The breach was discovered by Insikt Group, the research division of threat intelligence company Recorded Future, in April. The firm detected PlugX malware, believed to be operated by a group called Mustang Panda, operating within the networks of Indonesian government agencies, cybersecurity publication The Record reported on Sept. 10.

Insikt researchers managed to trace the malware’s presence on the networks back to at least March, although they were unable determine how the government systems were breached or which network was the first to be compromised.

The researchers notified government officials of the cyberattack in both June and July but did not receive feedback, The Record reported.

Mustang Panda is believed to have orchestrated a cyber-espionage campaign targeting United States-based NGOs in 2017, according to US cybersecurity company Crowdstrike.

The group now appears to have moved its focus to Southeast Asia. In a report published in July, experts from antivirus software company Kaspersky highlighted cyberattack campaigns in Myanmar and the Philippines, some of which had targeted government agencies.

The attacks, which had reportedly been ongoing since at least October 2020, were believed to have been conducted by the HoneyMyte group, an alias for Mustang Panda.

Following the report by The Record, National Police spokesman Insp. Gen, Argo Yuwono said on Monday that authorities had launched an investigation into the alleged breach, Kompas.com reported.

National Cyber and Encryption Agency (BSSN) chairman Hinca Siburian would not confirm the reported cyberattacks, citing a lack of credible information and noting that the breach was only “suspected”.

Communication and Information System Security Research Center (CISSReC) chairman Pratama Persadha said the reported attack should serve as a wake-up call for the government to step up its cybersecurity efforts.

“A deep vulnerability assessment needs to be conducted on our system,” Pratama said in a statement on Sunday, adding that such an assessment should include routine tests of the government’s digital infrastructure.

The reported Mustang Panda cyberattack is the latest in a growing list of high-profile cybersecurity incidents that have occurred during the COVID-19 pandemic, as people and institutions rely more heavily on digital technology.

In July, encryption provider vpnMentor reported a data leak in the defunct electronic Health Alert Card (eHAC) system, which potentially compromised the data of some 1.3 million of eHAC users.

The report prompted the National Police, the Health Ministry and the Communications and Information Ministry to launch an investigation on Aug. 31 into the possible breach.

The Health Ministry uses the eHAC system to help for COVID-19 contact tracing. After a week of investigation, the authorities ended the probe and insisted that no attempt had been made to infiltrate data from the eHAC database.

Earlier this year, the private information of more than 200 million national health insurance (JKN) policyholders was also reportedly stolen and offered up for sale by hackers.

Data leaks have plagued Indonesian businesses as well. In July, unidentified hackers exposed the personal details of up to 2 million clients of BRI Life, the insurance arm of state lender Bank Rakyat Indonesia (BRI), and advertised the data for sale.

Experts have called on the government to comprehensively audit the country’s data breaches and to impose measures to prevent similar incidents from occurring in the future.

The slew of cyberattacks has piled more pressure on the House of Representatives and the Joko “Jokowi” Widodo administration to ensure the passage of the long-awaited data protection bill.

The House and the executive have been at a loggerheads over the design of a proposed data protection agency, which has slowed deliberation on the bill.

House Speaker Puan Maharani recently reaffirmed lawmakers’ commitment to passing the bill and called on the government to demonstrate its “seriousness” in the deliberation process.