PT. Kereta Api Indonesia (PT. KAI) has become a victim of data leakage, first publicly disclosed in 2024. According to tweets from the @TodayCyberNews account on the X platform (Twitter) on January 14, PT. KAI fell prey to hackers who claimed to have stolen several categories of sensitive data, including employee information, customer data, tax data, company records, geographical information, information distribution systems, and various other internal data.
Based on the investigation conducted by CISSReC, the hacking of PT. KAI was carried out by a ransomware group named Stormous about a week before the group itself published news of the intrusion. The Stormous ransomware gang gained access to PT. KAI's systems through VPN access, using the credentials of several employees. Once inside, they accessed dashboards of several PT. KAI systems and downloaded the data contained in those dashboards.
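The access pattern described above, a single source authenticating to the VPN as several different employee accounts in a short time, is something a defender can look for in VPN logs. The following is an added example, not code from CISSReC or PT. KAI; the log format and the sample lines are constructed for illustration.

```python
"""Flag a VPN source that logs in as several distinct accounts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not real PT. KAI data).
# Assumed format: timestamp|username|source_ip|result
SAMPLE_LOG = """\
2024-01-07T08:01:10|alice|203.0.113.5|success
2024-01-07T08:01:42|bob|203.0.113.5|success
2024-01-07T08:02:05|carol|203.0.113.5|failure
2024-01-07T08:02:30|carol|203.0.113.5|success
2024-01-07T08:03:00|dave|203.0.113.5|success
2024-01-07T09:15:00|erin|198.51.100.7|success
2024-01-07T09:20:00|erin|198.51.100.7|success
"""

def parse_vpn_log(text):
    """Parse pipe-separated lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.strip().split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events

def find_shared_source_logins(events, window=timedelta(minutes=10), min_users=3):
    """Return {source_ip: sorted list of users} for every source IP that
    successfully authenticated as at least `min_users` distinct accounts
    within `window`. A sliding window runs over each IP's successful logins;
    users from every triggering window are unioned into the finding."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "success":          # only completed logins count
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, logins in by_ip.items():
        logins.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(logins)):
            while logins[end]["ts"] - logins[start]["ts"] > window:
                start += 1                     # slide the window forward
            users = {e["user"] for e in logins[start:end + 1]}
            if len(users) >= min_users:
                findings[ip] = sorted(set(findings.get(ip, [])) | users)
    return findings

if __name__ == "__main__":
    for ip, users in find_shared_source_logins(parse_vpn_log(SAMPLE_LOG)).items():
        print(f"ALERT: {ip} authenticated as {len(users)} accounts: {users}")
```

A hit like this is a starting point for revoking the affected accounts and reviewing what those sessions touched, not proof of compromise by itself (shared NAT egress is a common benign cause).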
The Stormous ransomware gang also shared screenshots of a dashboard accessed using the credentials of a KAI employee they had obtained. This confirms that Stormous indeed gained access through employees' internal credentials, obtained either through phishing and social engineering or purchased from other hackers who harvested them with log-stealer malware.
PT. KAI seems to be aware of the attack and has taken some mitigating measures, such as disabling the VPN portal on the PT. KAI site through which the hackers entered and accessed the PT. KAI system. They also revoked some of the credentials obtained by the Stormous ransomware gang. However, according to Stormous, these efforts are in vain because they had been inside the PT. KAI system for almost a week and had already downloaded data from it.
Mitigating measures like these may not be effective on their own, since there is also a possibility that the ransomware gang has installed a backdoor in the PT. KAI system that they can use to regain access whenever they want. Such groups rarely give up a target easily. Therefore, if the backdoor cannot be found, one of the safest steps is to redeploy the system on new servers from the backups PT. KAI holds, after patching the portal and rotating the employee credentials known to have leaked.
According to the data we managed to gather, there are 82 leaked credentials of PT. KAI employees, along with almost 22.5 thousand customer credentials and 50 credentials belonging to employees of other companies partnering with PT. KAI. The credentials were found across about 3300 URLs that make up the external attack surface of the PT. KAI site.
When looking at cybersecurity systems, it's crucial not to focus solely on the infrastructure and cybersecurity devices. We must also consider other aspects, such as employee training on cybersecurity, as it is a critical point for the cybersecurity of an organization. Cyberattacks often start with the compromise of an employee's PC/laptop or the acquisition of employee credential data through phishing attacks.
Even if an institution's cybersecurity system uses the most advanced and sophisticated technology, if employee education and the security of work devices are lacking, the institution's overall security posture must be considered weak or inadequate, because vulnerabilities remain that can be exploited in a cyber attack.
Personnel need to be educated on how to identify and recognize potential cyber attacks, so they don't fall into the trap of engaging in activities that could allow hackers to take control of their computers or laptops. Once control is seized, hackers can penetrate deeper into the system, potentially stealing or even damaging data within the system.
Furthermore, considering current threat trends, it is evident that security is often treated as an add-on or supplement to an organization's existing systems, despite the high risks involved. Therefore, there needs to be a broad and structured movement to make cybersecurity a priority that is understood and mandated by the organization's senior leadership. The goal is to prioritize cybersecurity from the very beginning, long before applications are built, making security a focus from the outset; in other words, there should be a campaign around the "Security By Design" concept.
PT. KAI must take cybersecurity seriously, especially since it is currently rolling out a face recognition system in its ticketing system, including for boarding. Accordingly, PT. KAI must be more vigilant and strengthen its cybersecurity system.
On its dark web page, the ransomware group Stormous shared a sample of the data they stole from PT. KAI, amounting to 2.2 GB in compressed form and named kai.rar. The group has given PT. KAI a 15-day deadline to negotiate and pay the ransom they demand, 11.69 BTC, roughly equivalent to 7.9 billion rupiah. They threaten to publish all the data they have obtained if the ransom is not paid.