
Another data breach from Indonesia: state-owned electricity company and Indonesian branches of big companies, 347GB data breach (UPDATE: + 3 other breaches)

UPDATE: Three other data breaches, Indihome (20th August, GMT+7) and police data (yesterday, GMT+7)

 

Summary

Another data breach coming from Indonesia, this time it's the state-owned electricity company (Perusahaan Listrik Negara, PLN). Reportedly PLN has had over 17M customer records breached, including SSN, customer ID and address, power meter number, and even kWh figures. In another BreachForums post, Indonesian branches of big companies also had 347GB of their data leaked, split into Standard (companies with revenue under $50M) and Big (revenue over $50M). Examples include the Indonesian branches of Microsoft, AT&T and McKinsey, China State Construction Engineering Corporation, China Railway Group Ltd, Huawei Tech Investment and Prudential Life Assurance. The leaked data includes numerous IDs, licenses and certificates, transaction records, and more.

 

Quotes

Quote

Translated from Jagat Review:

The post, entitled "347GB Confidential documents of 21.7K Indonesian Companies + Foreign Companies (branch)", stated that the data came from Indonesian companies as well as foreign companies with branches in Indonesia. Some of the companies in it are even big technology companies, such as Microsoft, Huawei Tech Investment, AT&T, and many more.

 

The leaked data contains important documents such as identity cards (KTP) and NPWP (Nomor Pokok Wajib Pajak / Tax ID cards) of directors and commissioners, company NPWP, and family cards (KK) of shareholders. Other documents are also included, such as passports of company management, deeds of company establishment and deeds of company change, letters of confirmation as a taxable entrepreneur, company registrations, business licenses, financial statements, profit and loss statements, transfer notes, checking account statements, annual tax returns (SPT), certificates of domicile, bank reconciliations, and more.

 

The data is divided into two folders, Big and Standard, based on company value. The data is being sold for 50 thousand USD. To convince buyers, an account called Toshikana on the dark-web forum shared data samples from each category. For the Big category, only the company tax ID card was shown. For Standard, all of the company's data was leaked.

 

Unfortunately, there is no information on where this data leak came from. There has also been no clarification from the relevant parties regarding this issue.

Quote

Translated from CNBC Indonesia:

Spokesman for the Ministry of Communication and Information (Kominfo) Dedy Permadi said that his team was still investigating the alleged data leak of State Electricity Company (PLN) customers.

 

"After receiving the news, we immediately checked, so currently Kominfo is investigating the alleged data leak," said Dedy when met by the media at the Kominfo office, Friday (19/8/2022). Dedy promised to provide further information if there were results or preliminary findings on the alleged data leak. [...]

 

When asked when the Ministry of Communication and Informatics would be able to provide further information and details on the alleged data leak, Dedy said that his side could not yet estimate when it would be announced. He also said that Kominfo will coordinate with relevant agencies such as PLN and the National Cyber and Encryption Agency (BSSN).

Quote

From BreachForums screenshots:

[two screenshots of the BreachForums posts, not reproduced]

My thoughts

I have zero hopes and expectations, to be honest. If you saw the news about the entire PSE registration thing, you know cybersecurity here is already that bad: even state-owned websites can be breached in just a few hours. No doubt it's also going to affect companies in Indonesia, and now here we are, again with a data breach from not only a state-owned company but also Indonesian branches of big companies, and it even includes big tech names like Microsoft and AT&T. At this point not even a Data Privacy law (which somehow, to this very second, has never been passed) can save us, I guess; it's just way too late.

 

Sources

https://www.cnbcindonesia.com/tech/20220819121855-37-365025/data-pelanggan-pln-diduga-bocor-ini-kata-kominfo

https://www.jagatreview.com/2022/08/data-perusahaan-indonesia-bocor-di-situs-gelap/

Nuice Media:

 


My country is at it again, huh. Not surprising, since cybersecurity here is just an afterthought, especially on state-owned websites. Many of them use placeholder/default passwords and almost no one even bothers to change them because it's a pain to remember them all. I know because I work as a civil servant and my work uses around 30 state-owned websites with different usernames and passwords. Those usernames and passwords are usually shared in a WhatsApp group for everyone to see, too.


