Data centre ransomware breach impacts over 200 Indonesian agencies

How did this happen? And could this happen elsewhere?

Photo Credit: Unsplash/Aeira Atelier. South Jakarta City

Why did the cyberattack on Indonesia's national data centre cripple multiple government services?

Indonesia's Temporary National Data Centre (PDN) was compromised by a cyberattack on June 20 that took down government services, including immigration services.

Ransomware attack

In a press conference on June 24, government officials revealed that the PDN was infected by the LockBit 3.0 ransomware.

The outcome was severe and included days-long disruptions to multiple public services in Indonesia.

  • Impacted 230 public agencies, including ministries.
  • Government refused to pay US$8 million ransom.
  • State auditor ordered to examine data centres.

Data not backed up

Some services recovered quickly: auto gates and immigration inspection at 5 checkpoints went down, but immigration was able to restart those services shortly afterwards.

For others, the lack of proper data backups has meant that restoration is proceeding at a snail's pace.

  • Backup facilities were apparently available.
  • But 98% of the data stored in one of the two data centres had never been backed up.
  • This was blamed on budget constraints.

Ransomware 101

Ransomware works by maliciously encrypting data, rendering it inaccessible without the correct decryption key.

This happens very quickly on modern systems: LockBit is among the fastest strains and can encrypt 100,000 files in about 5 minutes, leaving little time to react once encryption starts.

I wrote about ransomware previously.

  • Some ransomware strains deliberately seek out and encrypt or delete backups, so backups that are reachable from the compromised network might or might not have helped. Offline or immutable copies are what survive.
  • Another problem is double extortion: data is stolen before it is encrypted and the attackers threaten to leak it, or they contact the individuals whose data was taken to demand more money.
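The paragraph above describes the behaviour a defender has to catch: a large share of files rewritten, very fast, with content that no longer looks like documents. The following is an added example (not code from the original article) of a minimal detector for that pattern: it snapshots a directory tree, then flags an alert when many files have changed and their new content has near-maximal byte entropy. The sample files, the thresholds and the use of os.urandom() as a stand-in for ciphertext are all constructed for illustration; nothing here is taken from the PDN incident.

```python
"""Toy detector for bulk-encryption behaviour: flag a directory tree when a
large share of its files are rewritten with content that looks encrypted
(near-maximal Shannon entropy per byte).

Added example, not code from the original article. All sample files are
constructed below; os.urandom() stands in for ransomware ciphertext."""
from __future__ import annotations

import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Plain text sits around 4-5 bits/byte; ciphertext (and compressed data) near 8.
ENTROPY_THRESHOLD = 7.5
# One high-entropy rewrite is normal (someone saved a zip); a large share of
# the tree changing that way within one scan interval is not.
RATIO_THRESHOLD = 0.20


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict[str, tuple[str, float]]:
    """Map relative path -> (sha256 hex, entropy) for every regular file under root."""
    snap: dict[str, tuple[str, float]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (
                hashlib.sha256(data).hexdigest(),
                shannon_entropy(data),
            )
    return snap


def detect_mass_encryption(before, after):
    """Compare two snapshots; return (alert, ratio, suspicious_files).

    A file is suspicious when its content changed (or it is new) and the new
    content is high-entropy. The alert fires on the aggregate ratio, so a
    single legitimately compressed file does not trigger it."""
    suspicious = sorted(
        name
        for name, (digest, ent) in after.items()
        if ent >= ENTROPY_THRESHOLD
        and (name not in before or before[name][0] != digest)
    )
    ratio = len(suspicious) / len(after) if after else 0.0
    return ratio >= RATIO_THRESHOLD, ratio, suspicious


def run_demo() -> tuple[bool, float, list[str], int]:
    """Constructed scenario: 10 text documents plus 2 pre-existing archives;
    an attacker-like routine then overwrites 8 documents with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):
            (root / f"report_{i:02d}.txt").write_text(
                f"Quarterly report {i}\n" + "Budget line item: approved.\n" * 50
            )
        for name in ("archive_a.bin", "archive_b.bin"):
            # Already high-entropy before the attack and left untouched by it.
            (root / name).write_bytes(os.urandom(4096))

        before = snapshot(root)
        # Stand-in for in-place encryption: original content replaced by random bytes.
        for i in range(8):
            (root / f"report_{i:02d}.txt").write_bytes(os.urandom(4096))
        after = snapshot(root)

        alert, ratio, suspicious = detect_mass_encryption(before, after)
        return alert, ratio, suspicious, len(after)


if __name__ == "__main__":
    alert, ratio, suspicious, total = run_demo()
    print(f"alert={alert} ratio={ratio:.2f} ({len(suspicious)}/{total} files)")
    print("suspicious:", suspicious)
```

The two untouched archives show the edge case: they are high-entropy but unchanged, so they are never counted, and the alert rests on the fraction of the tree that changed rather than on any one file. Real strains often encrypt only part of each file to go faster, so a production detector would inspect the rewritten region and file rename patterns rather than whole-file entropy, and would run on a schedule measured in seconds given the encryption speeds quoted above.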

An issue of governance

According to Hinsa Siburian, head of Indonesia's national cyber security agency BSSN, the main issues can be attributed to governance and the lack of backups.

Why governance?

This wasn't mentioned in reports but is clear to me: for the ransomware to reach every system in the data centre, it must have come in through an administrator account with access to all of those systems, or the systems were so poorly segmented that one compromised account was as good as access to everything. Either way, that is a governance failure.

It didn't help that Indonesian government systems were centralised in the PDN, so a single mistake by one careless administrator ended up affecting hundreds of millions of people.

Could this happen elsewhere? The confluence of governance issues, pervasive centralisation and a lack of backups needed to produce this outcome suggests that it is unlikely.

However, unlikely is not the same as impossible. For now, this is a sombre reminder that we must constantly be on our guard when it comes to cybersecurity.