More about PDNS incident 2024 (The Indonesia National Data Center)
Summary
TLDRIn this video script, Bud Froman discusses the 2024 Indonesia National Data Center incident, where a ransomware attack by the 'brain chipper' group encrypted the data center's hypervisor, disrupting various government services. Froman, not involved in the incident, deduces the situation based on various sources, highlighting the lack of a timely switch to a disaster recovery center and the absence of proper backups. The script also mentions the unusual apology and offer of decryption keys from the attackers without ransom. Lessons learned and the importance of understanding the incident to prevent future attacks are emphasized.
Takeaways
- 🗓️ The incident occurred on June 20th, 2024, at the Indonesian National Data Center, affecting multiple services including immigration and causing significant disruption.
- 📊 A range of organizations were impacted, from the National Archive to university application systems, highlighting the widespread reliance on electronic services.
- 🚨 The data center was hit by a ransomware attack from a group known as 'brain chipper', which was a variation of LockBit 3.0, indicating a targeted and sophisticated cyber threat.
- 🛡️ The National Data Center's architecture included two data centers and one backup system, but the backup was not effectively utilized during the incident.
- 💡 The hypervisor, possibly VMware-based, was the main target of the ransomware, encrypting it and preventing access to virtual machines, which was a critical vulnerability.
- 🔒 The ransomware encrypted the hypervisor using Babuk encryption, which is a form of public key cryptography, complicating the decryption process.
- 🤔 There were questions about the incident's response time and the lack of a swift switch to the disaster recovery center, suggesting potential issues with preparedness and response protocols.
- 🛑 The incident raised concerns about the lack of effective backups, with some institutions not having their own backup systems, leading to a significant recovery challenge.
- 🔑 In an unusual twist, the attackers offered to provide the decryption key for free, which was confirmed to work by some, but raised suspicions about potential hidden malware.
- 🔍 The investigation into the incident is ongoing, with forensic reports not yet available to the public, leaving many questions about the breach's specifics unanswered.
- 📝 The speaker emphasizes the importance of learning from this incident to prevent similar occurrences in the future, underlining the need for better security practices and backup strategies.
Q & A
What was the main issue faced by the Indonesia National Data Center on June 20th, 2024?
-The main issue was that the Indonesia National Data Center, specifically PDN S2, was hit by a ransomware attack from a group called 'brain chipper,' which led to a denial of access to various government services and applications.
What is the significance of the term 'hypervisor' in the context of the data center's architecture?
-A hypervisor is a piece of software that allows multiple operating systems (virtual machines) to run on a single physical server. It is significant because the ransomware attack encrypted the hypervisor, preventing access to the virtual machines hosted on it.
Why was the Windows Defender disabled prior to the ransomware attack?
-The script does not provide a definitive reason for the disabling of Windows Defender, but it suggests that an attacker may have infiltrated the hypervisor and disabled it to pave the way for the ransomware injection.
How did the ransomware attack affect the immigration services in Indonesia?
-The attack caused the immigration services to become inaccessible, as they rely on electronic systems that were impacted by the ransomware. This included the auto gates at airports which could no longer function properly.
What was the role of Telkom Sigma in the incident?
-Telkom Sigma was the hosting provider for the National Data Center. The script suggests that the incident was specific to the PDN S2 and does not reflect on Telkom Sigma's overall credibility.
What was the outcome of the ransomware attack on the virtual machines (VMs)?
-The VMs were encrypted, and some institutions did not have backup systems in place, which complicated the recovery process. The decryption key was later offered by the attackers, but the extent of the encryption and its impact on individual VMs was not fully detailed.
What was the unusual development regarding the ransomware group's behavior after the attack?
-Unusually, the ransomware group issued a public apology and offered to provide the decryption keys for free, without demanding payment, which is not a common practice for such groups.
Why was there a delay in switching to the disaster recovery center (DRC) after the ransomware attack?
-The script does not provide a clear reason for the delay, but it raises questions about whether the DRC was also compromised, had different technology that made synchronization difficult, or if there was simply no DRC in place.
What was the reported issue with the backup systems of the affected institutions?
-The script indicates that many of the affected institutions did not have proper backup systems in place, which is a critical oversight for any organization, especially one providing essential government services.
What is the significance of the term 'Babuk encryption' mentioned in the script?
-Babuk encryption refers to the specific type of encryption used by the ransomware group. It is significant because understanding the encryption method is crucial for decrypting the affected systems and recovering the data.
What were some of the speculations about how the ransomware attack was initiated?
-The script suggests speculations about the attack being initiated through software vulnerabilities, remote desktop protocol connections, or by exploiting access to the hypervisor, but the exact method remains unclear.
Outlines
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowMindmap
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowKeywords
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowHighlights
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowTranscripts
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowBrowse More Related Video
Cybersecurity incident in Indonesia: the PDN(S) incident
FULL Dialog - Mantan Hacker Bicara Soal Data Nasional "Down"
Teknologi Sebenarnya di Balik Peretasan Pusat Data Kominfo (Enkripsi Data)
Bangun PDN Rp 700 Miliar, Kini Dibobol Hacker
DARURAT HACKER!! DARI SERVER KOMINFO, IMIGRASI SAMPAI KEMENTERIAN & LEMBAGA DIRETAS - RUANG 28
Mengenal Brain Cipher, Hacker yang Klaim Bertanggung Jawab atas Serangan ke PDN
5.0 / 5 (0 votes)