Indonesia’s LockBit Attack Exposes National Vulnerability

Indonesia’s government faced a nightmare when its national data centre was hit by a devastating cyber attack a few weeks ago. The incident, which crippled hundreds of government offices and caused chaos at Jakarta’s Soekarno-Hatta International Airport, revealed the nation’s vulnerability to digital threats. The hackers, using sophisticated ransomware from the notorious Russian group LockBit, demanded a USD $8 million ransom, plunging the country into a high-stakes crisis.

The attack’s impact was immediate and widespread. Long queues formed at immigration gates, and frustration grew among travellers as system failures caused by the ransomware known as Brain Cipher brought critical services to a standstill. “The attack affected 210 institutions at the national and local levels,” said Samuel Abrijani Pangerapan, Director General of Informatics Applications at the Indonesian Communications and Informatics Ministry. The hackers’ ransom demand and the subsequent encryption of government data left critical services in limbo.

Efforts to restore services began in earnest, with immigration services reportedly returning to normal by Monday morning. However, other services, including investment licensing, remained crippled. The government, steadfast in its refusal to pay the ransom, has been working tirelessly to decrypt and recover the hijacked data. “We have tried our best to carry out recovery while the National Cyber and Crypto Agency is currently carrying out forensics,” said Communication and Informatics Minister Budi Arie Setiadi.

Notorious Ransomware Group Targets Indonesia

LockBit’s reign of terror is well-documented. Known for targeting governments, major corporations, schools, and hospitals, the group has caused billions of dollars in damage globally. Last year, LockBit was responsible for a quarter of all ransomware attacks worldwide, extorting over USD $1 billion from thousands of victims. The group’s reach is extensive, with the United States, Britain, France, Germany, and China among the most affected countries.

The current attack on Indonesia underscores the persistent threat posed by LockBit. Hinsa Siburian, head of the National Cyber and Crypto Agency, confirmed the detection of LockBit 3.0 ransomware samples. This incident follows a series of ransomware attacks on Indonesian government agencies and companies since 2017, marking it as the most severe to date. Pratama Persadha, chairman of Indonesia’s Cybersecurity Research Institute, highlighted the attack’s extraordinary nature, stating, “The disruption to the national data centre and days-long needed to recover the system means this ransomware attack was extraordinary. It shows that our cyber infrastructure and its server systems were not being handled well.”

Indonesia Does Not Negotiate with Hackers

In the face of such adversity, Indonesia’s stance is clear: No ransom will be paid. “The attackers have held data hostage and offered a key for access in return for the USD $8 million ransom,” said Herlan Wijanarko, PT Telkom Indonesia’s Director of Network & IT Solutions. Despite the pressing circumstances, the government’s resolve remains firm. This decision aligns with the advice of cybersecurity experts who caution against paying ransoms, as it does not guarantee data decryption or non-disclosure of the stolen information.

Kelvin Lim, Senior Director of Security Engineering at Synopsys Software Integrity Group, elaborated on the tactics used by LockBit. “Threat actors using LockBit frequently use a double-extortion strategy in which they encrypt victims’ data and demand payment in exchange for not revealing the stolen information on their data leak site,” he said. He also warned of a third extortion approach, Distributed Denial-of-Service (DDoS) operations, which increases the pressure to pay. Lim advised against paying the ransom, emphasising that it might make the victims more susceptible to future attacks.

Humans Remain the Weakest Link

The ramifications of this attack extend beyond immediate disruptions. Anne Cutler, a cybersecurity expert at Keeper Security, stressed the importance of protecting critical infrastructure from cyberattacks. “Protecting critical infrastructure from cyber attacks is as important as protecting it from physical attacks because the consequences can be equally disastrous,” she noted. The tangible impact of the attack on Indonesia’s airport operations highlights how cyber threats can have immediate and significant consequences for the public.

Cutler also pointed out the human element in cybersecurity breaches. “Although the investigation is still underway into how threat actors were able to successfully deploy the LockBit ransomware, human error remains a significant weakness for organisations,” she said. Her insights are corroborated by the findings of Keeper Security’s 2024 Future of Defence Report, which revealed that 92% of IT and security leaders have seen an increase in cyber attacks year-over-year.

To bolster defences against such attacks, Cutler advocates for a zero-trust architecture with least-privilege access, ensuring employees only have access to what they need for their jobs. This, coupled with security event monitoring and privileged access management software, can significantly reduce the risk of breaches. “By integrating a zero-trust framework within their network infrastructure, government leaders can better identify and react to cyberattacks and minimise potential damage,” she emphasised.

Picking Up the Pieces and Preparing for the Next Attack

As Indonesia grapples with the aftermath of the cyber attack, the focus is on recovery and strengthening cybersecurity measures. The government’s decision not to pay the ransom underscores a commitment to resilience and a long-term strategy to improve cyber defences. Thomas Richards, Principal Security Consultant at Synopsys Software Integrity Group, remarked on the hacker group’s tactics, noting, “In the past when this hacker group has claimed to have information, they have provided at least a sample to prove they have the data.” The absence of such proof in this case might indicate the hackers’ bluff, but the threat remains real.

The lessons from this attack are clear: Robust cybersecurity measures are essential, and a proactive approach is necessary to safeguard against future threats. As the digital landscape continues to evolve, so too must the strategies to protect it. For Indonesia, this attack is a wake-up call and an opportunity to fortify its cyber infrastructure against the relentless tide of cyber threats.