South Africa’s Department of Defence (DoD) maintains that its information communication technology (ICT) system was not hacked, two weeks after a cyberattack reportedly siphoned 1.6 terabytes of data from DoD systems.
A Saturday (2 September) statement attributed to Siphiwe Dlamini, Head of Communications (HOC), states that “preliminary investigations confirm the department has not been hacked”.
It continues: “This is the work of criminal syndicates within the cyberspace aided through information leaked from the Department”.
The DoD, according to the statement, “has policies in place that prohibit unauthorised access and sharing of classified information”.
“The investigation continues and perpetrators will be brought to book. The DoD assures South Africans that our systems are secured and measures have been put in place to ensure that the state information is not compromised.”
Darren Olivier, Director at African Defence Review, believes “this is a messy response from the DoD and not entirely convincing. The group claims to have had access to DoD networks for months and if an insider did leak this much data (apparently 200 TB according to the group) I’d expect there to have been arrests already.”
Olivier added that, “when the news first broke there may have been some justification for a confused response from the DoD, but there’s now sufficient information in the public domain that proves that the leak is real and extensive. More blanket denials without details aren’t going to earn trust.
“Moreover, even if this was an insider attack that’s not much better than an external attack. There should be no way for any individual on the inside to have this much access and be able to send so much data to Russian servers without being detected. Judging by what security researchers have posted so far the leak is a combination of material from network shares and the contents of certain employees’ computers. I believe nearly all the documents are Restricted or Confidential but there are claims of Secret documents included.”
Based on what security researchers have released publicly so far it looks like it was content on the DoD’s intranet that was breached and not any of the Red classified networks, Olivier stated. “If so, that limits the damage. But nobody can be certain until the entire leak has been released.”
Olivier cautioned that classified data hygiene standards within the SANDF have been slipping for years. “I’m also not at all surprised if the intranet has been breached. Security on that network has been an afterthought for decades and some of the systems running on it are ancient, unsupported, and unpatched. Funding for replacements is low & SITA has lost many specialist skills. In fact, I’ve long assumed that this level of network in any South African government department has been more or less persistently infiltrated by other countries and can’t be considered safe or secure. Talks with DoD and the Council for Scientific and Industrial Research security personnel over the years have reinforced that.
“There is also clear evidence of poor security standards on the intranet. First, researchers have shown that DoD personnel stored personal documents and files on DoD machines, which are now all unfortunately leaked. Second, this much data leaving the DoD should’ve been detected. If the hack or leak or whatever we want to call it was limited to the intranet then the damage will be at least contained. Few files are truly secret, though perhaps embarrassing, and no key operational systems would’ve been compromised. It’ll be a lesson painfully learned.
“The one thing neither we nor government should do is bury our heads in the sand and pretend that things are okay as long as the files aren’t reported on. The data is out there now, our adversaries already have it. What matters is how the DoD recovers and prevents a recurrence. It’s time to take the cybersecurity of our national departments much more seriously. If this kind of attack can happen at the DoD it can happen at Home Affairs, DIRCO, Energy, Public Enterprises, the Presidency, the SAPS, and a host of other crucial departments too,” Olivier concluded.
The hack, apparently the work of the Snatch group, extracted massive amounts of data allegedly containing military contracts, ‘internal call signs’ and personal information. On 21 July the Snatch group claimed responsibility for the data breach and published “a proof pack” a month later. This reportedly contained Defence Material Division personnel information, including contact details. The group subsequently made the hacked data available for download but defenceWeb could not verify this as it would take ten days to download.
Addressing delegates at last month’s MICSSA (Military Information and Communications Symposium of South Africa), SA National Defence Force (SANDF) Chief General Rudzani Maphwanya said the force needed to modernise its ICT and ensure its information systems are secure in light of increasingly sophisticated threats. Defence ICT, according to him, is not “just a support capability but an arm of the fifth domain of warfare”.
On Thursday (31 August) the senior officer tasked with overseeing SANDF Cyber Command, Brigadier General Mafi Mgobozi, was promoted to Chief Command and Management Information Systems (CMIS). His accession to major general took place during a SANDF Chief Work Session at Rhemardo Holiday Resort, Mookhopong in Limpopo, SA Army Corporate Communication reported. His replacement as what Army communications term “Director Cyber Communication” is not named.