerapan, director general of application and informatics at the ministry, said efforts are underway to restore the remaining 282 PDNS 2 tenants.
“We must not lose, or we must not back down just because of this incident. Of course, we have to learn a lot; we have to create a system that covers all possibilities of the same incidents happening again,” Patria said. Minister of Communication and Information Technology Budi Arie Setiadi said the ransomware group demanded an $8 million ransom in exchange for a decryption key.
The ransomware incident casts a shadow over the government’s recent push to transform digitized public services by integrating tens of thousands of government applications into a handful of super applications (see: Indonesia to Create ‘Super Apps’ to Run Government Services).
President Joko Widodo in May directed key ministries to stop releasing new applications and integrate data from over 27,000 central and state agencies into nine super apps designed to integrate data and services related to education, health, social assistance, digital payments, digital identity, online driver’s licenses, crowd permits and state apparatus services.
Andang Nugroho, president of ISC2’s Jakarta chapter, told Information Security Media Group that the planned integration of government digital services is a welcome move as a highly siloed approach in the past prevented interoperability and complicated data governance. But even highly structured government platforms have gaping security holes that urgently need to be fixed, he said.
He said the LKPP, a single-window government portal to centralize procurement, was important to the government’s e-governance initiative but faltered as a result of the ransomware attack. The government plans to use three or four modern data centers to host data for the entire population but must raise the stakes to keep them secure from attacks.
Nugroho said the government chose state-owned technology company Peruri to develop and administer the nine super applications, but he believes the work is outside of the agency’s core competence. Peruri is the official Indonesian printer and minter of bank notes and also prints secure documents such as bank checks, passports, postage stamps, certificates and identity cards.
Nugroho said the government must find ways to quickly shore up its pool of cybersecurity personnel to monitor and secure high-risk data centers, applications and other digital assets. Indonesia suffers from a critical lack of cybersecurity personnel. Nugroho said in October that the country had fewer than 150 CISSP- and CSSP-certified cybersecurity leaders across government and private sectors.
Indonesian authorities said the ransomware attack is a solitary incident and that they take stringent measures to secure government applications and data from unauthorized access. “Indeed, this incident always happens. In this world, it always happens. Therefore, we will strengthen our efforts to protect the confidentiality of the state, society and public services so that they are not disturbed,” said Vice President K.H. Ma’ruf Amin.
Local daily The Jakarta Post reported Wednesday that threat actors allegedly stole data records from the National Police’s Automatic Fingerprint Identification System and put them up for sale on a dark web portal. BSSN said the data breach possibly involved old police data but did not say if it was connected to the ransomware attack on the Surabaya data center.
In May 2023, the LockBit ransomware group stole about 1.5 terabytes of data, including personal and financial information of about 15 million customers and employees, from Bank Syariah Indonesia, the country’s largest Islamic bank. The group later published the stolen data on a dark web site (see: LockBit Leaks 1.5TB of Data Stolen From Indonesia’s BSI Bank).
Government Needs Accountability
Frequent cyberattacks targeting government and financial institutions over the past year coincided with the government enacting its first personal data protection law to make businesses comply with globally accepted data privacy and protection rules and to streamline cross-border data transfers.
Experts believe the new data protection law was a step in the right direction but the government must take steps to ensure regulatory compliance and place a premium on the security and privacy of citizens’ data.
Though the government promptly disclosed the security incident and detailed the nature of the attack and its restoration efforts, Djafar of ELSAM said the government must comply with the Personal Data Protection Law and immediately notify the public about the security failures that led to the incident, the volume of citizens’ personal data accessed by third parties, and efforts to handle and recover from the incident.
He said BSSN must carry out comprehensive cybersecurity audits of vital information infrastructure that host and process strategic data and citizens’ personal data, and the Ministry of Communication and Information Technology must fulfill its obligation under the PDP Law to provide data subjects with the details of the incident.
“The government guarantees that there is an effective recovery mechanism for the public regarding cybersecurity incidents that occur, including those related to failures in protecting personal data, as well as failures in providing public services,” Djafar said.