Masked Actors
True crime meets cybercrime. Discover the people behind the keyboard.
From Ransomware-as-a-Service (RaaS) gangs to global financial crime syndicates, the rise of sophisticated cyber threats is reshaping the world. These aren’t lone hackers — they’re organized groups running multi-million dollar operations in the shadows.
In the Masked Actors podcast, cyber threat expert and former soldier turned hacker Gary Ruddell joins forces with Nick Palmer, a seasoned financial crime fighter, to investigate the top 10 most dangerous cybercriminal groups of 2025 — drawn from Group-IB’s High-Tech Crime Trends Report.
Each episode explores the tactics, motivations, and impact of major cybercrime groups, uncovering their role in the latest cybercrime, RaaS, and financial crime trends. You’ll learn how these actors exploit vulnerabilities, fuel geopolitical tension, and affect businesses and consumers alike.
Tune in to Masked Actors — and stay one step ahead of cybercrime.
Brain Cipher: What happens when national infrastructure comes under strike?
Indonesia, June 2024 - 210 critical government agencies were crippled in one fell swoop. Immigration services were in disarray, customs officers were locked out of critical systems, and travellers were left stranded at airport and ferry terminals, facing delays that would continue for a full week.
The culprit? Brain Cipher, a ransomware group barely a week old, which demanded a huge sum of $8M from Indonesia’s National Data Centre, bringing local government services to their knees. The chaos that followed lingers as a potent reminder of the widespread disruption across an entire nation that can stem from a single attack.
Join Group-IB’s Gary Ruddell and Nick Palmer as they talk to Jennifer Soh, Cyber Investigation Lead for APAC at Group-IB, exploring what motivates cyber criminals to target national infrastructure, and what happens when the pillars that hold up our modern digital society - from government and defence to energy - are struck by cyber-attacks.
Episode links:
Group-IB's Top 10 Masked Actors
Deciphering the Brain Cipher Ransomware
Patch or Peril: A Veeam vulnerability incident
By understanding who these actors are and how they operate, you can better anticipate threats and protect yourself in an increasingly hostile digital world.
Subscribe to Group-IB's Masked Actors now — and stay one step ahead in the fight against cybercrime.
FOLLOW GROUP-IB
- Group-IB Threat Intelligence on X: https://www.x.com/GroupIB_TI
- Group-IB on X: https://www.x.com/GroupIB
- Group-IB on LinkedIn: https://www.linkedin.com/company/group-ib
- Group-IB on Facebook: https://www.facebook.com/groupibHQ/
- Group-IB on Instagram: https://www.instagram.com/groupibhq/...
Gary Ruddell: Indonesia, June 2024. 210 critical government agencies were crippled in one fell swoop. Immigration services in disarray, customs officers locked out of systems, and travelers trapped in airports and at ferry terminals, dealing with delays that continued for a full week. This widespread disruption across an entire nation stemmed from a single attack on Indonesia's national data center. And perhaps more shockingly, the group responsible had only been active for around a week before it crippled Indonesia's local government services and prompted calls for the Minister of Communications and Information to resign. Initially demanding $8 million for the data encryption key, the group signed off their ransom note with their new code name, BrainCipher. So, Nick, what do we know about BrainCipher?
Nick Palmer: Yeah, so BrainCipher is a ransomware-as-a-service group with a particularly aggressive growth strategy, and it really rose to fame by targeting critical infrastructure in Southeast Asia. So the group emerged in June of 2024, and it was only a week before their high-profile attack on the Indonesian temporary national data center. In this particular case, the government actually refused to pay the ransom. BrainCipher actually, and strangely, released the decryption key for free. BrainCipher, they target critical infrastructure, law enforcement, military, and they've been active primarily in the Asia Pacific region, Europe, North America, and South America as well. So they're a threat for all of the regions.
Gary Ruddell: Thank you, Nick. Here to help us understand more key details about BrainCipher's motivations and the implications, Nick and I are joined by Group-IB's head of the high-tech crime investigations team for the APAC region, Jennifer. So welcome, Jennifer. Can you give us a little bit of uh background on your experience?
