Critical infrastructure

Indonesia IT Ministry official resigns amid cyberattack fallout

After recent Indonesia’s most severe cyberattack, Samuel Abrijani Pangerapan, the director-general for applications and information at the Ministry of Communications and Information Technology, resigned, citing moral responsibility. The attack, which struck more than 280 government agencies, resulted in significant data loss and disrupted essential services ranging from airport operations to scholarship management. The hacker group responsible initially demanded a ransom of $8 million, which the government refused to pay. The hackers later apologised and provided a decryption key to unlock the stolen data.

Despite the decryption key’s release, the recovery process has been challenging. The Ministry of Communications and Information Technology reported that only 2% of the data had been saved by early efforts, with the rest presumed lost. President Joko Widodo responded by ordering an immediate cybersecurity audit and the implementation of robust backup strategies across all national data centres. The goal is to prevent similar incidents in the future, emphasising the need for comprehensive security measures.

Public dissatisfaction has grown in response to the government’s handling of the cyberattack. The attack impacted administrative services and caused significant disruptions at airports in Indonesia, where immigration systems were forced to operate manually due to the cyberattack’s effects on automated processes. The scale of the breach underscored existing vulnerabilities across government data management systems managed by PT Telkom Indonesia, whose subsidiary operated the compromised data centre.

Ransomware actors encrypted Indonesia’s national data centre

Hackers have encrypted systems at Indonesia’s national data centre with ransomware, causing disruptions in immigration checks at airports and various public services, according to the country’s communications ministry. The ministry reported that the Temporary National Data Centre (PDNS) systems were infected with Brain Cipher, a new variant of the LockBit 3.0 ransomware.

Communications Minister Budi Arie Setiadi informed that the hackers demanded $8 million for decryption but emphasised that the government would not comply. The attack targeted the Surabaya branch of the national data centre, not the Jakarta location.

The breach risks exposing data from state institutions and local governments. The cyberattack, which began last Thursday, disrupted services such as visa and residence permit processing, passport services, and immigration document management, according to Hinsa Siburian, head of the national cyber agency. The ransomware also impacted online enrollment for schools and universities, prompting an extension of the registration period, as local media reported. Overall, at least 210 local services were disrupted.

Although LockBit ransomware was used, it may have been deployed by a different group, as many use the leaked LockBit 3.0 builder, noted SANS Institute instructor Will Thomas. LockBit was a prolific ransomware operation until its extortion site was shut down in February, but it resurfaced three months later. Cybersecurity analyst Dominic Alvieri also pointed out that the Indonesian government hasn’t been listed on LockBit’s leak site, likely due to typical delays during negotiations. Previously, Indonesia’s data centre has been targeted by hackers, and in 2023, ThreatSec claimed to have breached its systems, stealing sensitive data, including criminal records.

USA scrutinise China Mobile, China Telecom, and China Unicom

The Biden administration is scrutinising China Mobile, China Telecom, and China Unicom over concerns that these firms could misuse their access to American data through their US cloud and internet businesses. The Commerce Department is leading the investigation, subpoenaing the state-backed companies and conducting risk analyses on China Mobile and China Telecom. These companies maintain a small US presence, providing services like cloud computing and routing internet traffic, giving them potential access to sensitive data.

The investigation aims to prevent these Chinese firms from exploiting their US presence to aid Beijing, aligning with Washington’s broader strategy to counteract potential threats to national security from Chinese technology companies. The US has previously barred these companies from providing telephone and broadband services. Authorities could block transactions that allow these firms to operate in data centres and manage internet traffic, potentially crippling their remaining US operations.

China’s embassy in Washington has criticised these actions, urging the US to cease suppressing Chinese companies. No evidence has been found that these firms intentionally provided US data to the Chinese government. However, concerns persist about their capabilities to access and potentially misuse data, primarily through Points of Presence (PoPs) and data centres in the US, which could pose significant security risks.

EU cybersecurity exercise organised to test energy sector’s cyber resilience

The 7th edition of Cyber Europe, organised by the European Union Agency for Cybersecurity (ENISA), tested the resilience of the EU energy sector, highlighting cybersecurity as an increasing threat to critical infrastructure. In 2023, over 200 cyber incidents targeted the energy sector, with more than half aimed specifically at Europe, underscoring the sector’s vulnerability due to its crucial role in the European economy.

Juhan Lepassaar, Executive Director of ENISA, highlighted the exercise’s role in enhancing preparedness and response capacities to protect critical infrastructure, essential for the single market’s stability.

According to ENISA’s Network and Information Security (NIS) Investments report, 32% of energy sector operators lack Security Operations Center (SOC) monitoring for critical Operation Technology (OT) processes, while 52% integrate OT and Information Technology (IT) under a single SOC.

