Alarm bells sounded last week when two government agencies were hacked in quick succession.
The department of justice and constitutional development as well as the South African National Space Agency both confirmed that on 6 September they were hit with cyberattacks. There appears to be no link between the two but the inauspicious timing of the breaches has piqued public interest into how state institutions were so readily compromised — not forgetting that Transnet was similarly taken advantage of in July.
While the increasing prevalence of the incidents has rightly raised concern, some in the cybersecurity field are more worried about the nature of the attack.
“The question becomes, how hard is it?” asked Haroon Meer, founder of applied research company Thinkst. “Are you being attacked by state-sponsored attackers, or are you being attacked by garden variety schoolkids? And that’s where our complications ratchet up. In reality South Africa is so poorly prepared for it that we’re in that latter category.”
Both the justice department and rail, port and pipeline company Transnet fell victim to ransomware. The concept behind the method is simple: a hacker is able to infect a device with malware and subsequently encrypt the user’s files. A ransom is then demanded for them to be unlocked — usually to be paid in Bitcoin. The scope of data withheld can range from sentimental personal folders to information necessary to the functioning of multinational corporations.
The use of ransomware has surged over the last five years and by many estimates is still exponentially increasing.
According to software firm Check Points’ mid-year security report, for instance, ransomware attacks in the first six months of 2021 were up by 93% compared to the same period in the previous year.
Ransomware’s popularity is also linked to its ease of use. Put simply, ransomware hackers do not have to code for subtlety in their malware; it is very much the point that you become aware of its existence once it has latched onto a target’s files. Importantly, it also spreads easily through phishing emails or drive-by downloading — the download of malicious code when an infected website is visited.
What this additionally means is that those responsible for recent government breaches are not necessarily elite, well-funded or coordinated hackers.
“It’s basic hygiene elements that are not there,” says Craig Rosewarne, managing director at Wolfpack Information Risk. “Ransomware happens because systems aren’t necessarily patched as they should be. The vulnerabilities aren’t patched over; users aren’t necessarily aware.
“There’s a lack of monitoring of environments to tell there have been unsuccessful logins or strange activity coming from a certain IP address. It’s the foundational things that should be done consistently that aren’t getting done and as a result these things are getting through.”
While the recent attacks are of a more straightforward nature, the cost they have wrought has still been substantial.
Minister of Public Enterprises Pravin Gordhan could boast that not a cent was paid to the Transnet hackers, but the attack still set off chaos at the state company. Employees were immediately instructed to log out of all digital infrastructure, ports halted to a standstill and force majeure was declared — a clause that relieves parties in a contract of responsibility should extraordinary events block them from fulfilling them. Weeks after the event, Transnet was still working to restore 100% of its IT systems.
The justice department has similarly found its operations inconvenienced. The department confirmed on Monday that child maintenance payments had been delayed due to certain systems not being accessible, while court recording equipment was also affected. Despite assurances that contingency measures were put in place to prevent any unscheduled disruptions, the high-profile bail hearing of alleged crime boss Nafiz Modack was postponed on Wednesday, reportedly due to issues with recording. The department ignored questions from the Mail & Guardian into whether the problem was related to the hack.
The Information Regulator — essentially the watchdog of this sector — reported being impacted by the ransomware due to relying on the department of justice and constitutional development’s IT systems. With its website taken down for three days, it expressed concern that such an incident was allowed to occur.
“As the Regulator we are concerned about the high number of security breaches in South Africa. In August alone, 38 responsible parties suffered, and reported, security breaches,” chairperson advocate Pansy Tlakula said. “Responsible parties are reminded of their obligation under the Protection of Personal Information Act to secure the integrity and confidentiality of personal information of data subjects by taking appropriate, reasonable technical and organisational measures to prevent unlawful access to or processing of personal information.”
The Space Agency, meanwhile, told the Daily Maverick that it was mostly files that were available on a public domain that were affected. Neither it nor the justice department reported being contacted for a ransom.
For the entities that have been affected, and those that share their vulnerabilities, the attacks serve as a vital prompt to shore up their security structures. As Meer argues, these breaches may well indicate that a skilled sleuth could exercise far more malicious damage.
“In some way, these ransomware attacks are such an entry-level problem, but they’re actually helpful, in a really horrible way,” he says. “So imagine our department of justice, and imagine the importance of that information to a foreign nation state.
“If I was able to compromise that network, and I was able to tell every case that passed through or whatever information I wanted to steal from them, I’d happily keep that access forever and keep using it. If you have access to that treasure trove, why would you ever upset the apple cart? If your enemy is making a mistake, don’t disturb them. Even though the medicine is bitter, it’s medicine we need.”
Foreign meddling, in fact, would not be a novel concept. The Guardian’s Pegasus Project in July revealed that President Cyril Ramaphosa was one of 14 heads of state and heads of government whose phone numbers appeared on a database of notorious Israeli spyware firm NSO Group. Apparently selected by Rwanda in 2019, there is no evidence that hacking of any sort was ultimately carried out.
The mere existence of such actors, however, might be cause for concern to government agencies that were so easily breached by less sophisticated methods. While any cybersecurity expert would be sure to point out that there is no bullet-proof guarantee, no system that is perfectly invulnerable, at this level the basic layers of protection are non-negotiable.