Justice department loses millions in yet another cyber attack
Cyber thieves have breached the Department of Justice systems for the third time in as many years, again making off with millions of rand.
TimesLIVE has learnt the hackers targeted the department’s Guardian’s Fund in KwaZulu-Natal and the Free State and made off with R18m.
The thieves pulled off the heist on April 6, but the attack was only discovered and reported five days later, a departmental insider told TimesLIVE.
Because of the cyberattack, payments from the affected offices were suspended pending the investigation, and have yet to be resumed. The department said it would resume payments on Thursday, June 1.
The Guardian’s Fund, which falls under the master of the high court, was created to manage money on behalf of those legally incapable of managing their affairs. This includes minors, unborn heirs, and missing or absent people.
According to the fund’s annual financial statements for the financial year ending in 2022, the fund had just over R17bn in reserves invested with the Public Investment Corporation. The fund is administered in five other masters’ offices, in Cape Town, Pretoria, Bloemfontein, Kimberley and Makhanda.
“They say it’s hackers, but I smell a rat,” the insider told TimesLIVE.
“It’s the same account, (and) it happened the same way as last time. There has not been any media statement (from the department), and they have suspended payments for the poor orphans with no plan for it also to be communicated internally.”
The department confirmed the cyberattack, saying it is being investigated by the Hawks, the Financial Intelligence Centre and an internal forensic team.
Spokesperson Stephans Mahlangu said the department saw the need to manage cybersecurity as a strategic concern and had invested heavily in several initiatives to strengthen controls and defensive capabilities. This, he said, included renewal of infrastructure, contracting external skills and expertise, establishing processes to uncover vulnerabilities and weaknesses, as well as regular awareness and training for staff.
“The department categorically refutes the assertion that it is unable to secure itself, information, as well as bank accounts. The department, like any other organisation operating in the cyber realm, is confronted with constantly evolving and increasingly sophisticated cyber threats that in many cases are well ahead of the existing protective measures,” Mahlangu said.
“The department has implemented a layered range of cyber security controls to protect its information and related assets, including administrative and technical controls, ranging from policies and procedures, access controls, malware protection, intrusion detection systems, network monitoring, and so on. These security controls are regularly being monitored, tested and audited by external parties to ensure they remain effective.”
This latest hack is apparently identical to another one pulled off in September 2020 when the thieves siphoned R10m from the department in 11 transactions.
A year later, the department’s entire IT system was encrypted and officials and members of the public were locked out. This affected court operations, maintenance payments and the functioning of the master’s office, where deceased estates are processed.
Earlier this month, the information regulator reportedly found the department guilty of negligence for failing to prevent the data breach which led to it losing about 1,204 sensitive files. The regulator said the department did not take adequate steps to safeguard its IT systems against hackers.
The regulator’s investigations reportedly found that if the department had renewed its security incident and event monitoring (Siem) and intrusion detection system licences, the breach would have been prevented. The licences apparently expired in 2020.
The regulator’s spokesperson, Nomzamo Zondi, said: “Had the department renewed these licences it would have been able to receive alerts of suspicious activities of unauthorised people or it would have been able to monitor unusual activities on their network and keep backup of their lost files.”
The regulator has served the department with an enforcement notice and ordered it to renew the software licences and take disciplinary action against implicated officials within 31 days.
Cybersecurity company Scarybyte said government infrastructure in general was facing often-severe cyberattacks. The Sandton-based firm recently helped Postbank stem fraud and cyber vulnerabilities that had seen the organisation lose R150m.
“The rapidly changing digital landscape necessitates a dynamic approach to cybersecurity, encompassing state of the art technology, skilled personnel, and robust procedures,” said the firm’s CEO Karim Jaber.
“Experiences at the Postbank have emphasised that a proactive, multilayered approach to cybersecurity is vital ... The DoJ's repeated breaches indicate that their cybersecurity measures may need bolstering,” he said.
“Given the nature of these repeated attacks, we cannot rule out the involvement of insiders. It's imperative to have a comprehensive approach to security that considers both external and internal threats.”