
Cyber Incident Victim: Perusahaan Gas Negara

Date: Apr 2022

Location: Indonesia

Summary

The Hive ransomware gang targeted Indonesia's state-owned natural gas provider, Perusahaan Gas Negara (PGN), disrupting its website operations and demanding a ransom through double extortion tactics involving data theft and encryption. The attackers employed phishing emails delivering Cobalt Strike implants to deploy their custom Go-based ransomware, known for rapid encryption and resistance to reverse-engineering. This incident followed Hive's pattern of high-impact attacks on critical sectors, including prior breaches of healthcare providers and retail chains, where they stole sensitive data and crippled operational capabilities. The gang's infrastructure enabled lateral movement across networks to execute tailored ransomware payloads, exacerbating recovery challenges for victims.


Description

On or around April 3, 2022, the Hive ransomware gang attacked Perusahaan Gas Negara (PGN), Indonesia’s state-owned natural gas distribution company. The incident became public when cybersecurity monitoring account DarkFeed tweeted about the attack on April 3, noting PGN’s status as a government-operated energy company with $3 billion in revenue serving 84 million customers. PGN’s website became inaccessible following the attack and remained offline as of the initial reporting period, though the company had not issued any official public statements confirming the incident’s scope or operational impacts at the time of reporting. The Indonesian government maintains majority ownership of PGN, positioning the attack as one against critical national infrastructure. This incident followed closely after Hive’s March 2022 attack on Partnership HealthPlan of California, where they stole 85,000 patient records and disrupted healthcare authorization systems, demonstrating the group’s pattern of targeting high-impact organizations across sectors.


Hive employed its characteristic double-extortion tactics during the PGN attack, combining data encryption with threats to leak stolen information unless ransom demands were met. The group typically gains initial access through phishing emails delivering Cobalt Strike implants, which establish persistence and enable lateral movement before deploying the ransomware payload. Their custom malware, written in the Go programming language, enables rapid encryption and presents reverse-engineering challenges due to limited analysis tool support for Go-based binaries. Prior to the PGN incident, Hive had compromised 355 victims since emerging in June 2021, including November 2021’s $50 million Bitcoin ransom demand against MediaMarkt and August 2021’s attack on Ohio’s Memorial Health System that forced cancellation of urgent medical procedures. The group demonstrated particular focus on healthcare targets, with 16 confirmed healthcare sector attacks in 2022 alone, though their victimology spanned public and private entities across the United States, United Kingdom, Spain, and Turkey. No information regarding PGN’s containment measures, ransom payment status, or data recovery processes was disclosed in available reporting.
