Indonesian BNN's Cloud System Breached by KryptonSec_My, Data Leak Dates Back 3 Years

On February 6, 2025, threat actor KryptonSec_My publicly claimed responsibility for breaching the cloud system of Indonesia’s National Narcotics Agency (BNN). The hacker alleges limited data was available on the compromised server, with much of the information dating back approximately three years, as evidenced by sample images shared in the initial disclosure.

The breach reportedly targets the official BNN website, "bnn.go.id", although KryptonSec_My provided no direct information about the specific domain or server exploited. However, an investigation by the Cyber Defense Insight team led to the discovery of a potentially vulnerable domain: "cloud.bnn.go.id", which they suspect served as the origin of the data breach.

According to the threat actor, several folders containing sensitive documents were retrieved during the attack. The publicly shared samples include materials from the following categories:

• Personal Records: Names of individuals associated with the organization.
• Operational Folders: Including Design, Berantas, and LHP (Laporan Hasil Pemeriksaan).
• Confidential Reports: Such as LI (Laporan Informasi), SKP 2021 (Strategic Planning Documents), and SOP Berantas from BNNK Tasikmalaya.
• Internal Communications: Notes and recorded discussions under the folder Talks.

Image 1.1 Sample of unathorized access by Threat actor

Initial assessments of the leaked content confirm that most of the documents date back at least three years, suggesting that the data may be outdated or related to legacy systems. Nonetheless, this breach raises significant concerns over the security of government-managed cloud platforms and sensitive law enforcement data.

While the leaked data is reportedly older, its exposure still poses considerable security risks, including:

1. Operational Disruption: Access to internal communications and standard operating procedures (SOPs) could provide malicious actors insights into law enforcement tactics.
2. Identity Risks: Names and potentially sensitive personal details may put BNN personnel and external collaborators at risk of targeted attacks.
3. Reputational Damage: The breach could undermine public trust in BNN’s ability to secure critical assets.

Given the lack of details from the attacker about the exploited domain, Cyber Defense Insight’s focus on "cloud.bnn.go.id" appears plausible. Misconfigured or outdated cloud services have been a frequent entry point for cyberattacks, making cloud security a priority for government agencies managing sensitive data.

To prevent further exposure and mitigate risks, BNN should prioritize the following actions:

• Immediate Forensic Analysis: Investigate how the threat actor gained initial access to the cloud system.
• Patch Vulnerabilities: Address any misconfigurations or outdated software identified during the investigation.
• Strengthen Cloud Security: Implement robust cloud security measures, including regular penetration testing and multi-factor authentication.
• Employee Training: Educate staff on identifying phishing attempts and social engineering tactics commonly used by threat actors.

KryptonSec_My’s claim underscores the importance of proactive cybersecurity measures for government agencies. Although the compromised data may be dated, the incident highlights potential vulnerabilities in cloud systems and the necessity for regular security audits to ensure that outdated or legacy data is securely archived or deleted.

As cyber threats continue to evolve, organizations like BNN must maintain a proactive defense posture, leveraging threat intelligence insights to stay ahead of attackers and protect sensitive national data.