Friday, July 12, 2024 | 21:46 WIB

Indonesia’s National Data Center Breach


PDN imposed a nationwide lockdown affecting 282 institutions,
causing disruption of immigration services in processing visa, passports, and residence permits

Jakarta, IO – The Immigration Directorate General’s IT systems at the Soekarno-Hatta International Airport were disrupted on Thursday (20/6), an occurrence which resulted in passengers being struck in long lines, as they could not clear Immigration. According to a post on the agency’s social media page, the disruption was caused by malfunctioning server at the National Data Center (PDN). This affected not only the immigration office at the airport, but all immigration offices across Indonesia. 

As we all know, PDN is a critical data infrastructure used by all government agencies. Thus, problems like this should not have happened. PDN should be protected by multi-layered security measures in the form of redundancy, both in terms of hardware such as servers and storage media, electricity supply from several different substations as well as uninterruptible power supply (UPS) and a reliable continuous internet connection from several independent internet service providers (ISP). 

Because PDN is currently in development, the Government is using a temporary National Data Center (PDNS) located in two cities. The one in Jakarta (PDNS 1) uses infrastructure owned by PT Indosat’s subsidiary Lintasartha while the one in Surabaya (PDNS 2) is powered by PT Telkom Indonesia. The immigration chaos was caused by disruption at PDNS 2. It also threw into disarray the tender process at the Institution for the Procurement of Government Goods and Services (LKPP). The scale and severity of the attack was only known later, when it was revealed that it impacted as many as 282 other government agencies at central and regional levels. It was the worst cyberattack experienced by the country in years. 

From the beginning, the Communication and Information System Security Research Center (CISSReC) hypothesized that the disruption was a ransomware attack like the one suffered by Bank Syariah Indonesia (BSI) last year, considering the “symptoms” of the disruption were almost the same, namely, a long downtime. This was based on information received that the problem originated with PDNS 2, which is classified as Tier 4 (highest performance, experiencing the least downtime) because it has backup in terms of power supply, cooling system, internet connection, servers, etc. With so many backup systems, Tier 4 data center can provide a Service Lever Agreement (SLA) of 99.995 percent, or only 4 hours of tolerable disruption per year. If the problem faced by PDN is a technical problem, it would not take that long. Electricity supply problems can be resolved immediately by switching over to a supply from another substation or a generator for temporary supply. Likewise, if the problem is an internet connection, such as a damaged fiber optic cable, it can still be resolved quickly using a point-to-point (PtP) radio system, which has a large bandwidth and does not take long to install. If it was hit by DDoS attack, the response time required should not be that long, because it can be easily resolved using anti-DDoS tools and a request to the ISP to increase bandwidth capacity. 

press conference
Communications and Information Deputy Minister Nezar Patria alongside National Cyber and Encryption Agency (BSSN) head Hinsa Siburia during a press briefing at the Communications and Information Ministry (Kominfo) following the ransomware attack on the National Data Center (PDN) server, Jakarta (24/6). (Source: KOMINFO.GO.ID)

Our hypothesis was confirmed when Immigration Director general Silmy Karim, in a TV interview, revealed that the immigration system stored at PDN was caused by a ransomware attack, but he was still reluctant to disclose the source of the information because it came from an internal official meeting. He only asked the public to wait for official information from the Government 

The Government held a press conference on Monday (24/6), explaining what had happened four days after the incident. The press briefing was presided over by National Cyber and Encryption Agency (BSSN) chief Hinsa Siburian. He explained that the disruption to the PDN system was caused by a ransomware attack called Brain Cipher, which is a variant or derivative of the Lockbit 3.0 ransomware that previously attacked BSI. The hackers demanded US$8 million (Rp131 billion) ransom to restore the data that had been locked out. 

The Government’s slow response was regrettable. According to the Personal Data Protection (PDP) Law for Electronic-Based Government System (SPBE), it should have announced it within three days, especially since the incident could have potentially caused personal data leaks. Even though it has yet to be confirmed that no data ends up on dark web leak sites, at least the Communications and Information Ministry (Kominfo) should have announced what happened to the public and why service recovery from government agencies that use PDN took so long. 

