Lax cybersecurity has exposed the personal data of millions of ordinary South Africans to hackers, and even President Cyril Ramaphosa’s home address, identity and cellphone numbers have been accessed illegally as hackers run rampant through flimsy security.
A series of screenshots supplied to the Sunday Times over the past month by a group of hackers calling themselves SpiderLog$, who have been running unauthorised vulnerability scans on government servers, show that government departments and state-owned companies are not safe and are “wide open” to intrusion.
The SpiderLog$ hackers said SA is a “playground for hackers”, and apart from top political figures, the department of defence (DoD) and the State Security Agency (SSA), which hold some of SA’s most sensitive military and intelligence information, have also been targeted.
Ramaphosa’s personal information is part of data that was released by hackers following the breach of credit bureau TransUnion in March. TransUnion said the hackers had aggregated the data stolen from it with data from other breaches unrelated to it dating back as far as 2017.
“We are aware that the criminal third party has aggregated and is releasing data allegedly obtained from TransUnion South Africa and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017. With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.”
It emerged from Sunday Times inquiries that the extent of the hack and the details it exposed may be far more widespread than originally believed.
“You can verify our findings with another company ... Yes, SA is a playground for hackers because anyone is able to map your country’s digital infrastructure,” said SpiderLog$.
It was initially reported that only 3-million consumers had been affected, but it now appears the group behind the TransUnion breach, which calls itself N4aughtySecTU, has combined this data with much more.
SpiderLog$, which accessed the hacked data, also managed to obtain details of a loan Ramaphosa took out in the 2000s from one of the top four banks.
The Sunday Times shared the information with the presidency, whose spokesperson Tyrone Seale said: “The president is concerned at the unlawful acquisition, use or dissemination of the personal information of any individual regardless of the position they occupy.
“Our law-enforcement agencies are working with partners in the private sector and the international community to combat cybercrime domestically and internationally. As in all countries, our capacity in this area has to evolve as the methods used to commit cybercrime evolve,” Seale said.
As ransomware attacks increase in SA, the government has been identified as worryingly vulnerable to a cyber onslaught that could either cripple it or result in confidential or personal information being leaked to malicious groups across the world.
In one example shared with the Sunday Times and authenticated by leading cybersecurity firms, the DoD and SSA's webmail interface — something experts say is one step away from full access to the department’s email server — was penetrated.
This creates a risk that state-sponsored hackers — considered the best equipped and most highly motivated — would not only be able to see all mail communication inside the department, they would be able to create and send emails using department accounts.
Also found by SpiderLog$ were the private IP addresses of government servers that are not meant to be visible to outside eyes, and their domains and internet service providers.
Last year the department of justice, the South African National Space Agency and Transnet were hit by debilitating ransomware attacks.
In the justice department attack, the entire IT system was encrypted and officials and members of the public were locked out.
This affected court operations, maintenance payments and the functioning of the Master’s Office, where deceased estates are processed. In 2020, hackers accessed the Guardian’s Fund and stole R10m.
The attack on Transnet and its port terminals unit led the state-owned company to declare force majeure after its operations were essentially blocked. At the time, public enterprises minister Pravin Gordhan said a criminal investigation was under way.
In January, Curo Fund Services, SA’s biggest provider of investment administration services with R2-trillion in assets under management, was locked out of its systems by cybercriminals for almost five days before its technicians regained control.
The N4aughtySecTU hackers demanded $15m (about R233m) from TransUnion as part of a “bounty” for finding the vulnerability, but TransUnion refused to pay, saying it was extortion.
TransUnion, which is still assessing the extent of the information stolen, was directed to inform all affected customers by the Information Regulator, which could fine it up to R10m.
The Information Regulator did not respond to requests for comment on the TransUnion matter despite undertaking to do so.
Cybersecurity consultant Johan Brider said the type of information available from the TransUnion breach makes it possible to launch social engineering attacks to upload very dangerous spyware to Ramaphosa’s phone, which would even enable the tracking of his movements. This would, he said, require skilled and well-resourced hackers.
However, the state vulnerabilities shown to the Sunday Times by the SpiderLog$ hackers are arguably more dangerous.
“The most troubling thing about the screenshot is that we can actually run different programmes to harvest credentials to give access to the department of defence, their webmail,” said Brider, who works with leading cybersecurity firm WolfPack Information Risk.
Bongo Sijora, director of cybersecurity firm Umboko Sec, said: “The exposure of defence department servers and IP addresses means malicious or hostile actors could see the internal communications between senior generals and officers. It also exposes the department’s weapons systems and deployment plans and locations.”
Sijora said their research showed that SA has a funding gap of at least R18bn to secure all national key points and national departments from cyber threats.
WolfPack MD Craig Rosewarne said SA does not have proper statistics and research on the extent of its cybersecurity problem.
“SA’s been very slow off the mark in terms of keeping up with cybersecurity and privacy legislation ... But [the Protection of Personal Information Act] is a good piece of legislation, we finally now have an information regulator that’s still young ... but is showing its teeth, which is positive,” he said.
“The Cyber Crime Act, which dictates penalties for the various types of cybercrimes, is good and now gives prosecutors jurisdiction in terms of what they can prosecute. But the structures that are needed to enforce the act, or the other elements that are needed to investigate, arrest and prosecute, still need to be developed drastically.
“The skills, the training — think about the police where you need to report these cases — are not properly equipped yet.”
Scarybyte, a firm that claims to be SA’s only military-grade cybersecurity firm, said in today’s cyberthreat environment, companies are using proxies to hide IP addresses to distract the attackers.
“Discovering the private addresses used within an organisation can help an attacker in carrying out network-layer attacks aiming to penetrate the organisation's internal infrastructure.
“There is not usually any good reason to disclose the internal IP addresses used within an organisation's infrastructure,” said the company’s strategy director, who asked not to be named.
Besides the defence department and SSA, another security cluster department found wanting by the hackers was the department of justice, the victim of several hacks and ransomware attacks, whose intranet was penetrated by SpiderLog$.
SSA spokesperson Mava Scott said it isn’t true that an organisation is vulnerable and at risk because its internet and business services are visible on the internet.
“The opposite is in fact not desirable, that is, for the business or government services not to be seen and accessible on the internet, unless that business is conducted on the dark net. It should also be noted that unauthorised access to government or business sites is an offence,” he said.
Scott said the “SSA and the government have a cybersecurity management cycle which ensures that the security of systems is tested regularly against vulnerabilities and threats; and security countermeasures and controls are put in place to address such vulnerabilities and threats whenever they are detected”.
Scott said the SSA advises government and state organs to ensure that they also back up their information regularly.
Transnet said it has deployed adequate systems to detect and respond to malicious activities on its network.
“The organisation is continually updating its incident response plans and attains regular independent reviews to ensure it addresses the ever-changing threat landscape. Transnet also complies with the requirements and standards set by the information regulator,” it said.
The department of justice did not respond to questions.