- Data breach affecting an Indonesian telecom firm, PT Telekomunikasi Indonesia, and its subsidiaries.
- Tax cards, financial statements, and sensitive government documents exposed.
- Leaked documents could reveal business practices and IP.
- Compromised financial records can be used for social engineering, identity theft, and phishing attacks.
- Patch vulnerable endpoints.
- Update database instances to the latest versions.
- Implement a strong password policy.
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil uncovered a post on a cybercrime forum, announcing the data breach affecting an Indonesian telecom firm and its subsidiaries.
- The compromised telecom firm was PT Telekomunikasi Indonesia.
- 49 MB of classified documents were claimed to be exfiltrated, which included:
  - Tax cards
  - Financial statements
  - Sensitive government documents
- Subsidiaries affected in the breach include the following:
  - PT Infomedia Nusantara
  - PT Infrastruktur Telekomunikasi Indonesia
  - Harbor Media
  - PT Telkom Satelit Indonesia
  - PT Metranet
- In order to substantiate their claims, a total of 65 sample documents were shared.
- The group also posted a threat stating that it expected a reasonable reaction from the compromised entities, namely confirmation of the breach rather than denial.
- In addition, the group issued a message urging all state and government companies to report data breaches responsibly, now and in the future.
- To avoid scams, the group uses the escrow (middleman) service facilitated by the forum’s moderator Pompompurin.
Figure: The data breach announcement posted by the group on the cybercrime forum.
Information from a Sensitive Source
A sensitive source in contact with the threat actor has ascertained that:
- The group has shared a ZIP file containing the breached documents.
- All PDF metadata was wiped from the disclosed samples.
- The observed data dates back to at least 2009.
- The group also left their email address in a TXT file within the document dump.
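The checks listed above (PDF metadata present or wiped, the earliest date in the samples, and contact addresses left behind in text files) are exactly what an analyst runs when validating a claimed dump. The following script is an added example, not CloudSEK's tooling or anything taken from the actual leak: it triages a ZIP of documents using only the standard library, reading PDF Info-dictionary fields with regular expressions so that it also works on truncated or damaged samples. The sample dump it builds (file names, the author string, the year values and the `example.invalid` address) is constructed for the example.

```python
import io
import re
import zipfile
from typing import Optional

# Info-dictionary fields that document editors normally populate; a sample with
# none of them present has most likely had its metadata stripped.
METADATA_KEYS = ("Author", "Creator", "Producer", "CreationDate", "ModDate", "Title")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PDF_DATE_RE = re.compile(rb"/(CreationDate|ModDate)\s*\(D:(\d{4})")
YEAR_RE = re.compile(rb"\b(19[89]\d|20[0-4]\d)\b")  # plausible document years only


def pdf_metadata(data: bytes) -> dict:
    """Return the Info-dictionary fields found in a PDF's raw bytes.

    Regex-based on purpose: a strict parser rejects damaged or partial samples,
    which is common in forum dumps, while the Info dictionary is plain text.
    """
    found = {}
    for key in METADATA_KEYS:
        match = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if match:
            found[key] = match.group(1).decode("latin-1")
    return found


def triage_dump(zip_bytes: bytes) -> dict:
    """Summarise a dump: metadata per PDF, PDFs with metadata wiped, earliest
    year seen (from PDF dates and from years in text files), and e-mail
    addresses left in TXT files."""
    report = {"pdfs": {}, "metadata_wiped": [], "earliest_year": None, "emails": set()}
    years = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            lower = name.lower()
            if lower.endswith(".pdf"):
                meta = pdf_metadata(data)
                report["pdfs"][name] = meta
                if not meta:
                    report["metadata_wiped"].append(name)
                years.extend(int(y) for _, y in PDF_DATE_RE.findall(data))
            elif lower.endswith(".txt"):
                report["emails"].update(e.decode() for e in EMAIL_RE.findall(data))
                years.extend(int(y) for y in YEAR_RE.findall(data))
    if years:
        report["earliest_year"] = min(years)
    return report


def minimal_pdf(info: Optional[dict]) -> bytes:
    """Build a tiny PDF skeleton, optionally with an Info dictionary, so the
    example runs offline. Constructed for this example only."""
    body = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
    if info:
        fields = b"".join(b"/%s (%s) " % (k.encode(), v.encode()) for k, v in info.items())
        body += b"2 0 obj << " + fields + b">> endobj\n"
    trailer = b"trailer << /Root 1 0 R" + (b" /Info 2 0 R" if info else b"") + b" >>\n%%EOF\n"
    return body + trailer


def build_sample_dump() -> bytes:
    """Constructed stand-in for a leaked ZIP: one PDF with metadata, one with
    it wiped, and a TXT file in which the seller left a contact address."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/financial_statement.pdf",
                    minimal_pdf({"Author": "example-user", "CreationDate": "D:20090315120000"}))
        zf.writestr("docs/tax_card.pdf", minimal_pdf(None))  # metadata stripped
        zf.writestr("README.txt", b"contact: seller@example.invalid\nrecords from 2011 onwards\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_dump(build_sample_dump())
    print("metadata wiped:", result["metadata_wiped"])
    print("earliest year:", result["earliest_year"])
    print("emails in text files:", sorted(result["emails"]))
```

The metadata check answers the "wiped or not" question per file, which matters because wiped metadata removes one of the few ways to tie a sample to its real origin; the earliest-year and e-mail fields are the same artefacts the source above reports. Years inside compressed PDF content streams are not visible to this script, so on a real dump the dating step should be confirmed against the rendered document text.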
Information from Cybercrime Forums
- CloudSEK’s Threat Intelligence research team has observed a steady number of cyberattacks targeting Indonesia.
- According to forum discussions, the possible cause of these attacks is a weak security posture of companies' web-facing infrastructure.
- A notable and recent data breach was observed exposing 17 million customer records from PLN (Perusahaan Listrik Negara or Indonesian State Electricity Company).
Threat Actor Activity and Rating
| Threat Actor Profiling | |
|---|---|
| Forum reputation | Low (Multiple complaints and concerns on the forum) |
| Reliability of information | Reliability of the information provided by the group cannot be assessed at this time. |
| Point of Contact | Jabber and Email |
| Rating | F4 (F: Reliability Unknown; 4: Doubtfully true) |
Impact & Mitigation
- The exposed confidential details could reveal business practices and intellectual property.
- Reputational damage to the affected entity.
- This information can be aggregated further to be sold as leads/document leaks on cybercrime forums.
- Identity theft and document fraud on a large scale.
- Implement a strong password policy.
- Enable MFA (multi-factor authentication) across service accounts.
- Patch vulnerable and exploitable endpoints.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
Figure: Message shared by the group addressing the State government.
Figure: A sealed document issued to an Indonesian citizen by the Integrated Service Implementation Unit in North Cipete Village.
Figure: Tax document attributed to PT Infomedia Nusantara.
Figure: BNI Bank information attributed to Infomedia Nusantara.
Figure: Document retrieved from PT Telekomunikasi Indonesia.
Figure: The threat actor’s advertisement of the Indonesian State Electricity Company data, putting 17 million citizens’ data on sale.