Sensitive Documents Leaked from an Indonesian Telecom Firm & Its Subsidiaries

Summary

Category: Adversary Intelligence
Industry: Telecommunications
Motivation: Financial
Region: Indonesia
Source*: F4

Executive Summary

Threat
  • Data breach affecting an Indonesian telecom firm, PT Telekomunikasi Indonesia, and its subsidiaries.
  • Tax cards, financial statements, and sensitive government documents exposed.

Impact
  • Leaked documents could reveal business practices and intellectual property.
  • Compromised financial records can be used for social engineering, identity theft, and phishing attacks.

Mitigation
  • Patch vulnerable endpoints.
  • Update database instances to the latest versions.
  • Implement a strong password policy.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil uncovered a post on a cybercrime forum, announcing the data breach affecting an Indonesian telecom firm and its subsidiaries.
  • The compromised telecom firm was PT Telekomunikasi Indonesia.
  • The actor claimed to have exfiltrated 49 MB of classified documents, including:
    • Tax cards
    • Financial statements
    • Sensitive government documents
  • Subsidiaries affected by the breach, as listed in the post:
    • PT Infomedia Nusantara
    • PT Infrastruktur Telekomunikasi Indonesia
    • Harbor Media
    • PT Telkom Satelit Indonesia
    • PT Metranet
  • To substantiate the claims, a total of 65 sample documents were shared.
  • The group also posted a threat stating that it expected a reasonable reaction from the compromised entities, such as confirmation of the breach rather than denial.
  • In addition, the group issued a message urging all state and government companies to responsibly report data breaches, now and in the future.
  • To avoid scams, the group uses the middleman (escrow) service facilitated by the forum’s moderator Pompompurin.
The data breach announcement posted by the group on the cybercrime forum

Information from a Sensitive Source

A sensitive source in contact with the threat actor has ascertained that:
  • The group has shared a ZIP file containing the breached documents.
  • All PDF metadata was wiped from the disclosed samples.
  • The observed data dates back to at least 2009.
  • The group also left their email address in a TXT file within the document dump.
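A first-pass check of the kind an analyst runs on such samples to confirm whether document metadata was scrubbed and how old the files are, added here as an illustration (it is not part of the original advisory or of CloudSEK's tooling). It scans raw PDF bytes for the document information dictionary entries (/Author, /Producer, /CreationDate and so on) and for an embedded XMP packet. The two PDFs are constructed inline; the parser assumes an uncompressed /Info dictionary, so entries hidden inside compressed object streams are not seen and a "wiped" verdict is an indicator to follow up with a full PDF library, not proof.

```python
"""Triage check for PDF provenance metadata (added example, not the advisory's own code).

Scans raw PDF bytes for the classic document information dictionary keys and for
an XMP packet, so an analyst can tell whether leaked samples still carry
provenance or were scrubbed before release.

Assumptions: /Info entries are stored uncompressed (the common case). Objects
inside compressed object streams are not parsed, so a "wiped" result here is a
first-pass indicator only.
"""
import re

INFO_KEYS = ("Title", "Author", "Subject", "Creator", "Producer",
             "CreationDate", "ModDate")

# Matches "/Key (literal string)" with escaped parentheses tolerated,
# or "/Key <hex string>", for any of the keys above.
_ENTRY_RE = re.compile(
    rb"/(%s)\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
    % b"|".join(k.encode() for k in INFO_KEYS)
)


def _decode(m):
    """Decode a matched literal or hex PDF string to text (latin-1, lossless)."""
    if m.group("lit") is not None:
        raw = (m.group("lit")
               .replace(b"\\(", b"(")
               .replace(b"\\)", b")")
               .replace(b"\\\\", b"\\"))
        return raw.decode("latin-1")
    hx = re.sub(rb"\s", b"", m.group("hex"))
    return bytes.fromhex(hx.decode()).decode("latin-1")


def extract_pdf_metadata(data: bytes) -> dict:
    """Return /Info-style entries found in the PDF bytes, plus an 'xmp' flag
    that is True when an embedded XMP metadata packet is present."""
    meta = {}
    for m in _ENTRY_RE.finditer(data):
        key = m.group(1).decode()
        meta.setdefault(key, _decode(m))   # keep the first occurrence
    meta["xmp"] = b"<x:xmpmeta" in data or b"<?xpacket begin" in data
    return meta


def metadata_is_wiped(data: bytes) -> bool:
    """True when neither an /Info dictionary entry nor an XMP packet is found."""
    meta = extract_pdf_metadata(data)
    return not meta["xmp"] and not any(k in meta for k in INFO_KEYS)


def creation_year(meta: dict):
    """Year from a PDF date string (D:YYYYMMDD...), or None if absent."""
    d = meta.get("CreationDate") or meta.get("ModDate")
    if d and d.startswith("D:") and d[2:6].isdigit():
        return int(d[2:6])
    return None


# Constructed sample: minimal PDF that still carries its /Info dictionary.
# /Title is a hex string ("Payment"); /Author contains an escaped parenthesis.
SAMPLE_WITH_INFO = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Producer (Microsoft Word 2016) /Author (finance\\) dept)\n"
    b"   /Title <5061796D656E74> /CreationDate (D:20090317101500+07'00') >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

# Constructed sample: the same file with the /Info dictionary removed,
# which is what a scrubbed leak sample looks like.
SAMPLE_WIPED = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("with_info", SAMPLE_WITH_INFO), ("wiped", SAMPLE_WIPED)):
        meta = extract_pdf_metadata(blob)
        print(name, "wiped" if metadata_is_wiped(blob) else "has metadata",
              creation_year(meta), meta)
```

Run it over a directory of samples and tally the `creation_year` values; the earliest year gives the "data dates back to at least ..." statement above a concrete basis, while a uniformly wiped set is itself a signal that the actor post-processed the dump before release.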

Information from Cybercrime Forums

  • CloudSEK’s Threat Intelligence research team has observed a steady number of cyberattacks targeting Indonesia.
  • According to forum discussions, the likely cause of these attacks is the weak security posture of the targeted companies' web-facing infrastructure.
  • A notable and recent data breach was observed exposing 17 million customer records from PLN (Perusahaan Listrik Negara or Indonesian State Electricity Company).

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: July 2022
Reputation: Low (multiple complaints and concerns on the forum)
Current status: Active
History: Reliability of the information provided by the group cannot be assessed at this time.
Point of contact: Jabber and email
Rating: F4 (F: reliability unknown; 4: doubtfully true)

Impact & Mitigation

Impact
  • The exposed confidential details could reveal business practices and intellectual property.
  • Reputational damage to the affected entities.
  • This information can be aggregated further and sold as leads or document leaks on cybercrime forums.
  • Identity theft and document fraud.

Mitigation
  • Implement a strong password policy.
  • Enable MFA (multi-factor authentication) across service accounts.
  • Patch vulnerable and exploitable endpoints.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Appendix

Message shared by the group addressing the State government
 
A sealed document issued to an Indonesian citizen by the Integrated Service Implementation Unit in North Cipete Village
 
Tax Document - attributed to PT Infomedia Nusantara
 
BNI Bank information - attributed to Infomedia Nusantara
 
Document retrieved from PT Telekomunikasi Indonesia
 
The threat actor’s advertisement of the Indonesian State Electricity Company data, putting 17 million citizens’ data on sale
 
