Darknet Cyber Actor Spotlight: Bjorka

October 19, 2022

DarkOwl analysts regularly follow threat actors on the darknet who openly discuss cyberattacks and disseminate stolen information such as critical corporate or personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.

Bjorka Terrorizes the Indonesian Government

In the last two months, a cyber threat actor known by the alias Bjorka has been terrorizing the Indonesian government by targeting vulnerable systems and doxing key officials. After compromising their targets, Bjorka has been leaking sensitive databases from key Indonesian-specific organizations, such as Indonesia’s central mobile telecommunications provider. They’re also released data from servers storing correspondences from the Indonesian President.

DarkOwl analysts have observed that the threat actor has become increasingly embolden in their attacks against Indonesia. They have expanded their operations, stirred up real-life darknet drama by claiming that “the wrong hacker was arrested,” and have repeatedly put out calls for cyberwar against the Indonesian government.

Trolling Indonesia Government Causes Deep Web Forum Chaos

The actor known as Bjorka joined Breach Forums in early August 2022, and immediately gained attention from the forum community. They contributed to the underground forum – known for circulating commercial and government data leaks – by sharing databases containing millions of private personally identifying information (PII) from WattPad and Tokopedia commercial websites. Both sites were reportedly compromised in 2020.

Bjorka subsequently engaged in more activity on the forum that indicates they were targeting Indonesian entities. This includes:

A post containing a database of 26 Million records of personal data exfiltrated from the Telkom Indonesia provider, IndiHome, which they uploaded and made available free of charge.

Posts offering for the sale of a Ministry of Communications and Information Technology (KOMINFO) database of over 1.3 Billion Indonesian SIM card registration records and an Indonesian Citizen database stolen from the General Elections Commission.

Post sharing a controversial archive containing a collection of “secret” letters sent on behalf of President Joko Widodo (Jowoki) by the Indonesia government’s State Intelligence Agency – Badan Intelijen Negara (BIN).

In addition to database leaks and doxxes, Bjorka has revealed controversial political information related to investigations inside Indonesia, which prompt social unrest. For example, Bjorka identified Muchdi Purwopranjono – an Indonesian politician, former major general in the Kopassus, and head of the BIN – as responsible for the murder of a prominent human rights activist, Munir Said Thalib in September 2004.

Bjorka has also showed particular interest in Ferdy Sambo and the Brigadir J murder case; Ferdy Sambo, former head of the police Propam Division, and Inspector General of Police, is one of four suspects accused of shooting of Brigadir J in July 2022.

On Telegram, Bjorka highlighted another Indonesian official, Tito Karnavian, and Ferdy Sambo’s supervisor, as a person of interest and that Tito knew all about Brigadir J’s murder.

Figure 1: Source Breach Forums, Tor Anonymous Network

The cyberattacks against ministries across the Indonesian government, including the “President’s Letters” as they’re commonly called, caused Bjorka’s popularity in the Indonesian hacking community to skyrocket. Many referred to Bjorka as the “Indonesian Spartacus”. The influx of non-English speaking forum members prompted the site’s administrator, pompompurin to post a notice demanding the new users behave themselves and post messages in English. The forum – as of time of writing – sits at over 172,000 member accounts, a user growth of nearly 3x the number of users DarkOwl observed in July.

In late September, Bjorka also shared a personal plea for the new Indonesian forum members to follow the rules.

“FOR EVERYONE WHO COMES FROM INDONESIA AND CAME HERE BECAUSE OF ME, PLEASE FOLLOW THE BF RULES

BECAUSE ALL THE STAFF AT BF ARE TIRED OF A BUNCH OF IDIOTS FROM INDONESIA WHO DON’T FOLLOW THE RULES.

USE ENGLISH BECAUSE BF IS AN INTERNATIONAL FORUM, SO STOP USING YOUR LOCAL LANGUAGE.”

– Quotes Directly From Bjorka on the deep web site Breach Forums

The influx of Indonesian-based forum members brought with it general criticism and negative sentiment regarding the Indonesian government, especially the Ministry of Information.

