Spate of cyberattacks in Indonesia shines spotlight on complacency, public education


JAKARTA: Many Indonesian journalists were waiting for an online press conference by the National Agency for Disaster Management (BNPB) to begin last week, but its Youtube channel showed a foreigner giving a live presentation on cryptocurrency.

Puzzled by this, reporters sought an explanation from the agency’s spokesperson, only to be informed that BNPB’s Youtube channel has been hacked.

The incident was among 1.4 billion Internet traffic anomalies or cyberattacks in Indonesia this year, said Mr Anton Setiyawan, spokesman of the National Cyber and Crypto Agency (BSSN).

“Traffic anomalies are something we can technically classify as cyberattacks because they are something abnormal. Like scanning and sending malware, that is an attack," Mr Setiyawan explained to CNA on Thursday (Dec 16).

He noted that cyberattacks in Indonesia have significantly increased this year. The number of traffic anomalies stood at around 495 million in 2020.

Mr Setiyawan and other experts interviewed by CNA noted that there has been a spate of cyberattacks on government agencies and corporations recently. 

When asked about the root causes, they said that complacency, low digital literacy and lack of human capacity may be among the major factors involved.

Stringent measures must be taken immediately to prevent further cases, they also said.

<!--[if gte vml 1]> <!--[endif]-->Two hackers were arrested over an international scam that saw the theft of about US$60 million in COVID-19 aid, in Surabaya, Indonesia. (Photo: AFP/Str)


Apart from the BNPB incident last week, the public was also concerned when it was reported that the personal data of thousands of police officers were allegedly stolen by a hacker last month.

A now-suspended Twitter account, claiming to be run by a hacker believed to be from Brazil, announced that data on 28,000 officers was stolen.

When asked by CNA, national police spokesman Inspector General Dedi Prasetyo said that the case is currently being handled by its cybercrime unit. 

In late October, BSSN’s website was also hacked, said Mr Setiyawan.

“It was one of our subdomains and we immediately evaluated it. Yes, in several parts we were careless. We should have really taken care of everything.”

He added: “This had a tremendous effect on BSSN not in terms of data leakage and physical loss but in terms of reputation.”

No data was taken as the subdomain did not contain anything important, Mr Setiyawan said. However, the hacker defaced the appearance of the website. 

It appeared that the hacker was based in Brazil who wanted to retaliate against Indonesian hackers who previously launched similar attacks, according to the spokesman.

Meanwhile, data of about 1.3 million people in a health ministry’s COVID-19 app was leaked in August. 

The month before, data of thousands of customers of insurance provider BRI Life was leaked and sold online, said the company.  

The biggest data breach this year reportedly took place when information on 279 million people was stolen from the social health security administration (BPJS) in May.

<!--[if gte vml 1]> <!--[endif]-->A man visits a hacker community website at a house in Jakarta, Indonesia, Monday, Sept. 20, 2021. (AP Photo/Tatan Syuflana)


What are the root causes?

Cyberattacks in Indonesia will continue to persist because people underestimate them and do not understand their characteristics, said Mr Ardi Sutedja, head and founder of  Indonesia Cyber Security Forum (ICSF).

“The various technologies that we use today are not the work of Indonesians. We are all only users of technology. 

“Today's technology changes in seconds so we don't have the luxury of time to learn all the technology and its risks,” he said. As a solution, he suggested more human capacity building as well as better digital literacy education. 

Mr Pratama Persadha, chairman of cyber security NGO Communication and Information System Security Research Center (CISSReC) concurred. 

He said that people need to be constantly educated on the dangers of uploading their personal data including pictures online. He also espoused the need to set personal social media accounts to private mode, constantly change passwords and minimise the use of public wifi.

There is also the risk of personal data being leaked via electronic platform services.

“That’s why we need better regulations so those who are responsible for our data leaks can be punished,” he said. 

Mr Yihao Lim, a principal intelligence advisor with cybersecurity firm Mandiant Threat Intelligence said that since many businesses moved online amid the pandemic without much lead time, they might not have the best security measures in place to ensure that information is kept secure. 

He also said that many organisations have increased their reliance on cloud-hosted third-party providers for their primary business tasks. This has put more pressure on the third parties to ensure availability and security. 

Mr Lim urged companies to “invest in training and awareness among internal staff, keep them updated on latest happenings and phishing methods that attackers use to prevent any successful intrusion”.