- Malanta.ai uncovers 14-year-old cybercrime infrastructure in Indonesia resembling state-sponsored operations
- The network covers more than 320 thousand domains, hacked government subdomains and thousands of malware-infected Android applications.
- The campaign stole more than 50 thousand gambling credentials and used AWS and Firebase for C2, raising suspicions of nation-state involvement.
Security researchers have discovered a massive cybercrime infrastructure in Indonesia that has continued unabated for over 14 years.
The volume of data distributed and sold on the black market was so large that Malanta.ai researchers said the campaign more closely resembles the work of a nation state than that of “ordinary” cybercriminals.
“What started out as simple gambling sites has grown into a global, well-funded, sophisticated, state-sponsored attack infrastructure operating across the web, cloud and mobile devices,” Malanta said in a recently published blog.
Is the government involved?
The operation had been going on since at least 2011, according to the report. The operators controlled more than 320,000 domains, including more than 90,000 that were hacked and hijacked. They also controlled more than 1,400 compromised subdomains and 236,000 purchased ones, all of which were used to redirect users to illegal gaming platforms.
To make matters worse, some of the compromised subdomains were on government and corporate servers. In some cases, the attackers used NGINX-based reverse proxies to terminate TLS connections for legitimate government domain names, disguising their C2 traffic as legitimate government communications.
There is also a malware ecosystem: researchers found “thousands” of malicious Android apps distributed through public infrastructure (Amazon Web Services S3 buckets).
These apps served as droppers, posing as legitimate gaming platforms while deploying malware that granted full access to compromised devices in the background. The backdoors received commands directly from another piece of public infrastructure: Google Firebase Cloud Messaging.
As a result, more than 50,000 credentials were stolen from gaming platforms, and countless infected Android devices and hijacked subdomains are circulating on the dark web.
“What if this ecosystem isn’t just cybercrime?” the researchers suggested.
The scope, scale and funding of this infrastructure are far more consistent with the capabilities typically associated with state-sponsored threat actors.
Via Cyber Security News