Suara.com – Cyber security expert and Chairman of the Communication & Information System Security Research Center (CISSReC) Pratama Persadha revealed how hackers broke into the PT Kereta Api Indonesia (PT KAI) system which led to an alleged data leak.
The alleged KAI data leak reportedly exposed a range of information stolen by the hackers, including employee information, customer data, tax data, company records, geographic information, information distribution systems and various other internal data.
Based on the CISSReC investigation, Pratama revealed that the hacker who broke into PT KAI was a ransomware gang called Stormous. The group had gained access to the KAI system about a week before the breach was made public.
He continued that the Stormous ransomware gang gained access to the PT KAI system through its VPN, using credentials belonging to several employees.
“After successfully logging in, they managed to access the dashboard of several PT KAI systems and download the data in the dashboard,” said Pratama in a press release, Tuesday (16/1/2024).
In addition, Stormous shared a screenshot of a dashboard that had been accessed using the credentials of one of the KAI employees they had obtained.
“So this confirms that Stormous entered through internal employee access which they managed to obtain, either through phishing and social engineering methods, or they bought these credentials from other hackers who used log-stealer malware,” he continued.
Pratama suspects that PT KAI is already aware of the cyberattack and has carried out several mitigations, such as removing and deactivating the VPN portal on its site.
The VPN portal was identified as the hackers' entry point into the PT KAI system, and the company also deleted several credentials that had been obtained by the Stormous ransomware gang.
However, these efforts are considered futile. He continued that the Stormous gang had been inside the PT KAI system for almost a week, not just an hour.
“It has not just been an hour since they entered the PT KAI system; they managed to get in and download the data in the system for almost a week,” he explained.
Pratama considers the mitigation carried out by PT KAI ineffective because the hackers may have installed a backdoor in the company’s system, which could then be used to regain access to the PT KAI system whenever they want.
“Because of course they won’t just let go of their hacking targets,” continued Pratama.
If PT KAI cannot find the backdoor, Pratama suggests that one of the safest steps is to redeploy the system on a new server from the company’s data backups.
“According to the data we managed to dig up, there were 82 PT KAI employee credentials that were leaked, as well as almost 22.5 thousand customer credentials and 50 credentials from employees of other companies that partnered with PT KAI. The credential data was obtained from around 3,300 URLs that formed the external attack surface of the PT KAI site,” explained Pratama.
The Stormous ransomware gang is known to have shared a sample of the data it took from PT KAI: a 2.2 GB compressed file named KAI.rar.
“The Stormous hacker gang gave PT KAI a deadline of 15 days to negotiate and pay the ransom they requested, namely 11.69 BTC, or almost the equivalent of IDR 7.9 billion, and threatened to publish all the data they obtained if the ransom was not paid,” concluded Pratama.