The South African National Space Agency (Sansa) has been the victim of an attempted cyberattack, and 20GB of data taken from one of its servers has been posted online.
A group calling itself CoomingProject has claimed responsibility for the attack.
Some of the group’s other victims include cloud cryptocurrency mining service Miningbase and the hacker community Hacker.org.
An analysis of the data taken from Sansa’s servers indicates that the attackers gained access to a file server which does not appear to contain any sensitive data.
This hack of Sansa’s server follows a cyberattack on state-owned ports, rail, and pipeline operator Transnet in July that severely disrupted South Africa’s ports.
The attack on Transnet brought operations at many of South Africa’s ports to a near-standstill.
With IT systems offline, Transnet had to rely on manual systems to process incoming and outgoing ships and the movement of containers.
The company declared force majeure on 27 July, and by mid-August public enterprises minister Pravin Gordhan said that Transnet had recovered most of its systems.
While the Transnet attack was suspected to be ransomware, CoomingProject states that they are not a ransomware gang.
In a statement to MyBroadband, the group said they are “a group like ShinyHunters”, which is known for stealing data from organisations and selling it on the dark web.
CoomingProject declined to reveal the vulnerability in Sansa’s systems which allowed it to gain access to the file server.
Emsisoft threat analyst Brett Callow told MyBroadband that while all gangs have the ability to encrypt and exfiltrate data, some choose to skip the encryption part and instead rely only on the threat of releasing their victims’ data to extort payment.
“The reason for this isn’t clear, especially as it may be less effective, but it may be because the gangs believe they’ll attract less attention from law enforcement by avoiding destructive attacks,” Callow said.
“CoomingProject is relatively new and, at this point, very little is known about the operation or those behind it.”
MyBroadband contacted Sansa for comment, and the agency confirmed the data breach.
“On 6 September 2021, Sansa was notified of a possible breach to the IT system. A file consisting of Sansa information was in the public domain,” a spokesperson for the agency said.
“An internal investigation was conducted, and it was determined that no network breach occurred. The file dump was from the public anonymous FTP server that is active at the Sansa Hermanus facility.”
Sansa said that the server did contain personal information of previous students at Sansa.
“Most of the data is information that can be accessed in the public domain as it refers to research related work in Space Science,” said the agency.
Sansa said that it has completely removed public anonymous access to the FTP server.
It committed to notifying the Information Regulator about the breach, and said that all affected parties will also be notified.
“Takedown requests have been sent to sites and domains hosting the data,” Sansa stated, but acknowledged that the data might remain on the Internet despite its attempts to have it removed.