| Category | Industry | Motivation | Region | Source* |
|---|---|---|---|---|
| Adversary Intelligence | Transport & Logistics | Financial | Indonesia | A2 |
- On 25 August 2022, CloudSEK’s contextual AI digital risk platform XVigil came across a post from Desorden claiming to have breached Indonesia's largest tollway operator, PT Jasamarga Tollway Operator (JMTO).
- Desorden, a hacker-for-hire group, is primarily involved in targeting Asian entities.
- 252 GB of data was exfiltrated from 5 servers of the affected entity.
- The leaked data includes the following internal and administrative information:
  - Indonesian ID cards
  - Tax cards (with the sensitive 15-digit NPWP number uncensored)
  - Construction Business License
  - Business Entity Certificate (not attributed to PT Jasamarga)
  - Internal documents from January to February 2020, disclosing the following PII:
    - National ID card number
    - Cardholder's photo
    - Phone number and email address from a business registration document
  - Internal confidential communication (in physical form) from Jasamarga
- This is the first observed attack by the group against an Indonesian entity since it resumed activity in June, after a period of inactivity.
- The samples referenced in the post were obtained from a file-sharing website.
- The group's activities have been monitored continuously, as it has conducted cyberattacks against Asian countries such as Thailand in the past.
- All PDF metadata had been wiped from the disclosed samples.
- The observed data dates from 2015 onwards, with the most recent document dated March 2020.
- To further substantiate its claim of an attack against PT Jasamarga, the group updated its post on 24 August 2022 to include 3 links to news articles discussing the hack.
- Customer data was not affected by the breach.
- The affected server has been deactivated.
- The recovered data has been moved to a much more secure server.
- PT JMTO has closed the application security vulnerabilities and collaborated with competent parties to conduct cybersecurity assessments of the systems at PT JMTO.
- Jasa Marga will continue to evaluate and improve its cybersecurity system, not only for internal but also for external stakeholders.
- CloudSEK’s Threat Intelligence research team has observed a steady number of cyberattacks targeting Indonesia.
- According to forum discussions, the likely cause of these attacks is the weak security posture of companies' web-facing infrastructure.
- A notable and recent data breach was observed exposing 17 million customer records from PLN (Perusahaan Listrik Negara or Indonesian State Electricity Company).
| Threat Actor Profiling | |
|---|---|
| Active since | June 2022 |
| Reputation | High (No complaints, credible reputation) |
| History | This is the first time that the group has been observed targeting an Indonesian entity since its resurgence. Previous victims of the group include: |
| Point of Contact | TOX Messaging Service |
| Rating | A2 (A: Reliable; 2: Probably True) |