Indonesia’s Largest Tollway Operator PT Jasamarga Breached by the Desorden Group

Desorden announces a cyberattack against Indonesia’s PT Jasamarga Tollway Operator. 252 GB data was exfiltrated from 5 servers.
Published on October 30, 2022
Updated on April 19, 2023
Category: Adversary Intelligence
Industry: Transport & Logistics
Motivation: Financial
Region: Indonesia
Source*: A2

Executive Summary

Threat
  • Desorden announces a cyberattack against Indonesia’s PT Jasamarga Tollway Operator.
  • 252 GB data was exfiltrated from 5 servers.

Impact
  • Access could reveal business practices and IP.
  • PII can be exploited to conduct social engineering attacks, phishing, identity thefts, etc.

Mitigation
  • Follow standard backup policies.
  • Monitor for anomalies in user accounts.
  • Implement a strong password policy.

Analysis and Attribution

Information from the Post

  • On 25 August 2022, CloudSEK’s contextual AI digital risk platform XVigil came across a post from Desorden claiming to have breached Indonesia's largest tollway operator, PT Jasamarga Tollway Operator (JMTO).
  • Desorden, a hacker-for-hire group, is primarily involved in targeting Asian entities.
  • 252 GB of data was exfiltrated from 5 servers of the affected entity.
  • The leaked data includes the following internal and administrative information:
    • Indonesian ID cards
    • Tax cards (with the sensitive 15-digit uncensored NPWP number)
    • Construction Business License
    • Business Entity Certificate (that was not attributed to PT Jasamarga)
    • Internal documents from January to February 2020, disclosing the following PII:
      • National ID card number
      • Cardholder’s photo
      • Signature
      • Phone number and email address from business registration document
      • Internal confidential communication (in physical form) from Jasamarga
Figure: Screenshot of the group’s announcement of the cyberattack against PT Jasamarga

Information from a Sensitive Source

A sensitive source in contact with the threat actor has ascertained that:
  • This is the first instance of the group’s attack against Indonesia since its resurgence from inactivity in June.
  • The samples mentioned in the post were obtained from a file-sharing website.
  • The group’s activities have been monitored continuously, as it has conducted cyberattacks against entities in Asian countries such as Thailand in the past.
  • All PDF metadata was wiped from the disclosed samples.
  • The observed data dates from 2015 onwards, with the most recent document dated March 2020.

Updates Since the Breach

  • To further substantiate their claims of the attack against PT Jasamarga, the group updated their post on 24 August 2022, to include 3 article links, discussing the hack.

Press Release

On 25 August 2022, PT Jasamarga released a company response to the hack, stating that:
  • The customer data was not affected by the breach.
  • The affected server had been deactivated.
  • The recovered data has been moved to a much more secure server.
  • PT JMTO had closed application security vulnerabilities and collaborated with competent parties in conducting cybersecurity assessments of PT JMTO’s systems.
  • Jasa Marga will continue to evaluate and improve its cybersecurity system, not only for internal but also for external stakeholders.

Information from Cybercrime Forums

  • CloudSEK’s Threat Intelligence research team has observed a steady number of cyberattacks targeting Indonesia.
  • According to forum discussions, the possible cause of these attacks is a weak security posture of companies' web-facing infrastructure.
  • A notable and recent data breach was observed exposing 17 million customer records from PLN (Perusahaan Listrik Negara or Indonesian State Electricity Company).

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: June 2022
Reputation: High (No complaints, credible reputation)
Current Status: Active
History: This is the first time that the group has been observed targeting an Indonesian entity since their resurgence. Previous victims of the group include:
  • Polyolefin Singapore
  • Frasers Property & Union Auction Public Company Ltd, Thailand
The group has provided reliable information in the past.
Point of Contact: TOX Messaging Service
Rating: A2 (A: Reliable; 2: Probably True)

Impact & Mitigation

Impact
  • The exposed confidential details could reveal business practices and intellectual property.
  • The leaked information can cause damage to the company's reputation and credibility.
  • The compromised database contains sensitive PII which can be used to conduct attacks such as:
    • Social engineering
    • Phishing
    • Identity theft

Mitigation
  • Monitor for anomalies on online accounts.
  • Implement a strong password policy.
  • Enable MFA (multi-factor authentication) across service accounts.
  • Patch vulnerable and exploitable endpoints.
  • Follow standard backup policies and have multiple backups to restore operations in a seamless manner.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Appendix

Figure: Press Release from PT Jasamarga acknowledging the cyberattack
Figure: Physical document attributed to Jasamarga Tollway Operators
Figure: Indonesian ID Card that was retrieved as part of the document sample
Figure: Indonesian Business Entity Certificate
Figure: The threat actor’s advertisement of the Indonesian State Electricity Company data, putting 17 million citizens’ data on sale
Figure: Source: Twitter
