Resty Woro Yuniar – In a rare admission, Indonesian authorities revealed that last week's catastrophic collapse of the country's immigration system was caused by hackers using new ransomware to attack a critical data centre.
The latest cyberattack, which crippled immigration services for days, has sparked calls for the government to be held accountable, with one expert questioning the safety of citizens' personal data processed by the state.
The hackers being the attack had issued a US$8 million ransom demand to return control of the servers to the Indonesian government, but communications and informatics minister Budi Arie Setiadi vowed "we will never pay".
His ministry confirmed that the attacks had disrupted services at 210 state institutions nationwide – though they declined to name the affected organisations.
Ariandi Putra, spokesman for the National Cyber and Crypto Agency, or BSSN, said in a statement on Tuesday that the attack was first detected on June 17 when the agency received a notification about "attempts to shut down Windows Defender" – pre-installed security software that helps identify viruses, spyware, and other malware.
Cyberattacks and massive data breaches are all too common in Indonesia, but critics argue that authorities routinely stay tight-lipped about such breaches in a bid to reassure the public that their personal information is safe.
On Monday, BSSN head Hinsa Siburian admitted that Indonesians' personal data "has been decrypted [by the hackers], so they're actually not safe".
Indonesia's immigration system and other public services became paralysed on Thursday morning by the cyberattacks on the Temporary National Data Centre facility in Surabaya.
People complained social media platform X about long queues at airport immigration desks as officials resorted to manually checking passenger passports.
"The immigration system is still down, a timely reminder why I will probably go mad if I have to deal with the Indonesian government on all aspects of my life," X user Septian Hartono said on Friday.
By Monday, the system was gradually being restored, according to Minister of Law and Human Rights Yasonna Laoly who said data was being moved to cloud storage run by Amazon Web Services.
"We were forced to migrate [the data to] AWS. This is an emergency solution as we are waiting for the restoration of the [National Data Centre]," he said.
Immigration services like passport issuance and visa processing had resumed normal operations as of Monday. However, other public systems, such as the electronic procurement registry and online enrolment for college tuition aid, reportedly remained inaccessible.
'State failure'
The cyberattack, which included "installing malicious files, deleting important file systems, and disabling running services" began at 00.54am on Thursday, BSSN Ariandi spokesman said on Tuesday.
The agency later discovered a file in its system called Brain Ciper Ransomware – a new mutation of the aggressive ransomware LockBit 3.0.
The eponymous LockBit 3.0 ransomware is commonly attributed to the ransomware group LockBit Gang, which is a cross-border, financially motivated collective that has routinely targeted Indonesia in 2023, according to Singapore-based cybersecurity firm Ensign InfoSecurity.
Security software firm Symantec said the group behind Brain Cipher employs double extortion, which involves exfiltrating sensitive data and encrypting it.
The sensitive data allegedly accessed by the attackers includes the Indonesia Automatic Fingerprint Identification System maintained by the country's police. This compromised data has been offered for sale on the data leak site BreachForums since June 22 for US$1,000, according to technology security firm Falcon Feeds, which monitors hacker forums.
BSSN spokesman Hinsa confirmed the authenticity of the biometric leak, but said the information being sold "was old data".
Wahyudi Djafar, executive director at the Jakarta-based Institute for Policy Research and Advocacy, said the incident had highlighted "the state's failure to protect citizens' personal data".
"Public trust in the government's plans for digital transformation of government services will decrease drastically," he said. "There is a possibility that the public will be afraid if their personal data is collected by state institutions. There is no guarantee of security for data processed by the government."
Wahyudi also questioned whether the Indonesian government had learned from past attacks and data breaches, as this was not the first time that public state bodies had been targeted by hackers.
"In almost all attacks that occur, there has never been a complete investigation and the government has never provided an accountable report to the public. We are also pessimistic that in this case we will have a complete investigation," he said.
On social media, Indonesians demanded accountability for the cyberattacks against a national data centre.
"Once again, the national data centre being breached by ransomware is a big scandal. The officials responsible must step down. Should we pay US$8 million? Just because we pay it does not necessarily mean that a decryptor is provided," Yanuar Nugroho said on X.
Another user, kogoromilenial, lamented that if Indonesia was "a proper country, cyberattacks like this ... [would be] considered a matter of state sovereignty and at least the relevant minister will be fired, or they will resign".
For now, BSSN spokesman Ariandi said it was examining the ransomware sample, "so we can form a mitigation plan to prevent similar incidents in the future".
The facility in Surabaya that was targeted by hackers is being used by the Indonesian government in an interim arrangement until the construction of a permanent data centre in the city of Cikarang, West Java is completed in August.
The Cikarang data centre, which carries a price tag of US$176.7 million and is primarily being funded by the French government, is a Tier IV facility – the most complex and robust of the four data centre tiers. It is being built to be completely fault-tolerant, with an expected annual downtime of only 26.3 minutes.