Jennifer Soh: So I have been with Group-IB for almost five years, and I'm the head of the high-tech crime investigation team, covering just the Asia-Pacific region. In my role, I'm responsible for leading investigations uh into the cyber threat landscape and of course keeping track of activities across our masked actors. I also work closely with various law enforcement agencies worldwide, including our partners like Interpol, Europol, and of course with other organizations and partners in the fight against cybercrime. So this is really vital in ensuring successful cybercrime operations and the disruption of cybercriminal activities. And I also frequently partake in investigation discussions with law enforcement agencies worldwide to really bring forward investigation strategies to produce a positive outcome of criminal takedowns. So some of the um successful operations that we have together with our partner Interpol would be like Operation Secure, Operation Falcon. We also do work closely with um the law enforcement agencies to take down um cybercriminals. And one of the most notable ones would be the Operation Distant Hugh, um, where we contributed to the arrest of the developer of Android malware children, as well as we also contributed to the arrest of the threat actor called the Zordan, who is responsible for data breaches across many countries, led by the Royal Thai Police as well as the Singapore Police Force.
Gary Ruddell: Jennifer, it sounds like you're a very busy lady. Uh well, thanks for taking the time to join us. Uh Nick, BrainCipher, what do we know at the moment about their motivations?
Nick Palmer: Yeah, so thanks a lot for the introduction, Jennifer, and uh glad to have someone like you on our team to actually disrupt cyber criminals. So, talking about BrainCipher specifically, like most ransomware-as-a-service groups, their key drivers are financial gain. You know, they're financially motivated by nature, they want to scale their operations. Um, typically they work in unison with what other ransomware-as-a-service groups do. So they encrypt uh sensitive data, disrupt operations, and then demand uh money for uh decryption keys. Uh, typically they also work on double extortion. So victims are also blackmailed, uh, potentially sensitive data is stolen, and that sensitive data is then ransomed as well as giving them access to their business once again.
Jennifer Soh: So for large-scale attacks like the one on the Indonesian National Data Center, which actually hosts many other government agency services, it's uh sort of a reputation-building exercise for them. Um especially for many of the ransomware-as-a-service groups. They actually operate like a legitimate business. Um they hire people, they post ads, um, they hire for jobs like pen testers, malware reverse engineers, or even developers. And they also frequently advertise their services on the forums. And this attack, um, which really came so soon after the group was formed, functions to advertise their ability to prospective affiliates who want to work with the ransomware group. Um, this really shows that they are really serious about the threats they make.
Nick Palmer: Yeah, definitely important for ransomware-as-a-service groups like BrainCipher to take care of their brand, to really curate their brand, to make other affiliates want to work with them, and also to make businesses take them seriously when they demand ransom.
Gary Ruddell: Yeah, I think in this case as well, they released a statement, didn't they, apologizing for the attack and then released the data for free? I mean, what does that tell us?
Nick Palmer: Yeah, it was a super interesting entry into the ransomware-as-a-service market for this particular group. You know, we fully expected to see the data for BrainCipher on their leak site. And they actually posted, we made an independent decision to not um continue with our operation on this particular case. So a really interesting development, especially for their first case, and especially because the brand for ransomware-as-a-service groups is really important.
Jennifer Soh: Yeah, and this actually raises many pressing questions, you know, such as whether or not they can actually exfiltrate content from their victims, you know, as they actually claim to be able to, or are they really considering the repercussions, because you know all the media attention, including the various government agencies, are actually monitoring them. So when Group-IB actually first investigated them, uh, we actually monitored their data leak sites, and we found that the data was not published for most of the victims that we monitor. And though it's important to note that this attack itself has already caused many um functions of the government operations to be down, such as like the shutdown of services. There were people stuck at borders and in the airports as well. These all happened regardless. So the attack itself already had a huge impact on the citizens, on the government, even across the nation, even without the direct payment of that ransom money.
Gary Ruddell: And this attack obviously took place in Indonesia, but what are the dangers then for other regions?
Nick Palmer: Yeah, I think that's one of the most important things when looking at and researching what cyber criminals are doing is that cyber criminals aren't strict with geographical boundaries, right? Oftentimes they want to learn, they want to experiment, they want to test their tactics, their techniques, and their tools in one location. They want to perfect their operations so it's scalable. And once they've done that, they're going to start this activity more worldwide. So it's really important for businesses to understand what cybercriminals are doing in other regions and what might affect me soon.
