- Malanta.ai uncovered a 14-year-old cybercrime infrastructure in Indonesia that resembles state-sponsored operations
- Network spans more than 320,000 domains, hijacked government subdomains, and thousands of malware-laden Android apps
- Campaign stole over 50,000 gambling credentials and used AWS and Firebase for C2, raising suspicions of nation-state involvement
Security researchers have discovered a massive cybercrime infrastructure in Indonesia that has been running non-stop for more than 14 years.
The operation's duration, the number of domains involved, the malware distributed and the data sold on the black market were so extensive that the researchers at Malanta.ai said the campaign looks more like a nation-state operation than the work of “simple” cybercriminals.
“What started as simple gambling websites has evolved into a global, well-funded, sophisticated and state-sponsored attack infrastructure operating across the web, cloud and mobile devices,” Malanta said in a recently published blog.
Is the government involved?
According to the report, the operation had been active since at least 2011. The operators controlled more than 320,000 domains, including more than 90,000 hacked and hijacked ones. They also monitored more than 1,400 compromised and 236,000 purchased subdomains, all used to redirect users to illegal gaming platforms.
To make matters worse, some of the compromised subdomains were on government and enterprise servers. In some cases, the threat actors deployed NGINX-based reverse proxies to terminate TLS connections on legitimate government domain names, thereby disguising their C2 traffic as legitimate government communications.
Then, there’s the malware ecosystem: Researchers found “thousands” of malicious Android apps, distributed via public infrastructure (Amazon Web Services’ S3 buckets).
These apps served as droppers, posing as legitimate gaming platforms while installing malware that granted full access to the compromised devices in the background. The backdoors received their commands directly from another piece of public infrastructure: Google’s Firebase Cloud Messaging service.
This resulted in over 50,000 login credentials stolen from gambling platforms, countless infected Android devices, and hijacked subdomains circulating on the dark web.
“What if this ecosystem wasn’t just cybercrime?” the researchers speculated.
The scope, scale, and financial backing behind this infrastructure align much more closely with the capabilities typically associated with state-sponsored threat actors.