Hacking group SpiderLog$ has obtained the details of a loan President Cyril Ramaphosa took out from one of South Africa’s top four banks in the 2000s, the Sunday Times reported.
SpiderLog$ said it was able to use data leaked by another group called N4ughtySecTU after it breached credit bureau TransUnion earlier this year.
The dataset included Ramaphosa’s home address, ID number, and cellphone numbers.
TransUnion disputed that leaked Home Affairs data came from its servers, saying that the attackers had obtained it from an earlier breach.
Ramaphosa was not the only prominent figure whose data was allegedly exposed in the TransUnion breach.
At the time, N4ughtySecTU threatened to leak the personal data of President Cyril Ramaphosa and EFF leader Julius Malema.
SpiderLog$ used Ramaphosa’s data to draw attention to glaring vulnerabilities in South African security systems, especially those employed in government departments — including defence and state security.
“South Africa is a playground for hackers because anyone is able to map your country’s digital infrastructure,” the group told the Sunday Times.
According to the report, SpiderLog$ supplied screenshots to the paper to prove it could access sensitive military and intelligence data.
Cybersecurity firms warned that the vulnerabilities discovered by a hacking group could lead to attackers intercepting sensitive military and intelligence information.
In one of the screenshots, SpiderLog$ showed it could gain entry to the defence and state security departments’ webmail interface.
The paper verified the group’s claims with cybersecurity firms WolfPack Information Risk and Umboko Sec.
WolfPack Information Risk consultant Johan Brider said the most troubling thing they saw in the screenshot was that an attacker could run programs to harvest credentials that could give access to the department of defence’s emails.
SpiderLog$ was also able to identify the private IP addresses of the government’s servers, their domains, and Internet service providers.
Cybersecurity provider Scarybyte’s strategy director told the paper that companies use proxy servers to hide IP addresses and that there isn’t usually a good reason to disclose internal IP addresses.
Umboko Sec director Bongo Sijora told the Sunday Times their research showed a shortfall of at least R18 billion in government spending on securing national key points and departments from cyber threats.
Several government entities have fallen victim to severe cyberattacks in the past year.
In July 2021, Transnet’s port systems were taken down following a ransomware attack, leading to substantial delays in shipping at various points of entry to South Africa.
The Department of Justice also suffered a ransomware attack in September 2021, which locked it out of its files and systems.
That impacted the courts and the Master’s Office, which had a knock-on effect on several critical services — including maintenance payments and deceased estates.
The department only managed to return some of its online services four weeks later and has had to recover data from physical records.
It recently emerged that the attack occurred less than a week after the department’s IT contracts had lapsed in August 2021, and its internal officials took over troubleshooting and reporting.
More recently, the government’s DigiTech “app store” illustrated its apparent inability to properly secure online systems.
The website’s developer had set up the site to allow anyone to register an account and upload a “digital product” with video links and images.
Some South Africans discovered they could exploit the poorly designed system and spammed the site with listings pointing to the “Rickroll” — a YouTube video of Rick Astley’s hit song Never Gonna Give You Up.
However, a security researcher who spoke to MyBroadband warned the site used extremely outdated and insecure technology.
The system also allowed anyone to upload arbitrary HTML, which attackers could have used for cross-site scripting (XSS) attacks.
Any script embedded in a listing would have executed in the browser as soon as a user clicked that listing, potentially infecting them with malware or launching other kinds of attacks.
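To illustrate the listing-page flaw described above, here is an added example (not code from the DigiTech site, its developer, or MyBroadband) that renders a user-submitted “digital product” two ways: once by splicing the submitted fields straight into HTML, and once by HTML-escaping free text and accepting only https video and image links that pass a host allowlist. The listing shape `{ title, description, videoUrl, imageUrl }` and the allowed hosts are assumptions.

```javascript
// Added example, not the DigiTech site's code. Assumed listing shape:
// { title, description, videoUrl, imageUrl }.

// Escape the five characters that let text break out of an HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Assumed allowlist for video links (the article mentions YouTube videos).
const ALLOWED_HOSTS = new Set(['www.youtube.com', 'youtu.be']);

// Return a normalised https URL, or null if the link is unparseable, uses a
// non-https scheme (javascript:, data:, http:) or points at a host off the list.
function safeUrl(raw, allowedHosts) {
  let url;
  try { url = new URL(String(raw)); } catch { return null; }
  if (url.protocol !== 'https:') return null;
  if (allowedHosts && !allowedHosts.has(url.hostname)) return null;
  return url.href;
}

// Vulnerable rendering: raw interpolation, so uploaded HTML and script run
// in every visitor's browser when the listing is opened.
function renderListingVulnerable(l) {
  return `<h2>${l.title}</h2><p>${l.description}</p>` +
         `<a href="${l.videoUrl}">video</a><img src="${l.imageUrl}">`;
}

// Hardened rendering: escape text, validate URLs, drop anything that fails.
function renderListingHardened(l) {
  const video = safeUrl(l.videoUrl, ALLOWED_HOSTS);
  const image = safeUrl(l.imageUrl, null); // any https image host
  return `<h2>${escapeHtml(l.title)}</h2><p>${escapeHtml(l.description)}</p>` +
         (video ? `<a href="${escapeHtml(video)}">video</a>` : '') +
         (image ? `<img src="${escapeHtml(image)}">` : '');
}

// Constructed sample listing carrying an injected script and a javascript: link.
const SAMPLE = {
  title: 'Free e-book <script>alert(1)</script>',
  description: 'Click "here"',
  videoUrl: 'javascript:alert(document.cookie)',
  imageUrl: 'https://example.com/cover.png',
};
```

Run both renderers on `SAMPLE`: the vulnerable output contains the script tag and the `javascript:` link verbatim, while the hardened output shows the script as inert text and omits the link entirely.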