Jennifer Soh: Yeah, and I totally agree with Nick. So no region is actually safe from any particular group, even if their interest initially remains with maybe one country, but they are eventually going to expand further to the rest of the world. And for us at Group-IB, we have actually concluded that BrainCipher and the other groups, such as SenseiQ, no name and estate ransomware, could be related to each other due to the similarities in their ransom notes, the contact details, as well as the Tor websites. And these groups have been known to operate in France, Malaysia, Hong Kong, the USA, Italy, and Lebanon.
Gary Ruddell: We've covered ransomware groups in the past, and they have, you know, by and large targeted private operations, you know, looking to extort large cash sums out of companies. What's the motivation to target a national infrastructure rather than a private business?
Jennifer Soh: So there are actually quite a number of reasons. And the first one, of course, you know, targeting a huge um infrastructure like the national data center. This actually helps to boost their reputation. It's sort of like a marketing tactic that they can use to boost uh their reputation, improve the relationship between them and other threat actors, but really it's about the domino effect of an attack like this. So any attack on any key piece of infrastructure gives attackers more bang for the buck. And they aren't just taking down one organization, they are actually affecting the whole nation. Whereby a lot of the services, um, whether it's government or private, they all rely on it. And especially the people who were stranded at airports after the BrainCipher attack on the data center probably didn't even consider that a single attack on something like that could actually impact the daily lives of a citizen.
Nick Palmer: Yeah, for sure. The I I uh I love the word uh or the phrase, Jennifer, bang for your buck, right? And at the end of the day, these cyber criminals are operating a business like we talked about before, right? So you imagine if you wake up in the morning, you try to catch the bus to go to work and you can't pay, or you try to take money out of the ATM and you can't get it. You know, what's going to be more impactful? That or your local bakery not being able to give you bread that morning. Um, so I think it's all about how do we cause maximum disruption as a ransomware-as-a-service group to get maximum financial benefit at the end of the day.
Gary Ruddell: So in this attack, there were 200-plus critical government agencies that went offline. Is it common for a single attack to have such a wide impact?
Jennifer Soh: It really depends on the victim, you know, who the threat actor has targeted. Um, but this definitely is not a rare case, you know, especially for a national data center, whereby there are a lot of government services that are hosted there. So once it's down, definitely you would expect a range of services um supplied to the citizens of Indonesia to be down. Um yeah, and because of this, the national data center can't even operate and deliver their services.
Nick Palmer: Yeah, I think when I look at what can be the impact to me as a private citizen and what we talked about before, you know, ransomware-as-a-service groups, they want to maximize their profit, and that's done by maximizing impact. Um, I think one of the scariest things of this day and age is actually attacks on critical infrastructure. So not being able to take out your money from the financial infrastructure, you know, not being able to use public transportation, um, you know, lights, um, fuel, electricity, not being able to be delivered to your home, you know, these are some of the things that I think are critically important for people and also becoming critically important for ransomware-as-a-service operators. You know, if you look at some of the recent past events for ransomware-as-a-service groups, like the Colonial Pipeline in 2021, this had a huge impact on um the American pipeline system carrying uh gasoline um across the United States. And it even had an impact on the price of gasoline and also uh fuel shortages reported in multiple different states during that uh attack. Um, even up to 87% of stations had run out of fuel during that. So when I look at if I was a ransomware-as-a-service operator, what could be the most critical organization or operation to target to maximize my benefit? Critical infrastructure, financial systems, electricity, hospitals, you know, these are some of the things that are critically important for uh a government and a citizenry to ensure it's protected.
Jennifer Soh: Yeah, so what Nick has mentioned is really just a good example of the real-world implications of an attack like this. So though the attack only focuses on one particular company, the effects are something like a domino. You know, it was felt by ordinary people throughout America and even made its way to the president's desk.
Gary Ruddell: What kind of impact would we be looking at for an attack on, say, a defense contractor?
