The official website of Indonesia’s National Narcotics Agency (Badan Narkotika Nasional, BNN) suffered a severe defacement attack on March 4, 2025, perpetrated by a threat actor using the pseudonym “Havij Santana”—a moniker directly referencing the notorious Havij SQL injection tool.
The compromised page, sirenaapi.bnn.go.id/file-berkas-klien/lampiran-1741007401174-623910112.html, displayed a mocking message alongside claims of unauthorized access to internal databases.
This incident underscores Indonesia’s persistent vulnerabilities to automated exploitation tools and follows a pattern of high-profile breaches targeting government infrastructure.
Technical Analysis of the Attack Vector
According to the post from cyberfeeddigest, forensic evidence suggests the attacker leveraged Havij, an automated SQL injection framework first developed in 2010 by the Iranian cybersecurity firm ITSecTeam.

Havij’s GUI-driven interface enables even low-skilled hackers to probe web applications for SQLi vulnerabilities by injecting malicious payloads like 999999.9 UNION SELECT * FROM table_example—a signature pattern detected in 30% of SQLi attempts monitored by Check Point’s intrusion prevention systems.
The tool’s traffic is identifiable through its unique user agent string (Mozilla/4.0 [...] Havij), which was logged during the BNN breach.
Havij operates by exploiting improper input sanitization, often converting string-based database entries into integers to trigger error messages.
For instance, a payload such as CONVERT(int, db_name()) forces the server to reveal the database name in the resulting error message.
In this case, the defacement page’s source code contained remnants of such queries, indicating the attacker successfully enumerated table structures and exfiltrated administrative credentials.
Contextualizing Indonesia’s Cybersecurity Crisis
This breach follows a February 2025 incident where threat actor KryptonSec_My infiltrated BNN’s cloud infrastructure (cloud.bnn.go.id), accessing sensitive operational documents like SOP Berantas (eradication protocols) and personnel records.
Despite efforts to migrate systems to secure environments after the 2024 LockBit 3.0 ransomware attack on Indonesia’s national data center, agencies like BNN remain critically exposed.
Cybersecurity analysts attribute these lapses to:
- Legacy Infrastructure: Outdated web frameworks with unpatched vulnerabilities, as seen in the 2021 Log4Shell crisis.
- Insufficient Credential Hygiene: The 2024 breach of a U.S. state government via a former employee’s compromised VPN account highlights the risks of unrevoked privileges.
- Overreliance on Reactive Measures: Indonesia’s refusal to pay ransoms—such as the $8 million demand during the 2024 PDNS breach—has not been matched by proactive investments in threat detection.
Implications and Expert Responses
The defacement raises alarms about data integrity within BNN’s narcotics enforcement operations. Exposed internal portals could reveal informant identities, surveillance tactics, or case files, undermining national and regional drug interdiction efforts.
Pratama Persadha, chair of Indonesia’s Cybersecurity Research Institute, criticized the government’s “reactive patchwork approach,” noting that ransomware attacks have surged since 2017.
Check Point researchers emphasize that Havij-based attacks remain prevalent due to their simplicity, urging organizations to:
- Deploy web application firewalls (WAFs) with signature-based detection for Havij’s payload patterns.
- Implement parameterized queries to neutralize SQLi attempts.
- Conduct regular audits of user roles, especially after employee departures, to prevent credential reuse.
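As an added illustration (not code from the article or from Check Point), the following Python ties together the Havij indicators described above and the parameterized-query recommendation: a small detector that flags the Havij user agent, the numeric UNION SELECT probe and the CONVERT(int, ...) error-based trick in constructed access-log lines, beside a string-built lookup and its parameterized replacement on an in-memory SQLite table. The log format, IP addresses and table are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the BNN incident); the user agent and
# payload shapes follow the patterns the article attributes to Havij.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Mar/2025:10:01:02 +0700] "GET /page?id=42 HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux)"
203.0.113.11 - - [04/Mar/2025:10:01:05 +0700] "GET /page?id=999999.9+UNION+SELECT+*+FROM+table_example HTTP/1.1" 500 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) Havij"
203.0.113.12 - - [04/Mar/2025:10:01:09 +0700] "GET /page?id=1+AND+1%3DCONVERT(int%2Cdb_name()) HTTP/1.1" 500 "Mozilla/5.0 (Windows NT 10.0)"
"""

# Simplified combined-log layout: ip - - [time] "method path proto" status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Detection rules: Havij's user-agent marker, the numeric UNION SELECT probe,
# and the CONVERT(int, ...) cast used to leak names through error messages.
RULES = [
    ("havij-user-agent", re.compile(r"havij", re.I), "ua"),
    ("union-select-probe", re.compile(r"\b\d+(?:\.\d+)?\s+union\s+select\b", re.I), "path"),
    ("convert-int-error-probe", re.compile(r"convert\s*\(\s*int\s*,", re.I), "path"),
]

def detect(log_text):
    """Return [(ip, rule_name), ...] for every parsed line matching a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # URL-decode the path so encoded payloads (%3D, %2C, '+') are matched.
        fields = {"ua": m["ua"], "path": unquote_plus(m["path"])}
        for name, pattern, field in RULES:
            if pattern.search(fields[field]):
                hits.append((m["ip"], name))
    return hits

def lookup_unsafe(conn, user_id):
    """String-built query: the injection class Havij automates."""
    return conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()

def lookup_safe(conn, user_id):
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()

def demo_db():
    """In-memory SQLite table with constructed rows for the comparison."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn
```

Fed the same UNION payload, lookup_unsafe returns every name while lookup_safe returns nothing, because the bound parameter is compared as a value rather than spliced into the statement.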
The BNN defacement epitomizes the dual threat of automated exploitation tools and institutional complacency.
While Indonesia’s National Cyber and Crypto Agency (BSSN) has restored access to the affected page, the breach underscores an urgent need for modernization of federal IT ecosystems.