This year’s Cyber Europe exercise focused on a scenario involving cyber threats to EU energy infrastructure amidst geopolitical tensions. Over two days, stakeholders from 30 national cybersecurity agencies and numerous EU bodies collaborated, developing crisis management skills and coordinating responses to simulated cyber incidents. The exercise, one of Europe’s largest, involved over thousand experts across various domains, facilitated by ENISA, which celebrates its 20th anniversary in 2024.

Japan’s space agency hit by series of cyberattacks, no sensitive data breached, officials confirm

Japan’s Chief Cabinet Secretary Yoshimasa Hayashi confirmed that Japan’s space agency, JAXA, has been targeted by several cyberattacks since late last year. The agency has been investigating the breaches, shutting down affected networks, and verifying that no classified information related to rocket and satellite operations or national security was compromised.

Hayashi also confirmed that hackers are located outside Japan and emphasised Japan’s commitment to enhancing its cybersecurity defences. Amidst increasing military developments in response to China’s growing power, Japan aims to develop a counterstrike capability, though experts believe Tokyo will still rely heavily on the United States for launching long-range missiles.

Defense Minister Minoru Kihara assured the public that the attacks have not impacted his ministry but stated that he is closely monitoring JAXA’s ongoing investigation. As part of the investigation, a portion of the affected JAXA network was temporarily shut down.

JAXA, which develops and launches satellites and is involved in advanced missions like asteroid exploration and potential lunar human exploration, has faced multiple cyber incidents since 2016. That year, it was among 200 Japanese companies and research institutes allegedly targeted by Chinese-speaking military hackers. Last year, unknown hackers also attempted to breach JAXA’s network server but failed to access information critical to the operation of rockets and satellites.

In February 2024, Japan’s cyber official Kazutaka Nakamizo highlighted the increasing cyber threats to the country’s critical infrastructure, particularly from China. However, he did not specify which attacks were believed to be linked to Beijing.

Biden administration bans Kaspersky software sales and sanctions the company’s executives

The Biden administration is set to ban the sale of Kaspersky’s products in the US, citing national security concerns over the firm’s ties to the Russian government. The ban is aimed at mitigating the risks of Russian cyberattacks, as the renowned software’s privileged access to computer systems could allow it to steal sensitive information or install malware. The new rule, which leverages powers created during the Trump administration, will also add Kaspersky to a trade restriction list, barring US suppliers from selling to the company.

These restrictions, effective from 29 September, will halt new US business for Kaspersky 30 days after the announcement and prohibit downloads, resales, and licensing of the product. The decision follows a long history of regulatory scrutiny, including a 2017 Department of Homeland Security ban on Kaspersky products from federal networks due to alleged ties with Russian intelligence. Efforts by Kaspersky to propose mitigating measures were deemed insufficient to address these risks.

Furthermore, the U.S. Treasury Department sanctioned twelve executives and senior leaders from Kaspersky on Friday, marking another punitive measure against the cybersecurity company. The Office of Foreign Assets Control (OFAC) targeted the company’s chief operating officer, top legal counsel, head of human resources, and leader of research and development, among others. However, the company itself, its parent and subsidiary companies, and its CEO, Eugene Kaspersky, were not sanctioned.

This action follows a final determination by the Commerce Department to ban the Moscow-based company from operating in the U.S., citing national security risks and concerns about threats to critical infrastructure.

Why does it matter?

Another reaction from the authorities stresses the administration’s strategy to counter potential cyber threats amid the ongoing conflict in Ukraine. And while the impact of the entity blacklisting on Kaspersky’s operations remains to be seen, it appears now that it could significantly affect the company’s supply chain and reputation. Kaspersky, which operates in over 200 countries, has previously denied all accusations and, in response to these restrictive measures, has been operating a networks of Transparency Centers under its Global Transparency Initiative (GTI) where the company provides its source code for an external examination.

Philippine Maritime Authority hit by system breach

The Maritime Industry Authority (MARINA) in Philippines, a government agency responsible for integrating the development, promotion, and regulation of the maritime industry in the country, acknowledged on Monday that its online platforms encountered a security breach during the weekend. The breach impacted four of MARINA’s systems, prompting an immediate response from the agency to ensure the security of its data.

Upon detecting the attack, MARINA swiftly deployed personnel to its central office in Manila’s Port Area on Sunday. The agency highlighted its quick actions in implementing protective measures. Presently, MARINA’s IT team is working in conjunction with the Department of Information and Communications Technology-Cybercrime Investigation and Coordinating Center (DICT-CICC) to probe the breach and mitigate potential risks to sensitive information.

While MARINA did not disclose the specific systems affected or the extent of the breach, these systems handle crucial data such as vessel registrations, seafarers’ information documents, and record books. As the regulatory body overseeing maritime activities, MARINA aims to have its systems fully operational by Tuesday to resume normal processing of applications.