Nick Palmer: So uh I think when you look at the recent past again, you know, attacks on different military or defense organizations have been increasing. You know, it's become a more important tool within a nation-state repertoire to actually conduct attacks against defensive organizations, whether that be to conduct espionage and collect information about what the adversary is doing from a defensive perspective, or actually disrupting defensive operations, whether that be you know radar uh tool sets, uh, whether that be uh different drone services that rely on software and services that can be disrupted. So I think it's you know essential for a nation that's wanting to protect themselves to understand that there's an adversary on the other side that's wanting to see what they're doing and also disrupt it.
Gary Ruddell: Jennifer, how do you see that playing out for an energy provider, for example?
Jennifer Soh: So for an energy provider, definitely we would actually see more immediate widespread disruption from the attack itself. Um, you can imagine the chaos that would ensue if the energy supply chain began to fall apart. You know, um, there will be no electricity in houses, in buildings, mass power outages, you know, even crippling essential services. Um the risk to public safety is significant, especially if it's like a hospital. You know, the uh tools or the surgery that may be ongoing for that period of time when there's no electricity, all the surgeries would fail and it would actually impact someone's life and death. And of course, there will also be the economic losses that stem from businesses who are unable to operate, um, especially in the event of like manufacturing, whereby they do need to operate 24-7. And the financial strain could be levied at impacted suppliers. So there will definitely be um delivery gaps that would likely cause further disruptions that could actually last for weeks or maybe even months, even after the services have just restarted.
Nick Palmer: Yeah, and these really aren't thought exercises anymore. I think we've seen this proven by different ransomware-as-a-service groups like BrainCipher, um, having already targeted national critical infrastructure like energy.
Gary Ruddell: Yeah, so we're talking about you know genuinely dangerous levels of disruption here. It's not just you know financial impact, right? 100%.
Jennifer Soh: Yes. We are actually just potentially just one hack away from crippled national infrastructure. And if the malicious threat actor does really choose their target with a mind to cause lasting chaos, they could easily have an impact beyond their initial scope.
Gary Ruddell: We've talked a bit in previous episodes about the way that organizations are interlinked these days and you know what that means if a customer or a partner isn't as secure as your own infrastructure. Jennifer, do you have anything to add about how that plays into attacks like the BrainCipher one?
Jennifer Soh: So if something happens to a central organization and everyone is served by that organization, whether it's individuals or other businesses, they will all be impacted. That's why it's important to ensure that, you know, members of your supply chain match your level of preparedness. So you can actually conduct like um uh incident recovery drills or, you know, disaster recovery drills, just to make sure that, you know, you are prepared for all these kinds of attacks. And it really only takes one weak link, and the weak link can come from anywhere and still impact you. And business resilience should also include considerations on how to respond in the event that you know a central organization goes dark. So you have to define your dependencies, uh, know your assets, um, and learn what a successful cyber attack on one of those could mean for you. And this will actually help you to be prepared in the event it happens. And of course, to start off, you can also ask yourself questions, you know, where does your data come from? How is it being protected, what systems do you use? You know, how frequently are they being updated, you know, to prevent any vulnerabilities from being exploited. Um, are your recovery plans hosted solely online? Do you have any backup paper copies? And of course, you know, the most important thing, what is the chain of command in the event of a cyber incident? You know, are they prepared? Uh you have the list of who to call, which uh owners to call, let's say if one of their servers is down.
Gary Ruddell: Great advice, Jennifer, and great questions to ask. Speaking about you know, recommendations and things, you know, how can institutions and critical partners prepare for the likelihood of being targeted in such an attack?
Nick Palmer: Yeah, I I think it's not a likelihood anymore. It's the reality, right? These ransomware-as-a-service groups will target you at some point in time, and being prepared and understanding who your adversary is first and foremost and what you're going to do about it when you are targeted is essential. So, um, you know, I think about practical things. For example, understanding all of the different ransomware-as-a-service groups, understanding their tactics and techniques that they've employed to target different organizations. There's a lot of overlap. You know, they're not doing really special things in order to target these organizations. So, really understanding how are they gaining initial access, how are they moving laterally in your network, uh, and making sure that you have the necessary controls in place to detect these things. Um, these are essential and not necessarily difficult things to do. Um understanding, of course, what your net what your perimeter looks like to the adversary. So using something like attack surface management and asking, can I detect these different tactics and techniques on my external perimeter that ransomware-as-a-service groups would use? And then I start to look at what are you going to do when you're actually hit? So, what do my incident response plans look like? Jennifer mentioned, you know, do we have backups in place? I like to also also think about other things, not just IT and cybersecurity. So, what are the lawyers going to do? What are the PR and marketing departments going to do? How are we going to communicate to our customers? You know, these are all critical things that you should really think about, not if but when these types of organ uh criminals actually target you.
