- Malanta.ai discovered a 14-year-old cybercrime infrastructure in Indonesia that appeared to resemble state-sponsored operations.
- The network includes more than 320,000 domains, hacked government subdomains, and thousands of Android apps loaded with malware.
- The campaign stole more than 50,000 gaming-platform credentials and used AWS S3 and Firebase for payload hosting and C2, raising suspicions of nation-state involvement.
Security researchers have discovered a massive cybercrime infrastructure in Indonesia that has been operating continuously for more than fourteen years.
The duration of the operation, the number of domains involved, the malware distributed and the data sold on the black market led the researchers – Malanta.ai – to argue that the campaign looked more like a nation-state operation than the work of “simple” cybercriminals.
“What started as simple gambling sites has grown into a sophisticated, well-funded and government-sponsored global attack infrastructure that operates across the Internet, in the cloud and on mobile devices,” Malanta said in a recent blog post.
Is the government involved?
According to the report, the operation has been active since at least 2011. The operators controlled over 320,000 domains, of which over 90,000 were hacked or hijacked rather than registered. They also controlled over 1,400 compromised subdomains and 236,000 purchased subdomains, all used to redirect users to illicit gaming platforms.
Even worse, some of the compromised subdomains belonged to government and corporate servers. In some cases the threat actors placed NGINX reverse proxies on those hijacked subdomains to terminate TLS under legitimate government hostnames, so that their C2 traffic appeared to be ordinary government web traffic. A valid certificate on such a name proves nothing about who operates it: whoever controls the DNS record for a hostname can obtain a publicly trusted certificate for it.
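The practical defensive question raised by the hijacked government subdomains is whether any name under your own zone is pointing somewhere you do not control. The script below is an added example, not code from Malanta.ai or from the report; it audits a constructed inventory of hostnames for three signs of a hijacked or hijackable subdomain: a CNAME whose target no longer resolves (a takeover candidate), a name resolving to an address outside the organisation's netblocks without an approved delegation, and a certificate issued by a CA the organisation never uses. All netblocks, hostnames, CNAME suffixes and issuer names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory for an imaginary ministry; none of these values
# come from the Malanta report.
OWNED_NETBLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
# CNAME targets the organisation knowingly delegates to (e.g. its CDN). Hypothetical.
APPROVED_CNAME_SUFFIXES = (".cdn.example-provider.net",)
# CAs the organisation actually uses. A publicly trusted certificate from any
# other issuer means someone else proved control of the name. Hypothetical.
APPROVED_ISSUERS = {"Example Gov CA"}


@dataclass
class HostObservation:
    hostname: str
    resolved_ip: Optional[str]    # None if the name does not resolve at all
    cname_target: Optional[str]   # None if the record is a direct A/AAAA
    cert_issuer: Optional[str]    # issuer CN of the certificate served over TLS


def audit_host(obs: HostObservation) -> List[str]:
    """Return the reasons a single subdomain looks hijacked or hijackable."""
    reasons: List[str] = []

    # CNAME pointing at a target nobody answers for: classic takeover candidate.
    if obs.cname_target and obs.resolved_ip is None:
        reasons.append("dangling CNAME")

    if obs.resolved_ip is not None:
        ip = ipaddress.ip_address(obs.resolved_ip)
        in_owned = any(ip in net for net in OWNED_NETBLOCKS)
        delegated = bool(obs.cname_target) and obs.cname_target.endswith(APPROVED_CNAME_SUFFIXES)
        if not in_owned and not delegated:
            reasons.append("resolves outside owned ranges")

    if obs.cert_issuer is not None and obs.cert_issuer not in APPROVED_ISSUERS:
        reasons.append("certificate from unexpected issuer")

    return reasons


def audit_inventory(observations: List[HostObservation]) -> Dict[str, List[str]]:
    """Map each suspicious hostname to its findings; clean hosts are omitted."""
    findings: Dict[str, List[str]] = {}
    for obs in observations:
        reasons = audit_host(obs)
        if reasons:
            findings[obs.hostname] = reasons
    return findings


# Constructed observations, as a resolver plus a TLS probe would report them.
SAMPLE_INVENTORY = [
    # Healthy: in-house address, in-house CA.
    HostObservation("www.ministry.gov.example", "203.0.113.10", None, "Example Gov CA"),
    # Forgotten portal now served from a foreign host with a cert the ministry never requested.
    HostObservation("old-portal.ministry.gov.example", "198.51.100.7", None, "Let's Encrypt"),
    # CNAME left behind after a cloud app was decommissioned: nobody answers for it yet.
    HostObservation("events.ministry.gov.example", None, "abandoned-app.cloud-host.example", None),
    # Legitimately delegated to the approved CDN, so the outside IP is expected.
    HostObservation("static.ministry.gov.example", "192.0.2.44", "d1.cdn.example-provider.net", "Example Gov CA"),
]

if __name__ == "__main__":
    for host, reasons in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(reasons)}")
```

Run against a real zone, the inventory would come from a zone export plus a resolver and a TLS probe; the interesting operational check is the second one, since a hijacked name served through a reverse proxy will typically present a perfectly valid certificate and only the hosting address and issuer give it away.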
Then there’s the malware ecosystem: the researchers found “thousands” of malicious Android apps hosted on public cloud storage (Amazon Web Services S3 buckets).
These apps acted as droppers: they masqueraded as legitimate gaming platforms and installed payloads that silently gave the operators full control of the device. The resulting backdoors then fetched their commands from another piece of public cloud infrastructure, Google's Firebase service.
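The S3-hosted dropper plus Firebase command channel described above is a recognisable combination in a decoded APK. As an added example (not code from the report or from any of the apps it describes), the script below triages a decoded app from two artefacts an analyst already has after unpacking: the permissions declared in AndroidManifest.xml and the string table pulled from the DEX. The manifest excerpt, string table, permission sets and URL patterns are constructed for illustration; the Firebase Realtime Database and S3 hostname shapes are the public ones those services use.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest excerpt standing in for a decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

# Constructed string table, as a DEX string dump would show it.
SAMPLE_STRINGS = [
    "https://example-bucket.s3.amazonaws.com/update.apk",
    "https://example-project-default-rtdb.firebaseio.com/cmd",
    "com.example.game.MainActivity",
]

# Permission that lets an app install further packages: the dropper capability.
DROPPER_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES"}
# Permissions a gaming app has little reason to hold but a backdoor wants.
SENSITIVE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_SMS",
}
CLOUD_PATTERNS = {
    "firebase_rtdb": re.compile(r"https?://[\w.-]+\.firebaseio\.com/"),
    "s3_object": re.compile(r"https?://[\w.-]*s3[\w.-]*\.amazonaws\.com/"),
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Collect android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def cloud_references(strings: List[str]) -> Dict[str, List[str]]:
    """Group strings that reference Firebase RTDB or S3 by service."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        for label, pattern in CLOUD_PATTERNS.items():
            if pattern.search(s):
                hits.setdefault(label, []).append(s)
    return hits


def triage(manifest_xml: str, strings: List[str]) -> List[str]:
    """Return human-readable indicators; an empty list means nothing matched.

    These are triage heuristics, not a verdict: a legitimate app can use
    Firebase and request SMS access, so every hit still needs a human look.
    """
    perms = declared_permissions(manifest_xml)
    refs = cloud_references(strings)
    indicators: List[str] = []
    if perms & DROPPER_PERMS and "s3_object" in refs:
        indicators.append("installs packages fetched from S3 (dropper pattern)")
    if "firebase_rtdb" in refs and perms & SENSITIVE_PERMS:
        indicators.append("Firebase-backed command channel alongside sensitive permissions")
    return indicators


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print(line)
```

On a real sample the manifest comes from apktool or aapt and the strings from the DEX; the useful part of the heuristic is the conjunction, since neither an S3 URL nor a Firebase URL is suspicious on its own.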
The result: more than 50,000 stolen user credentials for the gaming platforms, countless infected Android devices, and hijacked subdomains being traded on the dark web.
“What if this ecosystem wasn’t just cybercrime?” ask the researchers.
Overall, the scale, reach and financial backing of this infrastructure are far more consistent with the capabilities typically associated with state-sponsored threat actors.