Petr Reichl

This incident reveals just how shockingly inadequate a nation’s digital infrastructure security can be. It also demonstrates how a seemingly minor security event can, under the right circumstances, trigger the collapse of a country’s entire digital backbone for days on end.

Last year, while flying back to Bali from Thailand, I noticed something odd at the airport: every single information screen was displaying the Windows “blue screen of death”. None of the departure or arrival boards were working. Even though I was entering the country at the time, I didn’t experience any significant delays or other issues. I just chuckled to myself, as it seemed to fit right in with my usual “Bali reality” - something, somewhere, wasn’t working again.

Fast forward a year, and I find myself studying the biggest cyberattacks of recent years, which led me to the largest attack in Indonesia’s history. It all clicked into place when I read about a massive ransomware attack on the national data center that occurred around June 20, 2024. I checked my calendar to see where I was, and sure enough, I had flown back from Thailand to Bali just a few days later.

Indonesia’s Digital Transformation

To fully grasp the story, we need to go back in time. President Joko Widodo, arguably the most popular president in the country’s history, launched a national initiative to consolidate and unify the government’s fragmented data systems.

At the time, government systems were scattered across roughly 2,700 data centers. This initiative involved migrating hundreds of critical state systems into a single data center in Surabaya. In doing so, the Indonesian government created a massive single point of failure.

Incident Timeline

Date | Event
June 17, 2024 | The National Cyber and Encryption Agency detected attempts to disable Windows Defender at the Surabaya data center.
June 20, 2024 | The Brain Cipher ransomware was activated. Systems were encrypted, and critical government services across the country began to fail.
June 20–23, 2024 | The Immigration Service was the hardest-hit victim, paralyzing the country’s international airports and seaports. Authorities reverted to manual passport checks, leading to enormous queues of travelers.
June 24, 2024 | An official statement from the Indonesian government confirmed the Brain Cipher ransomware attack. The government disclosed the attackers’ demand for an $8 million ransom and stated its refusal to pay.

The attack on this single point of failure caused the collapse of more than 282 central and regional government services hosted at the Surabaya data center. As mentioned, the immigration service was the most severely impacted, crippling entry and exit from the country. Other affected services included online student registration, which delayed payments to students, and the disruption of government procurement financing due to the failure of the Ministry of Maritime Affairs and Investment’s licensing service.
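The timeline’s first entry, attempts to disable Windows Defender three days before the ransomware was activated, is exactly the kind of precursor a detection rule should surface. The Python below is an added illustration, not code from the original post or from the agencies involved: it parses constructed sample log records (hostnames, timestamps and messages are invented) keyed on real Microsoft Defender Antivirus operational-log event IDs, flags hosts where protection was being dismantled, and reports how many days of warning that would have given before the June 20 activation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Microsoft Defender Antivirus operational-log event IDs that mean protection
# was switched off or reconfigured (the kind of precursor seen on June 17).
TAMPER_EVENT_IDS = {5001: "real-time protection disabled", 5007: "configuration changed",
                    5010: "malware scanning disabled", 5012: "virus scanning disabled"}
# Constructed sample records ("timestamp host event_id message"); hosts, times
# and messages are invented for this example, not logs from the incident.
SAMPLE_LOG = """\
2024-06-17T02:14:05 sby-mgmt01 5001 Real-time protection is disabled
2024-06-17T02:14:09 sby-mgmt01 5010 Scanning for malware is disabled
2024-06-17T02:15:30 sby-mgmt01 5007 Configuration changed: Exclusions\\Paths C:\\tools
2024-06-17T08:00:00 sby-file02 1150 Antimalware platform is up and running
2024-06-18T11:42:10 sby-file02 5007 Configuration changed: Scan\\ScheduleDay
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

def parse_events(text):
    """Turn raw lines into (timestamp, host, event_id, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, eid, msg = m.groups()
            events.append((datetime.fromisoformat(ts), host, int(eid), msg))
    return events

def find_tamper(events, window_minutes=10, min_distinct=2):
    """Flag a host when at least min_distinct different tamper IDs occur within
    window_minutes; a lone 5007 is admin noise, 5001+5010+5007 in ninety seconds is not."""
    by_host = defaultdict(list)
    for ts, host, eid, _ in events:
        if eid in TAMPER_EVENT_IDS:
            by_host[host].append((ts, eid))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ids = {e for t, e in evs[i:] if (t - start).total_seconds() <= window_minutes * 60}
            if len(ids) >= min_distinct:
                alerts[host] = {"first_seen": start, "event_ids": sorted(ids)}
                break
    return alerts

def lead_time_days(alerts, encryption_time=datetime(2024, 6, 20)):
    # Default is the activation date the post gives; returns whole days of warning.
    return {h: (encryption_time - a["first_seen"]).days for h, a in alerts.items()}
```

On the sample data only the management host trips the rule, and the lead time works out to two full days, which is the window in which an isolated backup or a hypervisor lockdown would still have mattered.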

The Attack Vector

Few details are publicly known about how the attackers got in, and several theories exist, ranging from an unsecured RDP (Remote Desktop Protocol) service and exploitation of a critical PHP vulnerability (CVE-2024-4577) to simple human error, such as inserting a compromised USB drive. But for now, that’s not the most important part. The fact that an attacker breaches the first layer of defense doesn’t automatically mean the attack will escalate to such a devastating scale.

The primary reason the damage was so massive was a complete absence of strategy and governance. As noted earlier, the very act of centralizing all services into a single data center created a single point of failure.

The ransomware directly targeted VMware ESXi, the hypervisor platform running the virtual servers. By encrypting the ESXi environment, the attack instantly crippled all virtual servers at once, causing the entire data center to collapse.

From there, the attacker either exploited another vulnerability to execute malicious code or simply had the administrator credentials, possibly obtained through phishing. These signs lead me to believe this was all enabled by a chain of tragic human failures, with the attack likely being executed through the human element, such as a data center operator.

The biggest problem was the lack of a backup strategy. It was shocking to learn that 98% of the data in the center was not backed up. The remaining 2% did have backups, but they were stored on the same network as the primary data, making them easily accessible to the ransomware.

This absence of backups meant there was virtually no ability to resolve the situation. If the government hadn’t obtained the decryption key, it would have faced a grueling and incredibly expensive process of system and data reconstruction, leading to government paralysis, a political crisis, an international reputation problem, and more. The damage would have been colossal.

Obtaining the Keys

On June 24, 2024, the Indonesian government issued a statement refusing to pay the ransom, perhaps not yet fully aware of the extent of the damage.

What happened next is entirely unprecedented in the history of such attacks. On July 1, 2024, the hacker group posted a public statement on the darknet apologizing to the citizens of Indonesia and announcing they would release the decryption key for free. They emphasized that this decision was made voluntarily, without any pressure from the state.

The attackers completely changed the narrative, claiming their motive was not extortion but a “pentest with subsequent payment”, and they reprimanded the Indonesian government for its insufficient funding of cybersecurity.

If we entertain the idea that this claim is more or less true, we can speculate that the attackers were horrified by the scale of the damage they caused and simply backed off, fearing consequences that had escalated to a matter of national security. This version could support the theory of human error as the attack vector and suggest the attackers might have been from Indonesia.

Either way, by providing the decryption key, the attackers allowed the Indonesian government to escape a catastrophe at the eleventh hour.

Conclusion

Southeast Asia is currently one of the most active regions for cyber threats. It’s a mix of an underdeveloped legal environment that makes it a popular base for hacker groups, a rapidly growing technology sector, significant economic growth, and a clash of geopolitical powers.

As incredible as this story may sound, it aligns perfectly with what I’ve come to know about the region over the last three years of living here. This area, home to nearly 700 million people, is facing significant future expenditures on cybersecurity. Judging by the Indonesian government’s response to this incident, I dare say they are only at the very beginning of that journey.