In the last quarter of 2012, Indonesia was nowhere to be seen on any list of countries from which cyber attacks originated. It accounted for 0.7% of all attacks, according to a quarterly “state of the internet” report from Akamai, a cloud-computing and online content-delivery business.
In Akamai’s latest report, which looked at the first quarter of 2013, attacks from Indonesia jumped by a factor of 30 to account for over a fifth of all attacks. That makes it second only to China. No other country on the list came anywhere close in terms of growth. So what exactly is going on?
David Belson, the author and editor of the report, says it’s hard to tell. Akamai acts as an intermediary for serving up web content; its servers host mirrors of entire or partial sites that it serves to browsers based on a variety of factors, all of which boil down to making the experience faster and smoother. As such, it serves nearly a fifth of web traffic. That puts it in a good position to comment on trends on the web.
Yet its data on attacks comes from what Belson describes as “honeypot or darknet systems,” which don’t exactly hide from view but whose existence is not advertised either. In the first quarter of the year, these systems saw tens of thousands of attacks. (By contrast, its public servers, the data for which is not used in the report, saw millions.) That means that the attackers are actively looking for vulnerabilities.
It is hard to draw any firm conclusions based on Akamai’s data: Belson could not say whether the attacks were sustained over the three-month period or were isolated incidents. Nor is it possible to tell whether they really came from Indonesia. “It’s entirely possible that the system that’s contacting Akamai is being used as a proxy or a waypoint by an attacker that is located somewhere else. So in Indonesia, for instance, it may be the case that for some reason there are a number of end-user systems that have been compromised and are under the control of a hacker in Russia or somewhere else,” says Belson. Akamai conjectures that the nature of the attacks—mostly gunning for web-based services—suggests the existence of a botnet.
Yet it would be foolish to dismiss the notion of Indonesian hackers entirely. Indonesia has been hit by a spate of cyber attacks of late. According to the communications ministry, there were 36.6 million incidents of hacking against the government in the last three years. In January of this year, the online group “Anonymous Indonesia” defaced 12 government websites to retaliate against the arrest of an alleged hacker. The growing incidence of attacks has reportedly forced the country’s defense ministry to set up a special team to mitigate the threats to national security. Yet the Indonesian government also alleges that the attacks originated from abroad, specifically from China, Russia, North Korea and the United States.
It will be a while until it is clear what exactly is going on with Indonesia. Different firms have different ways of measuring attacks, so we may have to wait for Akamai’s next report to get a decent comparison. In the meanwhile, Belson has agreed to look at reports from Akamai’s public servers to see if there is any correlation. Expect an update when we hear back from him.