“With all of the Indonesian crap taking place in here, I wouldn’t be surprised that Indonesian intelligence are joining here in sheer numbers”

“The reason why most Indonesians supported Bjorka … because they are clowns, literally an entire circus, their ministry of information and technology is literally a graduate of agriculture”

“Their security is honestly a joke at this point”

“I’m from Indonesia but I signed up not to be able to meet Bjorka but to learn to break into a database and share even though it’s my own country’s database, I’m doing this to fight a stupid government just because of one case they can be like children who can only cry and can only cry corrupt people’s money rather than the people’s interests. Sorry for the long post, greetings from Indonesia.”

– Posts from other forum users regarding Indonesia and Bjorka

Figure 2: Source Breach Forums, Tor Anonymous Network

Some Leaks Confirmed As Valid

Many leaks that surface on darknet forums like Breach Forums are met with skepticism of their legitimacy. Even breaches like Paytm, which appeared earlier this summer have had information security researchers respond – after the fact – that the information contained in the leaked database is fabricated, likely from other leaked open sources.

In mid-September, the Head of the National Cyber and Encryption Agency (BSSN) in Indonesia publicly stated that President Joko Widodo’s documents and letters as well as ministers’ personal data, were valid although with the surge of additional leaks during September, there have been numerous denials from Indonesian government officials of the legitimacy of the leaks, antagonizing and frustrating many threat actors on the forum. According to open-source news reporting, the Indonesian Ministry of Communications had also launched an investigation into the IndiHome data leak.

Who is Bjorka?

While Bjorka recently gained notoriety for their activity on Breach Forums, it’s no surprise DarkOwl discovered they were also active on the forum’s predecessor, Raid Forums. A user with the same moniker joined RaidForums in November 2020 and their profile includes a muted version of the same avatar image. According to DarkOwl Vision archives of RaidForums, in April 2021, they promoted their digital data project, leaks[.]sh, as a leaked database search engine built on ElasticSearch using commercial and government leaks shared by the forum administrator Omnipotent and other data brokers on Raid Forums. They also maintain the Surface Web domain bjork[.]ai.

Bjorka claims their physical location is Warsaw, Poland on their Breach Forums account profile and social media accounts related to the threat actor continue the Polish-connection narrative, claiming ties to a “smart old man in Warsaw” who experienced Indonesia’s injustice in 1965. This is likely reference to September 1965, when the Indonesia Army carried out mass killings and imprisonment of members of the Communist Party of Indonesia, Gerwani women, ethnic Javanese, and ethnic Chinese.

While little is recorded about the 1965-66 political killings in East Java there is research covered in the Journal of Genocide Research covering how the military influenced civilian perceptions and created divisions between the political left and right. The threat actor continued that their friend could not be tracked down.

“yea don’t try to track him down from the foreign ministry. because you won’t find anything. he is no longer recognized by Indonesia as a citizen because of the 1965 policy. even though he is a very smart old man” – Source Twitter (@bjorkanism)

According to social media in mid-September, the Bjorka “team” possibly expanded to include another darknet forum member known as strovian after the threat actor posted threads to Breach Forums in September calling Indonesian intelligence, BIN “stupid.”

Figure 3: Source Breach Forums, Tor Anonymous Network

The threat actor strovian – active on Breach Forums since April 2022 – has targeted servers in Indonesia and offered multiple databases for sale. The strovian cybercriminal appears to have exfiltrated databases detailing the identities of Indonesian police officers (POLRI DB) and Indonesian customs officers (DIRJEN BEA CUKAI). They also offered a BIN intelligence database for sale stolen in 2020 from a Foreign Affair Intelligences Deputy. strovian offered a similar Police Database on RaidForums in February 2022, prior to its seizure and shutdown.

Some conspiracy theorists suggest the Bjorka team and the attacks against KOMINFO originated with the Indonesian government, “like ISIS was created by the US Government” as a societal distraction from other geo-political agendas and corrupt initiatives or formed as a justification for state budget increases.

Recent social media posts across Twitter, YouTube, and TikTok – many from accounts using the infamous Anonymous Legion Guy Fawkes mask – suggest that the Bjorka hacker is neither a name nor a person, but instead is a nation-wide hacking “movement” and represents social justice for the Indonesian people.

