Indonesia’s Largest Tollway Operator PT Jasamarga Breached by the Desorden Group

Summary

Desorden announces a cyberattack against Indonesia’s PT Jasamarga Tollway Operator. 252 GB of data was exfiltrated from 5 servers.

Category: Adversary Intelligence
Industry: Transport & Logistics
Motivation: Financial
Region: Indonesia
Source*: A2

Executive Summary

Threat
  • Desorden announces a cyberattack against Indonesia’s PT Jasamarga Tollway Operator.
  • 252 GB of data was exfiltrated from 5 servers.

Impact
  • Access could reveal business practices and IP.
  • PII can be exploited to conduct social engineering attacks, phishing, identity theft, etc.

Mitigation
  • Follow standard backup policies.
  • Monitor for anomalies in user accounts.
  • Implement a strong password policy.

Analysis and Attribution

Information from the Post

  • On 25 August 2022, CloudSEK’s contextual AI digital risk platform XVigil came across a post from Desorden claiming to have breached Indonesia's largest tollway operator, PT Jasamarga Tollway Operator (JMTO).
  • Desorden, a hacker-for-hire group, is primarily involved in targeting Asian entities.
  • 252 GB of data was exfiltrated from 5 servers of the affected entity.
  • The leaked data includes the following internal and administrative information:
    • Indonesian ID cards
    • Tax cards (with the sensitive 15-digit uncensored NPWP number)
    • Construction Business License
    • Business Entity Certificate (that was not attributed to PT Jasamarga)
    • Internal documents from January to February 2020, disclosing the following PII:
      • National ID card number
      • Cardholder’s photo
      • Signature
      • Phone number and email address from business registration document
      • Internal confidential communication (in physical form) from Jasamarga
Screenshot of the group’s announcement of the cyberattack against PT Jasamarga

Information from a Sensitive Source

A sensitive source in contact with the threat actor has ascertained that:
  • This is the first instance of the group’s attack against Indonesia since its resurgence from inactivity in June.
  • The samples mentioned in the post were obtained from a file-sharing website.
  • The group’s activities have been monitored continuously, as it has conducted cyberattacks against Asian countries such as Thailand in the past.
  • All PDF metadata was wiped from the disclosed samples.
  • The observed data dates from 2015 onwards, with the most recent document dated March 2020.

Updates Since the Breach

  • To further substantiate their claims of the attack against PT Jasamarga, the group updated their post on 24 August 2022 to include 3 article links discussing the hack.

Press Release

On 25 August 2022, PT Jasamarga released a company response to the hack, stating that:
  • The customer data was not affected by the breach.
  • The affected server had been deactivated.
  • The recovered data has been moved to a much more secure server.
  • PT JMTO had closed application security vulnerabilities and collaborated with competent parties in conducting cybersecurity assessments of the system at PT JMTO.
  • Jasa Marga will continue to evaluate and improve its cybersecurity system, not only for internal but also for external stakeholders.

Information from Cybercrime Forums

  • CloudSEK’s Threat Intelligence research team has observed a steady number of cyberattacks targeting Indonesia.
  • According to forum discussions, the possible cause of these attacks is a weak security posture of companies' web-facing infrastructure.
  • A notable and recent data breach was observed exposing 17 million customer records from PLN (Perusahaan Listrik Negara or Indonesian State Electricity Company).

Threat Actor Activity and Rating

Threat Actor Profiling

Active since: June 2022
Reputation: High (No complaints, credible reputation)
Current Status: Active
History: This is the first time that the group has been observed targeting an Indonesian entity since their resurgence. Previous victims of the group include:
  • Polyolefin Singapore
  • Frasers Property & Union Auction Public Company Ltd, Thailand
The group has provided reliable information in the past.
Point of Contact: TOX Messaging Service
Rating: A2 (A: Reliable; 2: Probably True)

Impact & Mitigation

Impact
  • The exposed confidential details could reveal business practices and intellectual property.
  • The leaked information can cause damage to the company's reputation and credibility.
  • The compromised database contains sensitive PII, which can be used to conduct attacks such as:
    • Social engineering
    • Phishing
    • Identity theft

Mitigation
  • Monitor for anomalies on online accounts.
  • Implement a strong password policy.
  • Enable MFA (multi-factor authentication) across service accounts.
  • Patch vulnerable and exploitable endpoints.
  • Follow standard backup policies and have multiple backups to restore operations in a seamless manner.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Appendix

Press Release from PT Jasamarga - acknowledging the cyberattack
Physical document attributed to Jasamarga Tollway Operators
Indonesian ID Card that was retrieved as part of the document sample
Indonesian Business Entity Certificate
The threat actor’s advertisement of the Indonesian State Electricity Company data, putting 17 million citizens’ data on sale

Source: Twitter