Cyber Incident Victim: PT Telkom Indonesia (Persero) Tbk
Date: Jun 2024
Location: Indonesia
Summary
A ransomware attack compromised Indonesia's national data center, disrupting services for over 200 government agencies at national and regional levels. The Lockbit 3.0 ransomware group demanded an $8 million ransom, which authorities refused to pay. Critical functions like immigration services have been partially restored, while others such as investment licensing remain affected. PT Telkom Indonesia is collaborating with domestic and international partners to break the encryption holding data hostage, as the National Cyber and Crypto Agency conducts forensic investigations into the breach. Recovery efforts are ongoing, with officials emphasizing continued restoration work without capitulating to extortion demands.
Description
On June 20, 2024, Indonesia's national data center suffered a ransomware attack that compromised government systems and disrupted services across more than 200 national and regional agencies. The attackers encrypted critical data, rendering it inaccessible, and demanded an $8 million ransom for the decryption key. The Communications and Informatics Ministry confirmed the incident through its director general of informatics applications, Samuel Abrijani Pangerapan, who stated that immigration services at airports were among the first affected systems but had since been restored. Other essential services, including investment licensing platforms, remained non-functional during the initial recovery phase. PT Telkom Indonesia's director of network & IT solutions, Herlan Wijanarko, disclosed that the attackers explicitly held data hostage and conditioned access on ransom payment. Communication and Informatics Minister Budi Arie Setiadi publicly refused the $8 million demand, asserting recovery efforts were underway without capitulation. The National Cyber and Crypto Agency (NCCA) initiated forensic analysis to determine the attack's scope and origin while coordinating restoration activities. Service disruptions caused operational paralysis across multiple bureaucratic functions, affecting citizen-facing and internal government processes.

The NCCA's head, Hinsa Siburian, identified Lockbit 3.0 ransomware samples in compromised systems, confirming the malware variant responsible for the encryption. PT Telkom Indonesia collaborated with domestic cybersecurity teams and international partners to analyze the encryption mechanisms and develop countermeasures. Recovery operations prioritized critical infrastructure, with immigration systems returning to functionality first due to their high public impact, while other agencies faced prolonged downtime. Investment licensing systems remained impaired, delaying administrative procedures for businesses and economic activities. No evidence of data exfiltration was disclosed, with authorities focusing exclusively on the ransomware's encryption impact. The incident highlighted systemic vulnerabilities in Indonesia's centralized data management infrastructure, though no specific technical weaknesses were detailed publicly. Government statements emphasized resilience through organic recovery capabilities rather than ransom negotiation. Forensic investigations continued to trace attack vectors and identify potential lapses in security protocols. The disruption underscored dependencies on the national data center, with multi-agency service outages persisting beyond initial containment efforts.
