BSSN confirms its website was hacked and defaced

Another round of the non-existence of Indonesian digital security: the National Cyber and Crypto Agency (BSSN) on 25 October had its National Malware Centre website hacked and defaced. This raises questions and scrutiny about the organisation itself, considering that the BSSN is the bureau that is responsible for national digital security.

Website defacement is a form of attack on a website where the attacker changes the looks of the website.

In the circulating screenshot of the website, there was a text “Hacked by theMx0nday” written on top of the organisation logo. Below the logo, the hacker specified that the defacement is done as an act of revenge to Indonesian hackers who they claimed to have hacked Brazilian websites.

Throughout the year, Indonesians have seen too many government websites getting hacked, but this specific case is the most ironic of them all. The BSSN is Indonesia’s primary cyber intelligence, cyber threat intelligence, cyber defence and cyber security agency. The fact that a website under its jurisdiction is still easily hacked speaks volumes about the level of Indonesia’s national cyber security.

TFR compiled some of cyber-attacks against government websites with quite high profile over the past year:

1. The Prosecutor’s Office was hacked in May 2021 and the stolen data was uploaded to and sold on RaidForums.

2. In the same month, BPJS had its database hacked and the data sold on RaidForums.

3. Pertamina was hacked in March 2021, in which the hackers managed to leak the company’s internal data on the dark web.

4. After the arrest of the Nganjuk regent, the Nganjuk administration’s official website was hacked and defaced in May 2021. The landing page showed only a YouTube video of the deputy of the Corruption Eradication Commission explaining the arrest of the regent.

5. In June, the Department of Population and Civil Registration servers in Malang, Subang, Bogor city and Bekasi were hacked, forcing Bogor to go offline for a while.

6. The West Kalimantan Public Health Office’s website was hacked and defaced to show Japanese writings in June. This became a problem because the people of West Kalimantan relied on the website for information regarding COVID-19 handling in the province.

7. The website of the Indonesian Cabinet Secretary was hacked in July. Unlike in 2015 when it was hacked by “Chinese hackers”, this year it was hacked and defaced by Padang Blackhat.

8. The Makassar administration’s website was hacked in July 2021. The website was also defaced where in the landing page there was a question about the government’s decisions to dismiss people who trade for a living during the pandemic. 

9. In August 2021, the eHAC system was hacked and about 1.3 million data were compromised.