Transport & Logistics
- Desorden announces a cyberattack against Indonesia’s PT Jasamarga Tollway Operator.
- 252 GB of data was exfiltrated from 5 servers.
- Access could reveal business practices and IP.
- PII can be exploited to conduct social engineering attacks, phishing, identity theft, etc.
- Follow standard backup policies.
- Monitor for anomalies in user accounts.
- Implement a strong password policy.
Analysis and Attribution
Information from the Post
- On 25 August 2022, CloudSEK’s contextual AI digital risk platform XVigil came across a post from Desorden claiming to have breached Indonesia's largest tollway operator, PT Jasamarga Tollway Operator (JMTO).
- Desorden, a hacker-for-hire group, is primarily involved in targeting Asian entities.
- 252 GB of data was exfiltrated from 5 servers of the affected entity.
- The leaked data includes the following internal and administrative information:
  - Indonesian ID cards
  - Tax cards (with the sensitive 15-digit uncensored NPWP number)
  - Construction Business License
  - Business Entity Certificate (that was not attributed to PT Jasamarga)
  - Internal documents from January to February 2020, disclosing the following PII:
    - National ID card number
    - Cardholder’s photo
    - Phone number and email address from business registration document
  - Internal confidential communication (in physical form) from Jasamarga
Screenshot of the group’s announcement of the cyberattack against PT Jasamarga
Information from a Sensitive Source
A sensitive source in contact with the threat actor has ascertained that:
- This is the first instance of the group’s attack against Indonesia since its resurgence from inactivity in June.
- The samples mentioned in the post were obtained from a file-sharing website.
- The group’s activities have been monitored continuously, as it has conducted cyberattacks against Asian countries such as Thailand in the past.
- All PDF metadata was wiped from the disclosed samples.
- The observed data dates from 2015 onwards, with the most recent document dated March 2020.
Updates Since the Breach
- To further substantiate their claims of the attack against PT Jasamarga, the group updated their post on 24 August 2022 to include 3 article links discussing the hack.
On 25 August 2022, PT Jasamarga released a company response to the hack, stating that:
- The customer data was not affected by the breach.
- The affected server had been deactivated.
- The recovered data has been moved to a much more secure server.
- PT JMTO had closed application security vulnerabilities and collaborated with competent parties in conducting cybersecurity assessments in the system at PT JMTO.
- Jasa Marga will continue to evaluate and improve its cybersecurity system, not only for internal but also for external stakeholders.
Information from Cybercrime Forums
- CloudSEK’s Threat Intelligence research team has observed a steady number of cyberattacks targeting Indonesia.
- According to forum discussions, a possible cause of these attacks is the weak security posture of companies' web-facing infrastructure.
- A notable and recent data breach was observed exposing 17 million customer records from PLN (Perusahaan Listrik Negara or Indonesian State Electricity Company).
Threat Actor Activity and Rating
Threat Actor Profiling
| Attribute | Details |
| --- | --- |
| Reputation | High (No complaints, credible reputation) |
| Previous activity | This is the first time that the group has been observed targeting an Indonesian entity since their resurgence. Previous victims of the group include Polyolefin Singapore and Frasers Property & Union Auction Public Company Ltd, Thailand. |
| Track record | Has provided reliable information in the past |
| Point of Contact | TOX Messaging Service |
| Rating | A2 (A: Reliable; 2: Probably True) |
Impact & Mitigation
Impact
- The exposed confidential details could reveal business practices and intellectual property.
- The leaked information can cause damage to the company's reputation and credibility.
- The compromised database contains sensitive PII which can be used to conduct attacks such as:
  - Social engineering
  - Identity theft
Mitigation
- Monitor for anomalies on online accounts.
- Implement a strong password policy.
- Enable MFA (multi-factor authentication) across service accounts.
- Patch vulnerable and exploitable endpoints.
- Follow standard backup policies and have multiple backups to restore operations in a seamless manner.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
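The mitigation "monitor for anomalies on online accounts" is easy to state and harder to operationalise. The following added example (not CloudSEK's tooling and not derived from anything in the advisory) shows the kind of minimal detection logic a defender can run over authentication logs: it flags an account that succeeds after a burst of failures, and an account that logs in successfully from more than one source address within a short window. The log line format, the field names, the thresholds and the sample log lines are all constructed assumptions for illustration; a real deployment would feed this from the identity provider's or web server's actual audit log and tune the thresholds to its traffic.

```python
"""Toy account-anomaly detector over constructed authentication log lines.

Added example (not CloudSEK's tooling or anything from the advisory); the log
format, field names and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO8601 UTC> user=<name> result=<ok|fail> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>ok|fail)\s+src=(?P<src>\S+)$"
)

# Constructed sample log: alice is hammered with failures and then logs in;
# bob logs in from two different source addresses within minutes; carol is normal.
SAMPLE_LOG = """\
2022-08-25T09:58:01Z user=alice result=fail src=203.0.113.7
2022-08-25T09:58:03Z user=alice result=fail src=203.0.113.7
2022-08-25T09:58:05Z user=alice result=fail src=203.0.113.7
2022-08-25T09:58:06Z user=alice result=fail src=203.0.113.7
2022-08-25T09:58:08Z user=alice result=fail src=203.0.113.7
2022-08-25T09:58:10Z user=alice result=ok src=203.0.113.7
2022-08-25T10:01:00Z user=bob result=ok src=198.51.100.20
2022-08-25T10:03:30Z user=bob result=ok src=192.0.2.44
2022-08-25T10:05:00Z user=carol result=ok src=198.51.100.9
2022-08-25T10:40:00Z user=carol result=ok src=198.51.100.9
"""

FAIL_THRESHOLD = 5                      # failures before a success that we flag (assumed)
FAIL_WINDOW = timedelta(minutes=10)     # how far back failures count (assumed)
MULTI_SRC_WINDOW = timedelta(minutes=15)  # window for "more than one source" (assumed)


def parse(lines):
    """Yield (timestamp, user, result, src) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["result"], m["src"]


def detect_anomalies(log_text):
    """Return a sorted list of (user, rule) findings for two simple rules:

    'burst_then_success'  - at least FAIL_THRESHOLD failures inside FAIL_WINDOW
                            followed by a successful login for the same account;
    'multiple_sources'    - successful logins for one account from more than one
                            source address inside MULTI_SRC_WINDOW.
    """
    recent_fails = defaultdict(list)   # user -> timestamps of recent failures
    recent_ok = defaultdict(list)      # user -> (timestamp, src) of recent successes
    findings = set()
    # Events are processed in time order so the sliding windows are meaningful.
    for ts, user, result, src in sorted(parse(log_text.splitlines())):
        if result == "fail":
            recent_fails[user].append(ts)
            continue
        # Rule 1: keep only failures inside the window, then count what is left.
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
        if len(recent_fails[user]) >= FAIL_THRESHOLD:
            findings.add((user, "burst_then_success"))
        recent_fails[user].clear()  # a success resets the failure streak
        # Rule 2: distinct source addresses among successes inside the window.
        recent_ok[user] = [(t, s) for t, s in recent_ok[user] if ts - t <= MULTI_SRC_WINDOW]
        recent_ok[user].append((ts, src))
        if len({s for _, s in recent_ok[user]}) > 1:
            findings.add((user, "multiple_sources"))
    return sorted(findings)


if __name__ == "__main__":
    for user, rule in detect_anomalies(SAMPLE_LOG):
        print(f"ALERT {user}: {rule}")
```

Both rules are deliberately coarse: the second one fires on any change of source address, so in practice it is usually refined with geolocation or ASN data to distinguish a laptop moving between networks from a session reused from a different country. The point of the sliding windows is that alerts are tied to time, not to lifetime counts, which keeps the rule useful on busy accounts.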
Press Release from PT Jasamarga acknowledging the cyberattack
Physical document attributed to Jasamarga Tollway Operators
Indonesian ID Card that was retrieved as part of the document sample
Indonesian Business Entity Certificate
The threat actor’s advertisement of the Indonesian State Electricity Company data, putting 17 million citizens’ data on sale