Update on this from a local news article. There were 21,726 companies in total in the leak: https://tekno.kompas.com/read/2022/08/20/09000027/data-ribuan-perusahaan-di-indonesia-bocor-dijual-di-darkweb

 

Quote

Translated from Kompas:

An independent cybersecurity researcher who is also a bug hunter, Afif Hidayatullah, said that the data Toshikana is selling came from the General Legal Administration (AHU) website.

"If it's from the leak, it's from the online legal administration, https://ahu.go.id/," said Afif to KompasTekno, Friday (19/8/2022). According to him, based on the seller's samples, there were 21,726 companies, PTs and CVs, that exist in Indonesia. "In fact, foundations are also included," said Afif.

 


On 8/20/2022 at 10:58 AM, RigidBody2D said:

My country is at it again, huh. Not surprising, since cybersecurity here is just an afterthought, especially on state-owned websites. Many of them use placeholder/default passwords and almost no one even bothers to change them because it's a pain to remember them all. I know because I work as a civil servant and my work uses around 30 state-owned websites with different usernames and passwords. Those usernames and passwords are usually shared in a WhatsApp group for everyone to see, too.

Oh, it's even funnier this time. They overdid their clown makeup by actually stating that they will REQUEST THE DAMN FORUM TO REGISTER UNDER THEIR ELECTRONIC SYSTEM PROVIDER DATABASE SO THEY CAN BLOCK IT. Sure, the post is now gone, but this is... *facepalm*: https://www.cnnindonesia.com/teknologi/20220821153146-192-837192/situs-hacker-pembocor-data-pln-tak-terdaftar-pse-kominfo-akan-blokir

 

Quote

"Yes, if for example there is [one and] it is not registered, then it is blocked. You must block it, and also not block those who have registered. You must check, audit and verify," he said, in Jakarta, Friday (19/8).

 

Previously, a BreachForums (breached.to) user named loliyta claimed to have 17 million PLN customer records, providing 10 samples. The contents include ID, customer ID, customer name, energy type, kWh, address, meter number, meter type, and the name of the UPI unit.

 

As of Sunday (21/8), the loliyta upload is gone. "The specified thread does not exist," reads the site's message. Plate continued that his side is still in the process of verifying the site, whose status is not registered in the Kominfo Electronic System Operator (PSE) system.

 

"If they (BreachForums) decide to register (as an ESP) and get blocked, it's going to be wild again: why is it blocked?" he said. "It's being verified now," Plate continued.

 

We thought that blocking the forum and being done with it back in the day was peak stupidity. The perfect analogy for this is: say I have a 60-buck debt with someone, I ask for another 60 bucks and block that guy, thinking it's all done. GENIUS MOVE

 

Oh, and it keeps getting better. Three other data leaks, and they're straight up in denial. This time it's National Intelligence, police data, and state-owned ISP Indihome (Telkom) user browsing data from 2020:

- 26M Indihome (state-owned ISP) user browsing records from 2020 leaked and available to download, two years after Indihome stated that they had disabled their browsing trackers for advertising. Telkom Indihome denies the leak:

https://www.reuters.com/technology/indonesia-investigating-alleged-data-breaches-state-owned-firms-2022-08-22/

https://en.tempo.co/read/1625194/communication-ministry-studying-report-of-indihome-data-leak (Local news article)

 

Quote

Indonesia is investigating alleged personal data breaches at state-owned telecoms firm PT Telkom Indonesia's internet service IndiHome and state utility PT Perusahaan Listrik Negara (PLN), its communications ministry said on Sunday. Semuel Abrijani Pangerapan, a senior communications ministry official, said in a statement the ministry had summoned representatives from Telkom (TLKM.JK) and PLN (PLNEG.UL) and had sent recommendations on data protection to both firms. A Telkom spokesperson told Reuters on Monday that there was no breach of IndiHome customers' data.