On a separate occasion, Communications and Information Minister Budi Arie Setiadi unequivocally stated that the Government would not pay the ransom. When faced with a ransomware attack, paying the ransom is never the best solution, because it is not guaranteed that the hackers will give the key to unlock the encrypted files: sometimes they do not even have the key, because they take advantage of existing ransomware and modify it to create a new variant which they themselves cannot access. In addition, after the ransom is paid, there is possibility that they will ask for more money to buy back the data they stole before they encrypted the existing files. Making ransom payments will also create a precedent that will further motivate hackers to carry out similar attacks, because of the financial incentive. This will only lead to more attacks and more ransomware variants. There is no guarantee that the hackers will not attack again, especially if they are successful in creating a back door in the system that they have successfully hacked before. 

On the other hand, if the ransom is not paid, the Government will not get the key to open the encrypted files, although there are several ways to restore data, from backing up digital data that is still stored by the institutions. For example, the Immigration Directorate General managed to restore services using backup data that is stored on their server in Batam. The next method is to re-enter data that was originally stored in PDN using hardcopy data that is still stored by the institutions, although this method certainly takes a long time, especially if the size of the data is large, but this is a possibility. The most difficult option is to carry out cryptanalysis of encrypted files and look for password combinations, although this will require skill, time and large computing resources. 

Budi Arie Setiadi and BSSN Chief Hinsa Siburian
Communications and Information Minister Budi Arie Setiadi and BSSN Chief Hinsa Siburian in a hearing with House Committee I at Parliament, Senayan, South Jakarta (27/6). (Source: DPR RI)

At a working meeting with the House Committee I on Thursday (27/6), Budi and Hinsa presented the results from the digital forensics and explained the PDN design. According to the No. 1 officials at Kominfo and BSSN, PDN will be ideal if the implementation and management are done in accordance with its original design, which includes replication (information sharing) between PDNS 1 and PDNS 2 as well as a backup process from each PDNS at a “cold site” in Batam. This will ensure that once PDNS 2 experiences any problem, PDNS 1 will take over and the data on PDNS 2 will be restored from the cold site. However, in reality, this process is not running because the amount of data stored at cold site is only about 2 percent. It is also imperative that the infrastructure used accurately complies with the specifications of Tier 4 data center, in terms of electricity supply, cooling systems to physical security in the form of access and fire safety. 

Furthermore, the process of designing PDN was conducted behind closed doors by Kominfo without involving BSSN as the vanguard of cybersecurity, especially for the public sector. BSSN was also left out in the process of securing the two PDNSs currently in used. What Kominfo needs to do immediately to mitigate the situation is to carry out a full review and audit of the PDN design, both in terms of infrastructure and cybersecurity by involving other relevant stakeholders with expertise in cybersecurity, such as BSSN, State Intelligence Agency (BIN), National Police (Polri), National Armed Forces (TNI) as well as experts from the private sector and companies that own data centers, to ensure that the PDN is built according to the highest standard in terms of security and reliability.

Budi’s statement at the House hearing that the tenants have difficulty in backing up their data due to limited budget gives the impression that Kominfo is trying to wash its hands of the responsibility, because it should be the party held responsible for data backup, as it is tasked with managing the PDN. 

The data backup process in PDN should also be made mandatory rather than optional, and the backup process is to be carried out by the PDN manager, not the tenants. If the construction of PDN follows the original design, disruptions like this should not have occurred, due to data redundancy, with full replication and backup of their capacity enabled. 

Building a data center is indeed costly, but the Rp700 billion budget as mentioned by Finance Minister Sri Mulyani Indrawati should be more than enough to build a foolproof PDN system as per the design, especially as it still uses infrastructure owned by the private sector and state-owned enterprise. If the problem lies with the budget, what Kominfo can do is reduce the number of tenants, so that the budget can be used to properly build PDN. There is no need to increase the capacity of PDNSs to serve 282 agencies while reducing the backup capacity, with the excuse that the budget is diverted to procure main storage. 

The results of the initial investigation revealed that there was an attempt to deactivate Windows Defender, even though an enterprise server should not rely on the operating system’s built-in security program, because there are still many enterprise security tools, in terms of both hardware and software. Even though Windows Defender is perfectly fit for home or small business purposes, a data center with a Rp700 billion budget should not be using a default application. There are many ways to secure a server, starting from multi-layering security solutions, closing unnecessary ports, setting access, using multi-factor authentication (MFA), and so forth. 