This security incident adds to a string of cyberattacks targeting Philippine government entities. In May, the Philippine National Police (PNP) halted its online services following breaches that impacted its Logistics Data Information Management System and the Firearms and Explosives Office. Furthermore, in October 2023, a ransomware attack compromised the data of over 13 million members of the Philippine Health Insurance Corp.

National Cyber Director stresses the need for unified cybersecurity requirements in the US

The head of the US Office of the National Cyber Director (ONCD), Harry Coker, has urged the US Congress to harmonise cross-sector baseline cybersecurity requirements in regulated industries, following years of federal and international guidance. Coker highlighted that the lack of regulatory harmonisation poses significant challenges to both cybersecurity outcomes and business competitiveness, as reported by organisations representing the majority of critical infrastructure sectors.

Harry Coker, a Navy veteran and former executive director of the NSA (2017-2019), was confirmed by the US Senate as ONCD director in December 2023, following the resignation of former ONCD Director Chris Inglis in February 2023.

In August 2023, the Office of the National Cyber Director (ONCD) sought private sector input on the state of cybersecurity regulation. Feedback was received from 11 of the 16 critical infrastructure sectors, encompassing over 15,000 businesses, states, and other organizations in the US. The summary of these responses revealed several challenges, including the absence of reciprocity between state and federal regulators and international partners. Regulatory inconsistencies that create barriers to entry, especially for small and mid-sized businesses have also been mentioned among key issues for industry. Furthermore, organizations expressed confusion about which federal agencies are responsible for regulating the defence industrial base, noting that it is unclear which federal agency acts as the clearinghouse for cyber-related regulations and requirements.

In response to the feedback, Coker announced that ONCD has initiated new harmonisation projects, including a pilot reciprocity framework within a critical infrastructure subsector. The pilot project aims to provide valuable insights for designing a comprehensive cybersecurity regulatory approach. Coker emphasized the need for Congress’s assistance to bring all relevant government agencies together to develop a cross-sector framework for harmonisation and reciprocity of baseline cybersecurity requirements. ONCD has not yet provided further details about the pilot project or other ongoing initiatives aimed at driving regulatory harmonisation.

US lawmakers press Microsoft president on China links and cyber breaches

At Thursday’s House of Representatives Homeland Security panel, Microsoft President Brad Smith addressed tough questions about the tech giant’s security measures and connections to China. The scrutiny follows a significant breach last summer when China-linked hackers accessed 60,000 US State Department emails by infiltrating Microsoft’s systems. Additionally, earlier this year, Russia-linked cybercriminals spied on emails of Microsoft’s senior staff, further intensifying concerns.

Lawmakers criticised Microsoft for failing to prevent these cyberattacks, which exposed federal networks to significant risk. They highlighted a report by the Cyber Safety Review Board (CSRB) that condemned Microsoft for lack of transparency regarding the China hack, labelling it preventable. Smith acknowledged the report’s findings and stated that Microsoft acted on most of its recommendations. He emphasised the growing threat posed by nations like China, Russia, North Korea, and Iran, which are increasingly sophisticated and aggressive in their cyberattacks.

During the hearing, Smith defended Microsoft’s role, saying that the US State Department’s discovery of the hack demonstrated the collaborative nature of cybersecurity. However, Congressman Bennie Thompson expressed dissatisfaction, stressing that Microsoft is responsible for detecting such breaches. Given its substantial investments there, panel members also inquired about Microsoft’s operations in China. Smith noted that the company earns around 1.5% of its revenue from China and is working to reduce its engineering presence in the country.

Despite facing significant criticism over the past year, some panel members, including Republican Congresswoman Marjorie Taylor Greene, commended Smith for accepting responsibility. In response to the CSRB’s findings, Microsoft has pledged to prioritise security above all else, launching a new cybersecurity initiative in November to bolster its defences and ensure greater transparency moving forward.

Dutch authorities reveal extensive Chinese cyber-espionage operation

The Dutch military intelligence and security service (MIVD) has raised alarms over a global Chinese cyber-espionage campaign, that successfully targeted ‘a significant number of victims’, including Western governments, international organisations and the defense industry. The Netherlands’ National Cyber Security Centre (NCSC) provided the details of this operation in the warning sharing how state-sponsored hackers exploited a vulnerability in FortiGate devices for ‘at least two months before Fortinet announced the vulnerability.’

This vulnerability, identified as CVE-2022-42475, was leveraged during a ‘zero-day period’ to compromise around 14,000 devices in Netherlands. In particular, the warning says that the had successfully breached the internal computer network of the Dutch Ministry of Defence. After gaining access, the hackers deployed a remote access trojan (RAT) named COATHANGER to perform reconnaissance and exfiltrate user account information from the Active Directory server. It, however, remains unclear how many of these systems were infected with the COATHANGER malware. The MIVD warned that identifying and removing these infections is particularly challenging.

“The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to systems of a significant number of victims,” the report cautioned, emphasizing the ongoing threat posed by this extensive cyber-espionage campaign.