{
	"id": "bc2d3d3d-8937-4cf0-85e6-724618c9687b",
	"created_at": "2026-04-06T00:10:15.179038Z",
	"updated_at": "2026-04-10T03:36:33.501407Z",
	"deleted_at": null,
	"sha1_hash": "c941673a6db00af57b7c88da9c06352e35a23992",
	"title": "Indonesian intelligence agency compromised in suspected Chinese hack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90438,
	"plain_text": "Indonesian intelligence agency compromised in suspected Chinese\r\nhack\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-13 · Archived: 2026-04-05 17:50:48 UTC\r\nChinese hackers have breached the internal networks of at least ten Indonesian government ministries and\r\nagencies, including computers from Indonesia's primary intelligence service, the Badan Intelijen Negara (BIN).\r\nThe intrusion, discovered by Insikt Group, the threat research division of Recorded Future, has been linked\r\nto Mustang Panda, a Chinese threat actor known for its cyber-espionage campaigns targeting the Southeast Asian\r\nregion[1, 2].\r\nInsikt researchers first discovered this campaign in April this year, when they detected PlugX malware command\r\nand control (C\u0026C) servers, operated by the Mustang Panda group, communicating with hosts inside the networks\r\nof the Indonesian government.\r\nThese communications were later traced back to at least March 2021. The intrusion point and delivery method of\r\nthe malware are still unclear.\r\nSome systems are still infected, despite clean-up efforts\r\nInsikt Group researchers notified Indonesian authorities about the intrusions in June this year and then again in\r\nJuly. 
Officials did not provide feedback for the reports.\r\nBIN, which was the most sensitive target compromised in the campaign, did not return requests for comment sent\r\nby The Record in July and August.\r\nA source familiar with the investigation told The Record last month that authorities had taken steps to identify and\r\nclean the infected systems.\r\nDays after, Insikt researchers confirmed that hosts inside Indonesian government networks were still\r\ncommunicating with the Mustang Panda malware servers.\r\nPart of China's sprawling cyber-espionage campaigns\r\nNews of this intrusive cyber-espionage effort comes as the two countries have been re-establishing close\r\ndiplomatic relations after almost reaching armed conflict a few years before, primarily due to marine territorial\r\ndisputes.\r\nCurrently the second-largest investor in Indonesia, China has been cozying up to Indonesian provinces over the\r\npast two years to facilitate increased trade and further its implementation of the Belt and Road Initiative, a foreign\r\npolicy initiative to invest in neighboring countries in order to establish lasting political ties and trade agreements.\r\nhttps://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/\r\nPage 1 of 2\n\nBut these investments haven't always been welcome, with some countries seeing them as a Trojan horse for their\r\neconomies.\r\nSince 2013, when China made its Belt and Road Initiative public, cyber-espionage groups have often targeted\r\ncountries where China planned to invest as part of this project.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: 
https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/\r\nhttps://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/"
	],
	"report_names": [
		"indonesian-intelligence-agency-compromised-in-suspected-chinese-hack"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c941673a6db00af57b7c88da9c06352e35a23992.pdf",
		"text": "https://archive.orkl.eu/c941673a6db00af57b7c88da9c06352e35a23992.txt",
		"img": "https://archive.orkl.eu/c941673a6db00af57b7c88da9c06352e35a23992.jpg"
	}
}