A dark, ominous, “Anonymous” styled video released on YouTube in September openly declared ‘cyberwar’ with the Indonesian government on behalf of the Bjorka cause.

Figure 4: Source hxxxs://www.youtube.com/watch?v=1CTKtorlnf4

[TRANSLATED IMAGE]

“The name Bjorka represents the Indonesian people.”

Figure 5: Source YouTube Link REDACTED

[TRANSLATED IMAGE]

“with this we will declare a cyber war with the Indonesian government.”

There are multiple mentions by Bjorka directly that they are a result of ‘monsters’ and Indonesia’s five-pillared state philosophical principle called, Pancasila, which translates to “the five bases.”

The threat actor claims Pancasila was not proven and not completely implemented in Indonesia. The nation emblem of the country incorporates the Pancasila ideals, and any criticism of the philosophy is forbidden by law, possibly resulting in criminal charges.

Figure 6: Source Wikipedia

[TRANSLATING IMAGE]

“- Belief in the one and only God.

– Just and civilized humanity.

– The unity of Indonesia.

– Democracy guided by the inner wisdom in the unanimity arising out of deliberations amongst representatives.

– Social justice for all of the people of Indonesia.”

Critics of Pancasila are often angry that the philosophy does not include the right to atheism, i.e. the rejection of any theistic belief, but it is extremely unclear what Bjorka really believes regarding Pancasila and how it’s impacted them so deeply.

Bjorka claims the “country is in a bad situation with rising fuel prices” and political corruption. One of their more recent social media posts predicts they will target hacking public citizens debts and “forfeit all online loan applications and delete all data.”

Figure 7: Source Twitter, October 4, 2022

Bjorka Mocks Indonesian Government

In mid-September 2022, Bjorka shared a post titled, “THE INDONESIAN GOVERNMENT IS LOOKING FOR ME?” citing reports that the Indonesian government had formed a ‘special team’ to hunt the cybercriminal down.

Bjorka alleged that the State Intelligence Agency (BIN) and the National Police had incorrectly identified and arrested a young man as the Bjorka hacker using Instagram account (@volt_anonym), but the real Bjorka on active on the forum claiming this was all false information and they were very much free from jail.

Figure 8: Breach Forums, Source: Tor Anonymous Network

Bjorka stated they had direct insider knowledge from a friend at the palace of the President, and that the President was soon going to dismiss the Minister of Communications and Information Technology. They encouraged the President to hire someone “tech savvy” instead of political partisans or military officers.

On social media, the actor claimed they did not want to harm the citizens of Indonesia, and that their intent was to expose security vulnerabilities and weaknesses in Indonesia’s networks. They followed by posting the personal information (dox) of several high-ranking Indonesian government officials on their Telegram account. The data set included phone numbers, email addresses, full names, gender, NIK (identity number), KK (family card), physical addresses, and vaccine numbers.

After releasing the data, Bjorka teased officials directly on social media who dismissed their leaks as unimportant.

“How are you, Mr. @Mohmaffudmd? Are you still sure that no important data has been leaked?”

– Source: Twitter

On the birthday of the KOMINFO Minister, Johnny G. Plate, Bjorka posted “Happy Birthday” along with a detailed dox of the minister’s personal information. Much of information had already been uploaded on another popular doxing deep web site in August. Bjorka followed with sharp words for the minister on social media:

“This is a new era to show differently. Nothing will change if fools are still given immense power. The supreme leader in technology should be assigned to someone who understands, not a politician and not someone from the armed forces. Because they are just people – stupid people.”

– Source: Twitter

At the end of the month of September, the threat actor initiated a thread titled, “NATIONAL CYBER AND CRYPTO AGENCY OF INDONESIA” and included a CNN Indonesia news article reporting that the BSSN had increased its budget directly because of their data leaks. They included in the post, the name and photograph of the head of the agency along with a detailed dox and images of his identification cards.

According to open sources all the hacktivism against Indonesia by Bjorka has resulted in changes in government policy. Indonesia enacted its first personal data protection bill at the end of September. The bill imposes sanctions and criminal charges on organizations that fail to safely secure personal data. Individuals are also able to claim compensation for data breaches.

