Chinese hackers allegedly breach system of Indonesian ministries


Insikt Group, the threat research division of cybersecurity company Recorded Future, reported in April 2021 that at least 10 Indonesian ministries and institutions were hacked by Mustang Panda, a group of Chinese hackers. It also found PlugX, Mustang Panda’s malware, within the Indonesian government network. The intrusion is suspected to have been under way since March 2021.

Insikt claimed that the State Intelligence Agency (BIN) is one of the infected Indonesian government institutions. Cybersecurity news publication The Record requested confirmation from the Indonesian government in July and August, but received no response. The Indonesian government reportedly cleaned up its network in August. However, a few days later, Insikt Group stated that the government’s side of the network was still communicating with Mustang Panda’s malware server.

Cybersecurity experts assessed that Mustang Panda is using Thanos ransomware. Chairman of the Research Institute for Cyber Communication & Information System Security Research Center (CISSReC) Pratama Persadha on 12 September claimed that his team has profiled Mustang Panda as a hacking group, most of whose members are Chinese nationals. The group is also responsible for creating Thanos ransomware.

Thanos is capable of accessing data and login credentials on the PC it is planted on and sending the data to command and control (CNC), as well as giving the hackers access to control the target’s operating system (OS). Thanos has 43 different configurations to avoid firewalls and antivirus.

However, Pratama stated that information about the affected ministries and institutions has not been confirmed aside from the claims made by Insikt. He said the public needs to wait for more evidence before trusting such statements.

Ministry of Communication and Informatics spokesperson Dedy Permadi on 12 September said the ministry is looking into the alleged breach. Later that night, Minister of Communication and Informatics Johnny G. Plate addressed the issue. He said everything that “has anything to do with cyber should be directed to the cyber bureau”, referring to the National Cyber and Crypto Agency (BSSN).

Recorded Future is a private cybersecurity company founded in 2009 and based in Somerville, Massachusetts. The company focuses on collecting, processing, analysing and disseminating threat intelligence. In 2020, the company launched a news outlet that specialises in cybersecurity called The Record. Insikt Group is a team of veteran threat researchers who support intelligence analysts, engineers and data scientists in the company.

The Record also linked this cyber espionage with China’s foreign policy, the Belt and Road Initiative. This policy is widely suspected to be China’s Trojan Horse strategy targeting the countries the republic works with.