Jennifer Soh: Yeah, and we have seen a lot of security advisories out there. And there are also like frameworks such as NIS that guide you on how to better secure your data, your systems. So all this user advice also applies, especially enforcing multi-factor authentication to reduce the risk of unauthorized access to systems. Because typically for ransomware, the initial vector is always compromised accounts or big accounts. And of course, to really strengthen your threat intelligence posture, to really know the different indicators of compromise from different various um threat actor groups so that you can do constant monitoring for them to check whether your organization is being targeted by them. And of course, organizations must always periodically review and update their incident response plan, especially the crisis playbook, so that in the event of an incident, they know what to do, they are prepared, and they can resume operations as fast as possible. Of course, as part of proactive, you know, continuous monitoring, organizations should also do threat hunts, you know, to find whether there are any threat actors that have been hidden inside your organization lying dormant. And this is really essential because typically these kinds of groups have already been collecting your data for quite a while. So it's important to do these threat hunts to really find them out quickly and then eradicate them. And of course, to really subscribe to a trusted threat intelligence feed whereby they can provide you information about threat actors, about uh indicators of compromise, to really keep you up to date with the latest cyber attack trends as well.
Gary Ruddell: And in the event that critical infrastructure did go down, what sort of things do organizations need to know to get back up and running again?
Jennifer Soh: So when any organization suffers from a cyber attack, it's really down to the incident response team because they would be the first ones in line to react to an incident, to ask for information, know how that happened, and to analyze the impact. So this is where the team actually steps in and begins the process of establishing the impact severity, collecting and preserving the evidence, which is very important. And of course, to really understand how the attackers moved through the network and if they have already moved to other parts of the network infrastructure. So the more information an organization can gather about an attack, the higher the likelihood they will be protected from undergoing another in the future.
Nick Palmer: Yeah, I think those are really great points, Jennifer, about you know having a competent incident response team. You know, I'd like to probably reiterate a few things about um items that you didn't mention. You know, thinking outside of cybersecurity, how are we going to communicate with our customers? How are we gonna communicate with our third parties? Um, you know, I think it's essential to think about your brand during this particular moment. It can be highly impacted. Um, and responding not only from implementing backups, hopefully that you have, implementing your incident response team, getting your systems back up and running, but you know, really understanding how I'm going to protect my brand as well while I get my business back up and running can be extremely important as well.
Gary Ruddell: That's really great insights. Thank you both for the time today. And thank you, Jennifer, uh, for jumping on the podcast. It's great to meet you finally. And I hope everything goes well in APAC.
Nick Palmer: Yeah, thanks a lot, Jennifer. Congratulations on the promotion again.
Jennifer Soh: Thank you. Thank you, everyone.
Gary Ruddell: Your data is valuable and it's under attack. Cyber espionage groups, financially motivated threat actors, ransomware attackers, and other criminal enterprises are on the rise. Working in secrecy to dismantle security perimeters, they spread like a virus through the web, stoking geopolitical tensions, holding businesses to ransom, and flooding criminal marketplaces with sensitive information. These groups thrive in secrecy now more than ever. Knowing who your adversaries are is critical. So join us as we ask who's behind the world's most prolific cyber criminal groups. What are their tactics, their motivations, and their impact? Who are the world's masked actors? Masked Actors is an independent podcast from Group-IB, a leading voice in the fight against cybercrime. The threat landscape evolves quickly, but all information was correct at the time of recording and based on Group-IB's High-Tech Crime Trends Report 2025. Join in the conversation online using the hashtag masked actors. And don't forget to subscribe so you don't miss an episode. Thanks for listening. See you next time as we uncover more of the world's top masked actors.