
Sarulla Data Breach Exposes Energy Project Files

A listing on the INC RANSOM dark web leak site claims that the group has taken confidential internal project files, engineering documentation, and administrative data from Sarulla Operation Ltd., an Indonesian geothermal energy company. INC RANSOM uses the portal to name victims and to extort them with the threat of publishing stolen data. Nothing in the listing has been independently verified at the time of writing, but the company operates one of Indonesia’s most important geothermal projects, so a confirmed breach would matter both to national energy security and to the international partners involved in the project.


Background on Sarulla Operation Ltd.

Sarulla Operation Ltd. is a major geothermal energy consortium responsible for developing and operating the Sarulla Geothermal Power Plant in North Sumatra, Indonesia. The project is one of the world’s largest single-contract geothermal developments, with an installed capacity exceeding 300 megawatts. It plays a critical role in Indonesia’s transition toward renewable energy and has long-standing partnerships with multinational companies, local contractors, and government agencies.

The consortium brings together PT Medco Power Indonesia, Itochu Corporation, Kyushu Electric Power Company, Ormat Technologies, and INPEX Corporation. Because of its strategic importance, Sarulla Operation handles large volumes of proprietary engineering data, environmental assessments, and government regulatory filings. Unauthorized access to this data could have significant implications for Indonesia’s energy infrastructure and for its foreign partnerships.

Details of the Sarulla Data Breach

The INC RANSOM group listed Sarulla Operation Ltd. among its latest victims on November 10, 2025. According to the leak site entry, the attackers claim to have exfiltrated sensitive project documents, employee records, and contract data before encrypting the company’s systems. The listing appears under the group’s “pending publication” category, suggesting the data may be released within days if ransom demands are not met.

  • Threat Actor: INC RANSOM
  • Victim: Sarulla Operation Ltd. (Indonesia)
  • Data Claimed Stolen: Energy project files, financial records, corporate communications, and HR information (as described in the leak site entry; no samples have been published to substantiate it)
  • Date Added: November 10, 2025
  • Status: Awaiting verification

While no data samples have been publicly released yet, previous INC RANSOM leaks suggest that compromised data sets may include full corporate directories, PDF engineering blueprints, network topologies, and internal procurement contracts. Given the scale of the Sarulla project, even partial exposure of these materials could reveal valuable information about Indonesia’s renewable energy infrastructure and project management systems.

Nature of the Exfiltrated Information

In past INC RANSOM incidents the group has gone after file shares, cloud repositories, and project servers. If the listing is accurate, the Sarulla data could therefore include energy production reports, turbine maintenance logs, and construction documentation, as well as employee identity data and business email. None of this has been confirmed. Such material is valuable to criminals because it shortcuts reconnaissance: asset inventories, network diagrams, and vendor remote-access procedures tell an attacker where industrial control systems sit and how they are reached, and the same intelligence can be sold to third parties.

Energy projects like Sarulla rely on complex, multi-vendor ecosystems. These typically include remote monitoring software, IoT-based sensors, and SCADA (Supervisory Control and Data Acquisition) systems that are reachable from the corporate network, and in poorly segmented plants from the internet, so that vendors can collect real-time data and perform maintenance. The categories named in the listing are IT-side documents, and nothing published so far indicates that operational technology was accessed. The practical risk is that stolen documentation gives an attacker a detailed map of the plant’s operational framework, which raises both cybersecurity and physical security concerns for any later intrusion.

Impact on Indonesia’s Energy Sector

The Sarulla Operation breach comes at a time when Indonesia is rapidly scaling up renewable energy initiatives to meet national sustainability goals. The exposure of sensitive project data could undermine confidence among investors and international stakeholders involved in the country’s geothermal expansion. It also highlights a broader issue affecting Southeast Asia’s energy sector: the increasing vulnerability of critical infrastructure to ransomware groups.

The Sarulla data breach may also carry regulatory consequences under Indonesia’s Personal Data Protection Law (Law No. 27 of 2022, the PDP Law), which became fully enforceable in October 2024 after a two-year transition period. The law requires controllers of personal data to implement appropriate security measures and, following a breach, to notify both the affected data subjects and the data protection authority in writing within 3x24 hours. If personal employee or partner information was compromised, Sarulla Operation could face administrative sanctions or mandatory audits from government regulators.

Ransomware Group Profile: INC RANSOM

INC RANSOM has been one of the more active ransomware operations of 2025. Its victims span energy, logistics, and manufacturing firms worldwide, as well as healthcare and public-sector organizations; the group is opportunistic rather than specialized in industrial networks, but it favours organizations whose operations are costly to interrupt and whose data is damaging to leak, which keeps critical infrastructure operators on its target list. It uses double extortion, pairing encryption with the threat of publication, to pressure victims into payment.

Reported INC RANSOM intrusions have begun with spear phishing or with the exploitation of known vulnerabilities in internet-facing VPN gateways and remote access tools. Once inside, the operators move laterally across the network, escalate privileges, and stage and exfiltrate large volumes of data before deploying encryption. Each of those stages leaves telemetry, such as VPN authentication records, directory audit events, and outbound byte counts, that defenders can correlate in the days before encryption starts. The leak site serves as both a communication platform and a pressure tool, displaying corporate logos, victim details, and publication countdowns to attract public attention.
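The correlation just described, as an added example that is not code from the original article nor from any Sarulla Operation or INC RANSOM artefact: it scores each remote-access logon on three independent signals (a source country never seen for that user, bulk egress to destinations outside an allowlist within a few hours, and membership in a privileged group within the same window) and raises an alert only when at least two agree. The log lines, field layout, allowlist and thresholds are constructed assumptions standing in for VPN, proxy/NetFlow and directory audit exports.

```python
"""Correlate remote-access logons with later bulk egress and privilege changes.

Added example for this article; it is not code from the original page nor
from any Sarulla Operation or INC RANSOM artefact. The three log sets, the
field layout, the allowlist and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log: (user, source country, ISO timestamp).
VPN_LOGONS = [
    ("jdoe", "ID", "2025-11-03T08:02:00"),
    ("jdoe", "ID", "2025-11-04T08:10:00"),
    ("svc_backup", "ID", "2025-11-04T01:00:00"),
    ("jdoe", "RU", "2025-11-07T02:15:00"),   # new country, off-hours
]

# Constructed egress log (proxy or NetFlow): (user, destination, bytes out, ISO timestamp).
EGRESS = [
    ("jdoe", "sharepoint.example.com", 120_000_000, "2025-11-04T09:00:00"),
    ("svc_backup", "backup.example.com", 900_000_000_000, "2025-11-04T01:30:00"),
    ("jdoe", "185.0.2.10", 48_000_000_000, "2025-11-07T03:40:00"),
]

# Constructed directory audit log: (user, privileged group joined, ISO timestamp).
GROUP_CHANGES = [
    ("jdoe", "Domain Admins", "2025-11-07T02:50:00"),
]

EGRESS_ALLOWLIST = {"sharepoint.example.com", "backup.example.com"}  # assumed known-good destinations
BULK_BYTES = 10 * 1024 ** 3   # assumed threshold: 10 GiB to non-allowlisted hosts
WINDOW = timedelta(hours=6)   # look this far after each logon


def _ts(value):
    return datetime.fromisoformat(value)


def baseline_countries(logons, baseline_end):
    """Countries each user logged on from before baseline_end (the learning period)."""
    seen = defaultdict(set)
    end = _ts(baseline_end)
    for user, country, ts in logons:
        if _ts(ts) < end:
            seen[user].add(country)
    return seen


def find_suspicious_sessions(logons, egress, group_changes, baseline_end):
    """Score each post-baseline logon on three independent signals and return alerts.

    A single signal (e.g. a new country) is noisy on its own; an alert needs
    at least two of: new source country, bulk egress to non-allowlisted
    destinations within WINDOW, or membership in a privileged group within WINDOW.
    """
    base = baseline_countries(logons, baseline_end)
    end_of_baseline = _ts(baseline_end)
    alerts = []
    for user, country, ts in logons:
        start = _ts(ts)
        if start < end_of_baseline:
            continue
        stop = start + WINDOW
        reasons = []
        if country not in base.get(user, set()):
            reasons.append(f"logon from previously unseen country {country}")
        out = sum(b for u, dst, b, t in egress
                  if u == user and dst not in EGRESS_ALLOWLIST and start <= _ts(t) <= stop)
        if out >= BULK_BYTES:
            reasons.append(f"{out / 1024 ** 3:.1f} GiB sent to non-allowlisted destinations within {WINDOW}")
        for u, group, t in group_changes:
            if u == user and start <= _ts(t) <= stop:
                reasons.append(f"added to {group}")
        if len(reasons) >= 2:
            alerts.append({"user": user, "logon": ts, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(VPN_LOGONS, EGRESS, GROUP_CHANGES, "2025-11-05T00:00:00"):
        print(alert["user"], alert["logon"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

On the constructed data only the 7 November logon by `jdoe` trips all three signals; the backup service account moves far more data, but to an allowlisted destination and during its baseline, so it is left alone. The two-signal rule is the design choice that matters: new-country logons alone would page an analyst every time a traveling engineer connects from a hotel.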

Potential Consequences for Stakeholders

The Sarulla data breach could have cascading effects beyond the immediate organization. Because the project involves multiple international partners, the stolen data may contain correspondence, financial agreements, and shared engineering resources from Japanese, American, and Indonesian firms. This raises the risk of diplomatic sensitivity if proprietary technology or government-linked materials are leaked online.

Furthermore, if operational or maintenance data were compromised, malicious actors could use that knowledge to exploit vulnerabilities in similar geothermal facilities or associated power grid systems. The attack serves as a reminder that even renewable energy projects, which are often considered less attractive targets than fossil fuel operations, have become prime candidates for cyber extortion.

Why Energy Firms Are High-Value Targets

Ransomware operators increasingly view energy sector companies as lucrative targets due to their dependence on uninterrupted operations. Shutting down a single plant can result in millions of dollars in losses, creating immense pressure on victims to pay quickly. Additionally, energy companies often manage large financial transactions and maintain confidential data tied to national infrastructure, making them valuable for both financial and geopolitical exploitation.

In the case of Sarulla Operation, the stolen documents could also give attackers detailed knowledge of vendor systems, project milestones, and government partnerships that helps them pick new targets. Information extracted during the breach could serve as reconnaissance material for future attacks against other Indonesian or regional energy operators.

Global Reactions and Cybersecurity Implications

International cybersecurity researchers have expressed concern about the potential geopolitical impact of the Sarulla Operation data breach. The incident echoes similar attacks on energy companies in Japan, Malaysia, and India, where ransomware groups have increasingly targeted renewable infrastructure. Analysts suggest that the trend may reflect a strategic interest in the growing renewable energy market, which now represents billions of dollars in public and private investment across Asia.

For Indonesia, the breach may accelerate government initiatives to strengthen industrial cybersecurity. The National Cyber and Crypto Agency (Badan Siber dan Sandi Negara, BSSN) has previously warned of ransomware threats to infrastructure sectors, urging operators to adopt stricter endpoint monitoring, network segmentation between corporate and plant networks, and employee training to detect early-stage intrusions.
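Segmentation, recommended above and undermined by the internet-reachable SCADA access paths described earlier, is easier to claim than to verify. The following is an added example, not code from the original article or from Sarulla Operation, that probes a first-match firewall policy with representative IT, OT, DMZ and internet flows and reports every flow the policy permits against the segmentation design. The zone layout, both rule sets and the probe flows are constructed assumptions standing in for a policy exported from a real plant firewall.

```python
"""Probe a first-match firewall policy for IT/OT segmentation gaps.

Added example for this article; not code from the original page or from
Sarulla Operation. The zone layout, rule sets and probe flows are constructed
assumptions standing in for a policy exported from a real plant firewall.
"""
import ipaddress

# Rule = (name, source network, destination network, destination port or None for any, action).
# Rules are evaluated top to bottom; the first match wins.
WEAK_RULES = [
    ("jump-to-ot",        "10.20.0.5/32", "10.50.0.0/16", 22,   "allow"),  # DMZ jump host to OT
    ("corp-to-plc",       "10.10.0.0/16", "10.50.0.0/16", 502,  "allow"),  # IT LAN straight to Modbus
    ("deny-it-to-ot",     "10.10.0.0/16", "10.50.0.0/16", None, "deny"),
    ("it-to-internet",    "10.10.0.0/16", "0.0.0.0/0",    None, "allow"),
    ("hmi-remote-vendor", "0.0.0.0/0",    "10.50.1.0/24", 3389, "allow"),  # internet to HMI RDP
    ("scada-updates",     "10.50.0.0/16", "0.0.0.0/0",    443,  "allow"),  # OT zone to internet
    ("default-deny",      "0.0.0.0/0",    "0.0.0.0/0",    None, "deny"),
]

# Same policy with the three gaps closed: vendor access and updates go through the DMZ.
HARDENED_RULES = [
    ("jump-to-ot",        "10.20.0.5/32", "10.50.0.0/16", 22,   "allow"),
    ("deny-it-to-ot",     "10.10.0.0/16", "10.50.0.0/16", None, "deny"),
    ("it-to-internet",    "10.10.0.0/16", "0.0.0.0/0",    None, "allow"),
    ("ot-to-patch-proxy", "10.50.0.0/16", "10.20.0.9/32", 443,  "allow"),  # DMZ patch proxy only
    ("default-deny",      "0.0.0.0/0",    "0.0.0.0/0",    None, "deny"),
]

# Representative flows and whether the segmentation design should allow them.
PROBES = [
    ("internet -> HMI RDP",  "203.0.113.7", "10.50.1.20",   3389, False),
    ("OT -> internet HTTPS", "10.50.2.10",  "198.51.100.9", 443,  False),
    ("IT -> PLC Modbus/TCP", "10.10.5.5",   "10.50.3.3",    502,  False),
    ("IT -> OT SSH",         "10.10.5.5",   "10.50.3.3",    22,   False),
    ("jump host -> OT SSH",  "10.20.0.5",   "10.50.3.3",    22,   True),
    ("IT -> internet HTTPS", "10.10.5.5",   "198.51.100.9", 443,  True),
]


def first_match(rules, src_ip, dst_ip, port):
    """Return (rule name, action) of the first rule matching the flow, or an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, src_net, dst_net, rule_port, action in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (rule_port is None or rule_port == port)):
            return name, action
    return "implicit-deny", "deny"


def audit(rules, probes):
    """Return (flow, matching rule) for every probe whose outcome contradicts the design."""
    findings = []
    for flow, src_ip, dst_ip, port, should_allow in probes:
        name, action = first_match(rules, src_ip, dst_ip, port)
        if (action == "allow") != should_allow:
            findings.append((flow, name))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings = audit(rules, PROBES)
        print(f"{label}: {len(findings)} finding(s)")
        for flow, rule in findings:
            print(f"  {flow} is permitted by rule '{rule}'")
```

Against the weak policy the probes surface the three classic gaps (internet reaching an HMI over RDP, the OT zone talking to the internet for updates, and the corporate LAN speaking Modbus to PLCs), each attributed to the rule that permits it; the hardened policy yields none. Probing flows rather than pattern-matching rule text is deliberate: with first-match semantics a broad allow placed above a narrow deny is a gap that no per-rule check will see.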

In the aftermath of the Sarulla data breach, several immediate steps are recommended for the company and its collaborators:

  • Incident Response Investigation: Engage independent cybersecurity experts to analyze entry points, persistence mechanisms, and data exfiltration activity.
  • Data Classification and Containment: Identify what categories of data were exposed and prioritize containment of the most sensitive information.
  • Partner Notification: Inform all international project stakeholders and contractors of potential exposure to enable coordinated defense efforts.
  • Public Relations Strategy: Prepare a transparent and fact-based public statement to reassure investors, regulators, and communities dependent on the project.
  • Regulatory Reporting: Comply with Indonesia’s PDP Law by notifying the affected data subjects and the data protection authority within the 3x24-hour window it mandates.

Additionally, all partners in the Sarulla consortium should review access privileges and authentication systems so that any credentials exposed in the stolen material cannot be reused: rotate passwords, API keys, and VPN certificates that may appear in the documents, revoke active remote sessions, and enforce multi-factor authentication on every remote access path. Attackers holding project files and contact lists are well placed to pivot into the networks of suppliers and engineering subcontractors, whether by reusing credentials or by sending convincing phishing lures built from the stolen correspondence.

Broader Lessons for the Energy Sector

The Sarulla data breach underscores the need for continuous cybersecurity modernization within energy and infrastructure projects. Many of these environments still depend on legacy systems that were not built with modern threats in mind. Integrating robust detection systems, encryption policies, and segmented networks is no longer optional for companies operating in critical sectors.

Collaboration among government, private firms, and international partners is essential to mitigate the rising threat of ransomware in energy infrastructure. Regular penetration testing, network redundancy planning, and tested backups kept offline or immutable, so that they survive an encryption event, can help minimize the impact of future breaches.

Consumer and Public Response

Although the Sarulla Operation data breach primarily affects corporate and industrial data, the public impact cannot be ignored. Indonesian citizens may become concerned about the security of national energy systems or disruptions in power supply, even if the breach did not directly affect plant operations. The company’s transparency in addressing the situation will play a major role in maintaining public trust.

At the same time, this breach reinforces the importance of digital accountability in public-private partnerships. When national infrastructure projects rely on private contractors, their cybersecurity maturity directly affects the resilience of the entire sector. Strengthening vendor risk assessment and contractual security obligations will be key to preventing similar incidents in the future.

Final Outlook

The Sarulla data breach is a reminder that energy infrastructure, especially in emerging renewable sectors, remains a high-value target for organized ransomware operations. The combination of international partnerships, technical data, and regulatory exposure creates ideal leverage for attackers seeking large ransom payments. Even if no ransom is paid, the exposure of sensitive project files could harm trust among investors and contractors for years to come.

As of now, Sarulla Operation Ltd. has not issued an official statement. The scale of exfiltrated data and the ransom terms remain undisclosed. Botcrawl will continue monitoring for verified data samples or public statements from the company. Updates will be published if new evidence confirms the full extent of the breach.


Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.

