Jakarta. State-owned railway company Kereta Api Indonesia (KAI) has fallen victim to a data breach from a hacking group known as Stormous. The hackers said they successfully accessed sensitive data, including employee information, information distribution systems, customer details, tax data, geographical information, company records, and other internal data.
According to the Cybersecurity and Infrastructure Security Agency Research Center (CISSReC), the breach was executed by Stormous approximately one week before the information was leaked by @TodayCyberNews on its X account on Sunday.
Stormous gained access to KAI’s system by exploiting a virtual private network (VPN) using credentials stolen from several employees. Upon penetrating KAI’s network, the hackers proceeded to enter dashboards within its systems, ultimately extracting the data.
The group also shared screenshots of the accessed dashboards, indicating successful entry through internal employee access, potentially obtained through social engineering, phishing, or the purchase of credentials from other hackers using log stealer malware.
Despite KAI’s efforts to mitigate the breach by disabling the VPN portal and revoking some credentials, Stormous claims these measures are ineffective. The group says it maintained access for nearly a week and warns of potential backdoors installed in KAI’s system that would allow it to re-enter at any time.
Discovered data includes 82 employee credentials, almost 22,500 customer credentials, and 50 credentials from employees of KAI partner companies. This data was obtained from around 3,300 URLs that served as the external attack surface of KAI’s website.
CISSReC Security Research Institute Chairman Pratama Persadha emphasizes that cybersecurity relies not only on infrastructure and security devices but also on employee training regarding cybersecurity aspects.
“Awareness of cybersecurity risks, such as attacks on employee PCs/laptops or credential acquisition through phishing attacks, is crucial,” he said on Tuesday.
“While cybersecurity systems may be sophisticated, education for employees and cybersecurity from work devices is critical to ensuring the organization’s overall security,” he added.
On the dark web, Stormous published a sample of stolen data from KAI totaling 2.2 GB under the file name kai.rar. They set a 15-day deadline for KAI to pay a ransom of 11.69 BTC, approximately Rp 7.9 billion, with a threat to publish all data if the ransom is not paid.
KAI asserts that there is currently no evidence of data leakage from its system, contrary to the claims made by Stormous.
Nevertheless, KAI’s spokesperson, Joni Martinus, said that the company is conducting a thorough investigation into the cyberattack. Joni also assured the public that all KAI data is secure and that all operational information technology (IT) systems, online ticket purchases, and face recognition boarding gate services continue to operate smoothly.
“There is no need for the public to worry about face recognition boarding gate data security. We have robust information security management and have implemented international standards,” said Joni Martinus in his official statement on Tuesday.
PT KAI will also collaborate with law enforcement to investigate the case. Joni said that KAI will not pay the ransom demanded by Stormous.
Indonesia experienced various data breaches in 2023, including the leakage of 19.56 million users’ data from social security agency BPJS Ketenagakerjaan on the dark web, the financial sector breach at Bank Syariah Indonesia in May, and the hacking incident by Bjorka, who claimed to have compromised 35 million My IndiHome user data in June.