Bjorka Started Something That Shows No Signs of Slowing Down

During the month of September, Bjorka posted several high-profile leaks mentioned earlier, but their verdant followers and other darknet cybercriminals targeting Indonesia have leaked dozens more databases and sensitive data such as: Indonesia’s car registration databases, citizenship databases from the Ministry of Social Affairs, an Indonesian tollway operator, and government social assistance systems. Bjorka’s efforts indeed appears to have launched a concerted movement against Indonesia and what its citizens jokingly call an “open-source country.” (See REFERENCE – Sample of Indonesia-Related Data Leaks at end of document)

A twist to the Bjorka movement narrative is a thread titled, “66 GB Indonesia Department of Communication and Information Technology” shared by a Breach Forum user named, toshikana on September 13th. The forum user, who joined in July 2022, refers to something called “Operation Garden of the Gods” they and one other threat actor carried out with the intention to:

“improve the Quality of the Department but not limited to: Education, Cybersecurity, Consistency, Human Resources, On Target Budget Utilization and Good Communication since the name of your Department is Department of Communication and Information Technology but the fact is that You always fail to Communicate.”

– Post from user toshikana

The post also includes the data leak links for the KOMINFO database that Bjorka had shared earlier and then continues with an epilogue referring to the “General” and states their Group – which includes the General – was offered a large sum of money in August to target the Department of Foreign Affairs but they sent warning emails to the Minister Prabowo because they are not supporting any kind of “Revolution.”

toshikana implies that someone knowledgeable of this underground community and its members sought out to finance the cyber operation and sow chaos in Indonesia.

“With the permission of the General, we will securely store the rest Data classified as Confidential/Secret/Top Secret in our server until we see a significant change from you, we will not sell, share or use this. I’m sure we all agree that something that is promised to be safe, in the future it must remain safe and so is Confidential Data, it must remain Confidential, even if it is old Data or Data belonging to Poor People, isn’t that right Plate? what about you Semmy? Dedy? BSSN? and the Department of Health?

What we both will never breach/leak: anything related to Civilians/Poor People, Department of Foreign Affairs, Department of Defense and the Indonesian Military…. you’re welcome.

Also since our Group was offered a large sum of Money from a dozen People over Jabber to breach the system of the Indonesian Department of Foreign Affairs and Defense and sell the data to them, on Aug 25, 2022 one of our Lieutenants had sent a warning Email along with the evidence to the two Departments, also had sent an Email to Minister Prabowo about the huge potential of Cyber Espionage, but my sixth sense tells me that our Email was not read or it was read but only considered as a joke, with tremendous interest from them, you may have to pay attention to this one and don’t let your eyes closed.”

– Source: DarkOwl Vision

The surge in Indonesia-specific activity by other cyber actors might have prompted Bjorka to share personal information about themselves with their online community. Last week, Bjorka revealed their gender on Telegram, claiming they were “just a girl hiding behind a computer” living happily in Poland and they will “disappear for a while” due to so many issues in Indonesia. They also dismissed any suggestion that Bjorka was a ‘team.’

Perhaps posts stating strovian had joined their efforts and drama-filled threads from toshikana, might all have been simply a psychological operation, a possible diversion for the Indonesian government and intelligence teams’ digital investigators, or an attempt to emphasize that Bjorka is much larger than one person and is movement inspiring a social revolution in Indonesia.

Figure 9: Source Telegram

As of October 13th, Bjorka’s Telegram channels had all been shut down by Telegram staff and Bjorka quoted administrators stating, “even private channels can also be taken down.” Bjorka’s Twitter account (@bjorkanism) was also suspended due to “rules violations” which they contest stating staff from both platforms are simply actioning requests submitted by the Indonesian government. They included an ominous threat against Twitter if their account is suspended again.

“I will promise to delete twitter from play store if he suspends me again.”

– Source Twitter

Figure: Sample Indonesia-Related Leaks

DarkOwl Sources

DarkOwl is an open-source intelligence (OSINT) platform that aggregates information from various underground sources to discern actionable and meaningful intelligence that can be utilized across multiple industry sectors including commercial applications, law enforcement, and national security initiatives.

Remembering the subtle differentiations between data, information, and intelligence, DarkOwl’s key sources of raw data are described here.