Quote

So far, it has been caught stealing users' browsing history through a collaboration between Telkom and its advertising subsidiary, Metranet.

After 26 million stolen records were leaked, the next accurate move was denial. (2nd secgron tweet, translated)

Quote

Periksa Data cybersecurity expert Teguh Aprianto on Sunday tweeted about an alleged major leak or data breach of Indihome customers' personal data. Indihome is one of the major internet service providers in Indonesia and a subsidiary of state-owned communication firm Telkom, with millions of customers.

 

"In 2020, we managed to press @IndiHome to turn off their tracker, which had been used to steal customers' browsing history. Now 26 million stolen browsing histories are leaked and shared for free. It turned out to include their names and NIK (citizen identification number)," he tweeted on August 21, 2022.

 

In response to his tweet about an alleged leak, the Ministry of Communication and Informatics (Kominfo) and the National Cyber and Encryption Agency (BSSN) immediately addressed the possibility that a leak had taken place. (Tempo English ver. and first secgron tweet, translated)

- More than 188,000 police records along with 180 National Intelligence files leaked, and apparently they have been posted since April 14th. The original findings from Twitter user Vidyanbanizian have already been deleted, but the post still exists. BIN denies the leak: https://www.kompas.com/tren/read/2022/08/21/180500565/data-badan-intelijen-negara-disebut-bocor-di-medsos-ini-kata-bin?page=all (Local news article)

Quote

A tweet on social media reported that the website of the State Intelligence Agency (BIN) is said to have suffered a data leak. This information was uploaded by the @Vidyanbanizian account, Sunday (21/8/2022).

 

The tweet also displayed a photo of an account named Strovian, a "God User", who allegedly managed to find details of personal data belonging to BIN. It is stated that the leak, or the data becoming known to certain individuals, occurred in April 2022. According to the information in the photos, that person could see more than 180 files or documents: reports, business strategies, a list of agent names, and others. The details of the rosters consist of: Name, Rank, Unit, and Location.

 

When asked to confirm, BIN Spokesman Wawan Hari Purwanto said that the news of the leak of BIN's personal data that went viral on social media was not true. "The data on the BIN website is so far safe, there are no leaks," said Wawan when contacted by Kompas.com, Sunday (21/8/2022). He explained that currently BIN data consisting of personal data, agents, projects, and others remains securely encrypted. In addition, he also said that all personal and agent data are pseudonyms. "All personal data and agents are not real names," he said again. "So the news of the BIN data leak is a hoax," he continued.

 

Quote

[three screenshots, not reproduced]

 


On 8/19/2022 at 7:12 PM, Rauten said:

Isn't Indonesia supposed to...

Yup, it is; they are the hosts for a G20 summit in November.

That could be fun.

All the big names there do make this breach sound state-sponsored.


APTs are getting bolder and bolder with their moves these last 12-18 months. Typically, attacks on Critical National Infrastructure were only seen from state-sponsored threat actors, but these days even smaller groups are making headway.

 

The ransomware group Cl0p managed to compromise a UK water supplier's IT and OT networks, even getting as far as accessing SCADA and HMI equipment (source). The funny part is, we tend to think most of these compromises are done through the sophisticated hacks and exploits we always read about. The reality is that the majority of initial entry was made through the tried and tested phishing method.

 

A lot of companies focus far too much on their frontline defences: implementing nonsense "AI-driven" firewalls and IDS systems, Zero Trust and whatever other SOC buzzword is popular that week. Yet they spend too little time educating staff on how to spot a phishing email, or on operating a basic "trust but verify" policy.

 

This won't be the last time we hear about CNI being compromised. The expectation right now in the cybersec world is that there will be a hack on some country's CNI that causes so much damage and disruption that it "warrants" (subjectively) a response of physical warfare/conflict in retaliation.