The ransomware attack exposed the Government’s unpreparedness to manage large amounts of data. There was also possible human negligence which caused the malware to infect the PDN system. The Government’s response was less than satisfactory, most notably the delay in releasing an announcement. This has inevitably sparked accusations of a coverup. Something also felt off at the press conference, because it was led by BSSN while the agency in charge of PDN is actually Kominfo. Again, the public could not be blamed for thinking that it was designed to deflect the blame from Kominfo to BSSN. 

To date, it is not yet known exactly what existing vulnerabilities were exploited by the hackers. Another potential loophole is negligence on the part of the staff who accidentally install malware which is usually embedded in pirated software or through pornographic websites. Other possibilities include an “insider attack” by saboteurs. Another scenario is a staffer with access to the server room being lured to plug in a flash disk that contain ransomware. Sometimes hackers also deliberately leave flash disks in public places in the hope that someone curious enough will pick them up and insert them into their computer to check their contents. 

Kominfo’s slow response was unacceptable, as it is in the public interest to know that a cyberattack has happened because it concerns their personal data. Government data is one of the main targets for hackers, due to the large and critical nature of the data being stored. In additional to financial gain, which serves as a primary motivator for many hackers, cyberattacks that target Government systems could also be an act of espionage to steal confidential data for sinister purposes, posing a potential threat to national security. 

The main cause of the vulnerability of government systems can be attributed to low awareness among the human resources/personnel with regard to cybersecurity, especially those with critical roles or authorities who can access the system, either from within the organization for operational purposes or by third-party contractors who help set up the systems. If we look at the cybersecurity system, we cannot only study the infrastructure, but must also pay attention to other critical aspects, such as cybersecurity training for employees. It is not uncommon that a breach often starts from an employee’s computer or an employee’s credential data being compromised by a phishing attack. Even though an institution already has a most upto-date and sophisticated system, the point of vulnerability will still exist if the employees themselves lack the knowledge or awareness of cyberattack modus operandi. The fact that humans are the weak link in critical data infrastructure should be a wakeup call to all organizational leaders. 

To ward off cyberattacks, security measures must be given priority from the start of the system development, to ensure that there are no security holes in the API (Application Programming Interface), or malicious code that is inadvertently inserted, due to the use of SDK (Software Development Kit), and there are no bugs or programming errors that could be exploited by hackers. Data stored on the server must also be secured using strong encryption, to prevent hackers from accessing the contents of stolen files. 

Additionally, the cybersecurity systems to be used must also be given careful consideration, because they will become the main target of the hackers. PDN management must not only rely on the cybersecurity tools they have, because there are still many things that need to be done, such as having data backups stored in offline data vaults to prevent the main server and backup servers from being hit by ransomware attacks, constant updates of the application to close known security holes, using a multi-layered security approach by combining various technologies and security methods, implementing BCM (Business Continuity Management) and repeated simulation of BCM procedures aimed at reducing the down time. Equally important is a protocol to regularly and continuously assess the vulnerabilities and security gaps in the systems. 

Read: The Oldest Cave Painting In The World Found In South Sulawesi

The Government should also enhance the role of BSSN, so it can better protect government-owned sites, particularly those with domain extension and because hackers know that these sites often have weak cybersecurity awareness, making them easy to penetrate. The Government also needs to consider imposing sanctions on administrators of government and academic sites that are hit by hackers, especially those that result in the leaking of personal data, whether in the form of administrative sanctions such as warnings or even demotion because they can be considered negligent. 

One valuable lesson that should also give a wake-up call to other agencies is that even though there is Satu Data Indonesia regulation where government agencies are required to store the data and applications they have in PDN, each agency should also keep backups of their data and applications on storage devices at each agency’s premises and those should not be connected to a network, not used for anything other than for data backup. This will reduce the chance of cyberattacks due to negligence. What is problematic is that after the presidential decree concerning Satu Data Indonesia was issued, agencies were not allowed to purchase servers and had to store their applications and data in PDN. Thus, further regulations or policies are needed, to strengthen and synchronize preventive measures.


Latest article

Related Articles