Indonesian Intelligence Agency Reportedly Breached
At Least 10 Indonesian Government Ministries and Agencies Affected
Insikt Group, the threat research division of threat intelligence firm Recorded Future, says it has discovered Chinese hackers have breached the internal records of at least 10 Indonesian government ministries and agencies, including computers from Indonesia’s primary intelligence service, the Badan Intelijen Negara.
According to The Record by Recorded Future, the researchers at Insikt Group first discovered this campaign in April, and say it has been linked to Mustang Panda, a Chinese threat actor known for its cyberespionage campaigns targeting the Southeast Asian region.
Researchers detected PlugX malware command-and-control servers, operated by the Mustang Panda group, communicating with hosts inside the networks of the Indonesian government.
Mustang Panda, also known as TA416, had earlier targeted diplomatic missions and organizations around the world that have dealings with China's government. Security firm Proofpoint in November reported that the advanced persistent threat group had begun ramping up its activities with a new phishing campaign leveraging updated malware targeting diplomatic missions around the world to collect data and monitor communications (see: Chinese Hacking Group Rebounds With Fresh Malware).
It is unclear what data or departments have been affected by this breach.
Systems Still Infected
The Record says it was informed by a source last month that authorities had taken steps to identify and clean the infected systems. But it reports that despite cleanup efforts, some of the systems are still infected and hosts inside the Indonesian government networks were still communicating with the Mustang Panda malware servers.
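The observation above, that hosts kept contacting the malware servers after cleanup, is what a post-remediation check should look for. The following added example (not code from the article or from any of the firms it cites) walks constructed flow-log lines and reports internal hosts that contacted a watchlisted address after the cleanup date; the C2 addresses, hosts and timestamps are placeholders, not the real indicators.

```python
from datetime import datetime, timezone

# Constructed watchlist of command-and-control addresses (TEST-NET
# placeholders, not the real Mustang Panda infrastructure).
C2_WATCHLIST = {"203.0.113.10", "198.51.100.7"}

# Constructed flow-log sample: "<timestamp> <src> <dst> <dst_port> <bytes>".
SAMPLE_FLOWS = """\
2021-08-20T09:12:01Z 10.20.1.15 203.0.113.10 443 1520
2021-08-20T09:15:44Z 10.20.1.22 93.184.216.34 443 8800
2021-09-02T11:03:09Z 10.20.1.15 203.0.113.10 443 1490
2021-09-03T08:30:00Z 10.20.3.9 198.51.100.7 8080 2100
2021-09-03T08:45:12Z 10.20.1.22 93.184.216.34 443 9100
2021-09-04T11:03:27Z 10.20.1.15 203.0.113.10 443 1502
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2021-09-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text):
    """Parse flow-log lines into dicts; lines that do not have five fields are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        flows.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def hosts_still_beaconing(flows, watchlist, cleanup_done_iso):
    """Return {internal_host: contact_count} for hosts that reached a watchlisted
    address after the cleanup timestamp. An empty dict means the cleanup held;
    every entry is a host that still needs to be re-imaged or re-examined."""
    cutoff = parse_ts(cleanup_done_iso)
    survivors = {}
    for f in flows:
        if f["dst"] in watchlist and f["ts"] > cutoff:
            survivors[f["src"]] = survivors.get(f["src"], 0) + 1
    return survivors


if __name__ == "__main__":
    report = hosts_still_beaconing(parse_flows(SAMPLE_FLOWS), C2_WATCHLIST, "2021-09-01T00:00:00Z")
    for host, n in sorted(report.items()):
        print(f"{host}: {n} C2 contact(s) after cleanup")
```

In practice the watchlist would come from the vendor's published indicators and the flow data from the perimeter NetFlow or proxy logs; the check is only as good as the completeness of both.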
Researchers at Insikt Group notified Indonesian authorities about the intrusions in June and again in July, The Record says, but the officials did not respond to the reports.
A spokesperson for the Badan Intelijen Negara was not immediately available to comment.
Jake Williams, formerly of the National Security Agency's elite hacking team and currently CTO at BreachQuest, says it's completely unsurprising that the Indonesian government - and specifically intelligence - would be targeted.
"There's little doubt that China sees the Indian Navy as a potential threat to its strategic dominance in the region. Indonesia serves as an important chokepoint between the Indian and Pacific oceans. There are almost certainly myriad intelligence requirements fulfilled by this targeting as well, given Indonesia's geographic position and economic influence in the region," Williams tells Information Security Media Group.
How the Malware Operates
TA416 uses two RAR archives to hide the malware; if the malicious files are opened, a PlugX Trojan is installed, according to the Proofpoint report.
Researchers at Trend Micro had reported that PlugX can help attackers maintain persistence within devices or networks, locate and steal files and act as a keylogger. In some cases, legitimate files are used to help hide and then decrypt the malware as an obfuscation technique, Trend Micro said.
The Proofpoint researchers also found that the command-and-control servers for the most recently discovered campaign share IP addresses with previous campaigns associated with TA416.
"The introduction of a Golang PlugX loader alongside continued encryption efforts for PlugX payloads suggest that the group may be conscious of increased detection for their tools, and it demonstrates adaptation in response to publications regarding their campaigns," according to the Proofpoint report. It concludes: "These tool adjustments, combined with recurrent command and control infrastructure revisions, suggests that TA416 will persist in their targeting of diplomatic and religious organizations."