Cyberattack on Indonesia's national data centre paralyses government services  

By Mochamad Azhar

A joint response team, comprising national communication and cyber agencies, is focusing on bringing the affected services back online and is also investigating the cyberattack on the Temporary National Data Centre (PDN).

A joint team from the Ministry of Communications, the National Cyber and Crypto Agency, and the Indonesian National Police investigated the cyberattack on the country's national data centre. The ransomware attack has paralysed government digital services. Image: Ministry of Kominfo

Indonesia's Temporary National Data Centre (PDN) has been under cyber-attack since Thursday, June 20, crippling several critical government services including immigration services. 


National Cyber and Crypto Agency’s Head, Hinsa Siburian, said in a joint press conference in Jakarta on June 24 that the attack was carried out with the Brain Cipher ransomware, which is the latest variant of the LockBit 3.0 ransomware.


LockBit 3.0 is a sophisticated ransomware that can lock a system and encrypt its data, which cybercriminals then use to blackmail victims.


"We are still investigating the forensic evidence obtained ... this will be a lesson for us to strengthen mitigation so that similar incidents do not recur in the future," he added.

The government also emphasised that it would not pay the US$8 million ransom demanded by the attackers, who threatened to sell the data contained in the PDN on the dark web.

Hundreds of agencies affected 


Ministry of Kominfo’s Director-General of Informatics Applications, Semuel Pangerapan, said the cyberattack on the government's digital infrastructure had caused service disruptions to hundreds of central and local state agencies. "There are so many affected, the details are up to 210 agencies. We are doing the migration as soon as possible."


Immigration inspection services and auto gates at five immigration checkpoints went down on June 20, including those at Soekarno Hatta International Airport, Juanda International Airport, Kualanamu International Airport, Hang Nadim International Airport, and Batam and Nongsa International Ports.  


This forced immigration officers to conduct manual verification, causing passenger queues at immigration gates, especially at Soekarno Hatta, the busiest international airport.


Besides immigration services, the cyber-attack also disrupted licensing services at the Coordinating Ministry for Maritime Affairs and Investment and digital services at the National Public Procurement Agency (LKPP). 


"Those services were successfully recovered, and the system operation is back to normal. Directorate of Immigration recovered after relocating its services, LKPP is now on, the Ministry of Maritime Affairs and Investment is also on, Kediri City is on. Others are still in process," said Semuel. 

Relocating the data centre to private cloud 


After the immigration system went down during the night of the attack, the Directorate General of Immigration immediately relocated its data centre to a private cloud service provider.  


The decision to move the data centre was made after the PDN recovery did not show positive progress on the first day of the disruption, officials said.  


"Generally, technical problems can be resolved in a matter of one to three hours. When it exceeded six hours, we concluded that there must be something bigger than just technical problems, maybe caused by cyber-attacks," said Director-General of Immigration, Silmy Karim, through a press release.  


He said that quick decisions are needed to mitigate cyberattacks, especially for institutions responsible for public services and involved in state security. "We could wait for the PDN to recover because the public interest must be prioritised," Silmy said. 


After moving its data centre, the immigration inspection lane started running normally on Saturday (June 22) evening. Meanwhile, auto gates, visa applications, and residence permit services were back to normal on Sunday (June 23) morning. 

Improving cybersecurity strategy 


This incident exposed the vulnerability of the country's digital infrastructure. Previously, Bank Syariah Indonesia was also attacked by a ransomware virus, disrupting its mobile banking services. 


Several cybersecurity experts highlighted that the Indonesian government must improve its cybersecurity strategy to prevent loss of public trust. 


CISSReC Cyber Security Institute’s Chairman, Pratama Persadha, revealed that ransomware attacks have dangerous implications in the long run because they have the potential to leak personal data contained in government systems.


"This attack should be a warning for the government to immediately improve security and ensure that every agency that uses PDN has a robust and standardised business continuity plan," said Pratama.


Cybersecurity company Tenable's Senior Vice President for Asia Pacific and Japan, Nigel Ng, in a public statement applauded the Indonesian government for refusing to pay the ransom demanded by the attackers as 'a strong message not to give in to cybercriminals'. 


However, this strategy needs to be complemented by continuous monitoring and real-time threat detection. This situation demonstrates the need for strong collaboration between government agencies and private companies. 


"Through shared expertise and coordinated efforts, we can improve our defences against persistent threats and build a more resilient digital infrastructure for the future."