Threat Intelligence Tarot
Vol. II · 140
Criminal
risk 5/5
The National Brownout
Brain Cipher
LockBit 3.0 builder reuse
GovernmentNational data centersPublic servicesCritical sectors
Active since ~2024 · Extortion, Financial gain
The National Brownout does not aim at a single victim. It aims at a country — the data center that holds the licenses, the registries, the immigration logs — and stops the lights for everyone at once.
Tactics & Techniques
RCN
RDV
INI
EXC
PRS
PRV
EVA
CRD
DSC
LAT
COL
C2
EXF
IMP
T1486
Data Encrypted for Impact
Impact
T1490
Inhibit System Recovery
Impact
T1078
Valid Accounts
Persistence
T1567.002
Exfiltration to Cloud Storage
Exfiltration
T1027
Obfuscated Files or Information
Defense Evasion
T1059.001
PowerShell
Execution
Notable Operations
  • Indonesia National Data Center attack (June 2024) — 282 government services impacted
  • Free decryptor released after public pressure (July 2024)
  • LockBit 3.0 builder code base reuse
  • Continued public-sector targeting through 2024-2025
Defenses
  • National-scale active-active data center architecture
    NIST SP 800-34
  • Government cloud strategy with isolated tenant administrative planes
    FedRAMP equivalent
  • Crown jewel data inventory with mandatory offline backups
    CIS Control 11
  • National incident response coordination (CSIRT-level)
    NIST CSF: RS.CO
Reversed: Their Weakness
National data center single-points-of-failure are policy choices, not technical inevitabilities. Active-active geographically distributed government compute architecture removes this operator's largest leverage.

Share this adversary profile

Compare →

swipe to browse

← PreviousThe Self-Encrypting ThornNext →The Watching Child
Related Adversaries
The Beast of Edicts
Qilin
6 shared TTPs
The Self-Encrypting Thorn
Cactus
5 shared TTPs
The Loud Shame
8Base
5 shared TTPs
Data sourced from MITRE ATT&CK. For educational purposes.