Indonesia denies report of Chinese hacking group breaching intelligence agency servers

Insikt Group says malware has infiltrated the systems of at least 10 Indonesian ministries and agencies.

Indonesia’s national intelligence agency has denied a report claiming its servers were breached by a suspected Chinese state-sponsored hacking group, but says it is still investigating whether other government agencies have been affected.

Insikt Group, the threat research division of United States-based cybersecurity firm Recorded Future, last week said malware had infiltrated the systems of at least 10 Indonesian ministries and agencies, including the intelligence agency, Badan Intelijen Negara (BIN).

It made the discovery in April and notified Indonesian authorities about the intrusions in June and July, it said, adding that the malware was operated by a Chinese group called Mustang Panda.

Mustang Panda is known to have targeted governments and telcos in Southeast Asia.

An article published on Recorded Future’s news site, The Record, said Indonesian authorities had not responded to Insikt’s notification, though it added that a source said the government had taken steps to identify and clean the infected systems.

Even after this, however, Insikt researchers confirmed that hosts inside Indonesian government networks were still communicating with the Mustang Panda malware servers.

In a Tuesday statement, BIN spokesperson Wawan Hari Purwanto told This Week in Asia Insikt’s claim was a “rumour” and that BIN’s servers “remain secure”.

“Now, BIN is continuing to investigate [the claim] and coordinating with stakeholders regarding the truth behind the information that BIN’s and other government ministries’ or agencies’ servers were hacked,” he said. “However, to this day, BIN’s servers remain secure and under control and they were not hacked.”

According to Wawan, BIN routinely inspects its systems to ensure their functionality. He added that attempted cyberattacks on BIN’s servers are “normal, considering BIN’s [duty] to maintain the sovereignty of Indonesia and to secure the interest of the Indonesian people”.

“I hope people do not easily trust the information being spread [in the community] and continue to check, recheck, and cross check that information,” he said.

Recorded Future did not immediately respond to a request for comment. It is unclear whether the attacks are ongoing.


The company is not contracted by the Indonesian government to monitor its networks, but it is common for private cybersecurity firms to detect malware and other advanced persistent threats in a foreign government’s networks and other information technology systems.

In July, for example, US-based cybersecurity firm vpnMentor found the exposed data of over 1 million users of Indonesia’s now-defunct test-and-trace app for travellers, e-HAC, while Boston-based Cybereason in August said it had identified intrusions by Chinese cyber espionage groups targeting major telecoms providers across Southeast Asia.

Hinsa Siburian, the head of Indonesia’s National Cyber and Crypto Agency (BSSN), on Monday told reporters he was aware of Insikt’s statement and the agency was looking into it, though he stressed that it was “still an allegation”.

Pratama Persadha, chairman of the Communication and Information System Security Research Centre (CISSREC), a Jakarta-based non-profit, said BIN’s servers could not be easily penetrated.

“They already have a good information security standard when things like this happen,” Pratama said, adding that BIN operated a so-called cyber honeypot, a decoy computer system set up for the sole purpose of attracting cyberattacks.

It is unclear whether the other agencies, which Insikt did not name, had taken similar measures.

Insikt’s statement comes on the heels of a series of recent data-security failures in Indonesia’s government-managed networks, including the exposed e-HAC data and the information of over 270 million Indonesians stored by the country’s health care and social security agency BPJS Kesehatan.

In the e-HAC case, Indonesia’s health ministry initially ignored vpnMentor’s notification that its server was not secure.

Pratama – who has profiled several cybersecurity threat actors, including Mustang Panda – said the group was largely made up of Chinese actors and had created its own ransomware called Thanos.

“This ransomware can access data and credential logins on [personal computer] devices and then send them to a command-and-control server, allowing the hacker to control the target’s operating system,” he said. “Thanos has 43 different configurations that can fool firewalls and antivirus [software], so it is very dangerous.”

However, Pratama said, Insikt’s statement that it had found malware in the servers of BIN and other government agencies would remain an allegation unless there was proof data had been stolen.

“If [Mustang Group] shared the hacked data, only then we can conclude that there was indeed a data breach. But if this is [state-backed] espionage, then the proof will be more difficult to attain, as the motive is not economy or popularity,” he said.

“I think Mustang Panda can be classified as a state-sponsored actor as they use [advanced persistent threats] that require large resources. Their targets are mostly high-profile [institutions].”

In June, a Slovak security firm found a backdoor Trojan – which gives its operators remote control over a device – allegedly planted by Mustang Panda in the website of the Myanmar president’s office.

In March, security firm McAfee said in a report that Mustang Panda had allegedly targeted telecoms companies in Southeast Asia, Europe and the US via a phishing site disguised as Huawei’s careers page. McAfee said there was no evidence that Chinese tech giant Huawei was knowingly involved in the campaign.

René Pattiradjawane, president of the Centre for Chinese Studies-Indonesia and a fellow at the EastWest Institute, said if the attacks were confirmed and the perpetrator was indeed a Chinese state-sponsored actor, Jakarta should seek clarification from Beijing as a way to prevent a falling-out between the countries.


“If China is confirmed to be behind all this, the Indonesian foreign and defence ministries should nicely ask Beijing three questions: ‘What do they want from us? Why do you treat us like that? And whether [Beijing] wants us to be their enemy or friend’,” René said, though he added there was no proof Mustang Panda was backed by the Chinese government.

He pointed out that Jakarta had filed a “loud protest” with Canberra in 2013 when American whistle-blower Edward Snowden shed light on Australia’s espionage efforts in 2009, including tapping then Indonesian president Susilo Bambang Yudhoyono’s mobile phone for 15 days.

Both René and Pratama speculated that long-standing tensions over the South China Sea, a sticking point in Indonesia and China’s bilateral ties, could be a motive for the intrusion.

In a parliamentary hearing on Monday, Rear Admiral Suprianto Irawan – the secretary of Indonesia’s Maritime Security Agency, or Bakamla – said Chinese coastguard vessels were interrupting or shadowing the work of Indonesian-flagged drilling rigs operating in the North Natuna Sea.

Such vessels have in recent months been repeatedly spotted near Tuna block, an oil and gas working area in the Natuna Sea. Indonesia is not a claimant in the South China Sea dispute, but it has clashed with Beijing over vessel intrusions into its exclusive economic zone in waters around the Natuna islands, which overlap with China’s nine-dash line territorial claim.

Suprianto added that there might be “hundreds, if not thousands” of Chinese or Vietnamese vessels that had entered the Natuna waters undetected.

This article was first published in South China Morning Post.