Answers sought on apparent SA defence cyber attack


In the same week South Africa’s senior soldier warned of “increasingly sophisticated threats” against military information and communication technology (ICT), both the SA National Defence Force (SANDF) and Department of Defence (DoD) were reportedly subjected to a cyber attack.

The attack, purportedly carried out by the Snatch group, extracted 1.6 terabytes of data from DoD systems. The data allegedly contains military contracts, ‘internal call signs’, and personal information.

On Friday, Department of Defence spokesman Siphiwe Dlamini told News24 that there had been no leak, while SANDF spokesperson Brigadier General Andries Mahapa said it was “fake news”. At the time of publication, defenceWeb was still awaiting official comment from the SANDF.

Democratic Alliance (DA) shadow defence and military veterans minister Kobus Marais said the motive for this alleged attack is not clear, other than the ransom attackers accusing the South African government of fuelling the “international illegal arms trade”.

The Snatch group first said it was responsible for the data breach on 21 July, and a month later published a ‘proof pack’ containing Defence Material Division personnel information, including contact details. The group said the breach “exposes the current government as totally corrupted, involved in international illegal arms trade. It reveals illegal traffic on the African continent and all interested parties from other countries, mainly from the United States.”

The group subsequently made the hacked data available for download, but defenceWeb could not verify this as it would take ten days to download the file. The release came midway through the BRICS Summit in Johannesburg, with Snatch stating that the summit “is just a screen issued by the white masters from a country with a constantly stumbling president.”

In light of SANDF Chief General Rudzani Maphwanya’s mid-week address to MICSSA (Military Information and Communications Symposium of South Africa), Marais maintains Minister Thandi Modise should react “either declining or confirming the veracity of the alleged ransomware attack”.

“If confirmed, South Africa needs to know when the attack took place; what type/s of information was compromised, was a ransom demanded and – if yes – how much?”

While the country waits for confirmation, Marais notes “it won’t be surprising if it turns out to be true”. He justifies this by pointing to what he sees as skewed spending priorities in the DoD/SANDF. “These are questionable with most of the money going to non-essential expenditure which could have resulted in DoD IT (information technology) enterprise architecture becoming dated and vulnerable to ransomware attacks.”

Addressing MICSSA delegates at the CSIR Conference Centre on 22 August, Maphwanya said the SANDF needed to modernise its ICT and “ensure” its information systems are secure in light of increasingly sophisticated threats. Defence ICT, according to him, is not “just a support capability but an arm of the fifth domain of warfare”.

In January, parliamentarians heard from the head of SANDF Cyber Command, Brigadier General Mafi Mgobozi, that the Command was functioning “but not optimally”. He said the Command “is able to be proactive when responding to cyberattacks and can undertake threat analysis”. This includes detection and identification of cyber threats; development of a threat taxonomy to predict possible threats; and monitoring adversary trends as well as emerging supply chain threats.

South Africa’s cyber defence capacity at SANDF level has three strategic goals – capability development; cyber security awareness, research and training; and national as well as international co-ordination and collaboration, according to his presentation.