Attack on justice department’s IT system a ‘cyber warfare’ assault

Experts say the recent trend of attacks on banks and Transnet must be looked at together, especially in light of this latest incident

Seelyst calls itself 'an elite hacker group' on a mission 'to combat the oppressive control of the government'. Stock photo. (123RF/dolgachov)

Hackers who targeted the justice department’s IT systems have stolen an untold number of personal details, believed to belong to staff and ordinary citizens, in an apparently highly sophisticated ransomware cyber attack.

While the department has confirmed this month’s attack was a ransomware assault, it has denied media reports that its backup computer servers and the data that was stored on the systems had been encrypted and was being held for a R33m ransom.

On Monday Mybroadband reported that the hackers had demanded R33m in bitcoin for the database to be decrypted.

The attack affected magistrate’s and high courts across the country, as well as the payments of thousands of maintenance orders.

Cybercrime expert Jacques van Heerden says the attack on the justice department could be part of a cyber warfare assault on SA. (Simphiwe Nkwali)

The assault, which IT forensic expert Jacques van Heerden described as a cyber warfare attack, comes after African Bank on Wednesday confirmed that personal data, including that of a number of the bank’s loan customers under debt review, was compromised after a cyber attack on debt collector Debt-IN.

Though the Debt-IN attack occurred in April, it was only discovered last week, said the bank’s chief risk officer, Piet Swanepoel, during an interview with Business Day.

He said they had notified “the relevant regulatory authorities and are alerting customers who have been affected”.

Last month hackers launched a major cyber attack on Transnet, bringing its port operations to a grinding halt for a week.

A Sunday Times Daily source with knowledge of police investigations said ransomware had been installed on the department’s IT servers and that the backups had been severely affected.

“This is a bloody mess. Entire systems have been affected. It’s not just affecting the courts, but other government departments and agencies linked to the department.

“The information regulator’s office was affected by this assault.”

He said a high-level intergovernmental agency investigation, involving crime intelligence, the Hawks and State Security Agency, was under way.

“Investigators are looking at whether there are any links between the Transnet assault and the justice department attack. The problem is no one has been able to identify how the attack was launched or when it was launched. We are flying blind. Systems at the department are brought online, only for investigators to discover that other parts of the system have been affected.”

He said personal information had been compromised “and now there is big concern that banking and the private details of potentially thousands of ordinary citizens is severely compromised”.

“No one knows the extent of the impact, but what we can say is it will be huge. The ransomware is locking certain systems. Reports are that multimillion financial demands for decrypting databases are being made.

“That information is being kept tightly under wraps though.”

Department of justice and constitutional development director-general, advocate Doctor Mashabane. (Department of justice and constitutional development)

In response to detailed questions from Sunday Times Daily, the department’s director-general, advocate Doctor Mashabane, said reports that a R33m ransom was demanded for the decryption of its IT servers were “inaccurate”.

“The department would like to place on record that though the breach is attributed to a family of ransomware, it has not received any ransom demand after the breach. The department is now rebuilding its backup infrastructure, and so far has not experienced any encryption in this regard.”

He said investigations were ongoing to establish the identity of the perpetrators.

Mashabane said all their IT systems had been compromised, from a system administration and end-user perspective.

He said the department’s IT team, with selected industry parties and organs of state, were working to contain the spread of the malware and get services safely back online.

“Other processes are under way to address challenges that are being experienced.

“Priority has been given to services affecting the public directly, particularly as it pertains to beneficiary payments [maintenance], and ensuring that court proceedings continue.”

He said they were working with banks to ensure payments were received.

Mashabane said while the electronic court recording systems which were affected were back online, the Master’s Offices were continuing to operate manually.

“Senior officials critical to rendering key services have been placed on an alternate, secured email system. This functionality is being extended to all employees.”

He said after a report from investigators on Sunday, they discovered that some personal information may have been “exfiltrated, accessed and sent outside the organisation”.

“We are establishing the exact nature of personal information that has been accessed, as well as the affected parties involved.”

Van Heerden said the three latest cyber attacks were definitely “touching on cyber warfare”.

“Given that they are against financial and critical government institutions, they cannot be looked at in isolation.”

He said the attacks were all ransomware and had been designed to have maximum impact.

“Investigating these is going to be tough. One has no idea when they were launched or whether the ransomware has truly been removed.”

He said officials working from home on unprotected Wi-Fi systems were among the biggest inadvertent threats to organisations.

“That’s because while a company can securely guard who accesses its internal Wi-Fi system, the same control cannot be exerted on officials working from home on uncontrolled Wi-Fi systems.”

Professor Danny Myburgh, MD of Cyanre. (Cyanre, The Digital Forensic Lab)

Professor Danny Myburgh of Cyanre, The Digital Forensic Lab, described the justice department breach as major.

“It’s called a big-game hunt. The attackers spend months looking for big targets where they will have huge impacts through their hacks. The department is a major target.

“What must be investigated is what the real motive is and whether it was really for ransom demands or to bring down critical government systems.

“Other questions to be asked are why are SA’s government departments, within weeks of each other, suddenly being attacked.”

Collen Weapond, the information regulator’s designee for the protection of personal information, said they were waiting for information from the department on what the root cause of the attack was and what steps had been taken to mitigate the impact of the attack.

“Their response will determine our next step and whether we launch our own investigation.”