South African Department of Defence hacked — attackers allegedly leak Ramaphosa’s number

A ransomware gang calling itself “Snatch” — after the iconic Guy Ritchie film released in 2000 — has claimed responsibility for exfiltrating 200 terabytes of data from the South African Department of Defence (DOD).

The group has apparently posted only a fraction of the data it stole online, releasing a 499GB compressed archive that it says extracts to around 1.6TB of data.

A security researcher who spoke to MyBroadband on condition of anonymity confirmed that the leak appeared legitimate.

They said the data came from the DOD, not an affiliated company like Armscor or Denel.

In addition to leaking DOD data, Snatch also posted the contact information of several senior government officials online — including phone numbers it says belong to Cyril Ramaphosa.

Checking the list of eight cellphone numbers against Truecaller’s database revealed that two could belong to South Africa’s sitting president.

According to cybersecurity company Sophos, Snatch uses an attack model where they penetrate enterprise networks via automated brute-force attacks against exposed services, then leverage that foothold to spread internally within the target organisation’s network through human-directed action.

Their malware reboots Windows machines into Safe Mode before encrypting the data they wish to hold ransom.

“The attackers may be using this technique to circumvent endpoint protection, which often won’t run in Safe Mode,” Sophos said.

When it discovered this attack vector in 2019, Sophos quickly raised the alarm, as ransomware that runs in Safe Mode posed a significant threat.
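The Safe Mode behaviour Sophos describes gives defenders something to hunt for in process-creation logs: a boot-configuration change to Safe Mode followed shortly by a restart on the same host. The Python below is an added example, not code from Sophos or MyBroadband; the log records are constructed, and the record layout and the 10-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (timestamp, host, command line), in the
# spirit of Windows 4688 / Sysmon Event ID 1 data. Not from any real incident.
SAMPLE_EVENTS = [
    ("2023-08-21T02:10:05", "FS01", r"C:\Windows\System32\bcdedit.exe /set {default} safeboot minimal"),
    ("2023-08-21T02:10:09", "FS01", r"C:\Windows\System32\shutdown.exe /r /f /t 00"),
    ("2023-08-21T09:30:00", "WS17", r"bcdedit /deletevalue {default} safeboot"),  # leaving Safe Mode
    ("2023-08-21T09:31:00", "WS17", r"shutdown /r /t 0"),
    ("2023-08-21T11:00:00", "WS22", r"bcdedit.exe /set {current} safeboot network"),
    ("2023-08-21T14:45:00", "WS30", r"shutdown.exe /s /t 60"),  # power-off, not a restart
]

# bcdedit invoked with /set ... safeboot (switches the next boot to Safe Mode).
SAFEBOOT_SET = re.compile(r"\bbcdedit(\.exe)?\b.*[/-]set\b.*\bsafeboot\b", re.I)
# shutdown invoked with /r (restart).
RESTART = re.compile(r"\bshutdown(\.exe)?\b.*[/-]r\b", re.I)


def find_safe_mode_reboots(events, window=timedelta(minutes=10)):
    """Return alerts for hosts whose boot configuration was switched to Safe Mode.

    Severity is "high" when a restart follows on the same host within `window`,
    otherwise "medium" (the change only takes effect at the next boot).
    """
    alerts = []
    pending = {}  # host -> index in alerts of its latest Safe Mode change
    for ts, host, cmd in sorted(events):
        when = datetime.fromisoformat(ts)
        if SAFEBOOT_SET.search(cmd):
            pending[host] = len(alerts)
            alerts.append({"host": host, "time": when, "severity": "medium", "cmd": cmd})
        elif RESTART.search(cmd) and host in pending:
            alert = alerts[pending.pop(host)]
            if when - alert["time"] <= window:
                alert["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for a in find_safe_mode_reboots(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["time"].isoformat(), a["cmd"])
```

Administrators do occasionally boot machines into Safe Mode for repair, so a "medium" hit is a prompt to check who made the change rather than proof of compromise.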

In addition to the novel modus operandi, Sophos also found from recruitment posts that Snatch only accepted Russian speakers into the gang.

Interestingly, the Russian-language gang chose the week of the BRICS Summit, which is being hosted in South Africa, to release the data it exfiltrated from the DOD.

According to Snatch itself, this was no coincidence.

“The project is a year old, about 200TB of data was extracted during the year,” it said in a post online.

Screenshot from the Snatch ransomware group’s website about data it stole from the South African Department of Defence

Snatch said it specifically chose the week of the BRICS summit to release the data. It then used the opportunity to spread its message that South Africa is laundering arms for the United States and money for corporations.

They also accused Ramaphosa of being “the main arms baron of the black continent or the main gasket for laundering arms contracts in the USA.”

Additionally, the attackers said, “The BRICS summit for Africa is just a screen issued by the white masters from a country with a constantly stumbling president.”

Snatch’s statement revealed a relatively poor grasp of geopolitics and South Africa’s domestic politics.

Ramaphosa’s government has been routinely criticised for its unaligned stance on Russia’s invasion of Ukraine.

Political analysts have warned that South Africa stands to be excluded from the United States’ African Growth and Opportunity Act (AGOA), losing out on billions in exports.

Former World Bank president David Malpass warned South Africa was playing with fire by trying to play countries against one another, which could hurt the country’s relationship with the US.

US ambassador to South Africa, Reuben Brigety, accused South Africa of supplying weapons and ammunition to Russia earlier this year.

This was after the Russian cargo ship Lady R controversially docked at the Simon’s Town naval base to offload weapons South Africa had ordered before the Covid-19 pandemic.

The South African government maintains that Lady R returned to Russia empty.

Defence minister Thandi Modise infamously said, “We did not send fokol to Russia, not even a piece of Chappies [bubble gum].”

In addition to their claims that South Africa was in bed with the United States, Snatch also said their website has faced constant denial-of-service attacks since posting the South African DOD leak.

“The folks from the Ministry of Defense (or their American curators) really do not want this information to pop up at the summit’s eve so… We have not seen such a powerful attack on our resources even from the French side,” they said, referring to previous leaks.

“This is not surprising at all — when people launder billions of dollars on state contracts and feed international corporations, they are surely ready to spend a couple of extra million dollars to destroy our source of information.”

Several days later, the group said it was beginning to feel respect for Africa.

“Neither the Americans nor the Europeans could afford to spend such resources to attack our project,” they claimed.

“Representatives of South Africa have been doing this for the third day in a row, and, judging by the level of the attack, it costs somewhere between 150k–200k dollars [R2.8–R3.7 million] a day. But frankly speaking, they would rather spend this money on their network infrastructure and security.”

MyBroadband contacted the Department of Defence for comment. It did not respond by publication.

Update — 27 August

Following media reports about the data breach, the attackers have stated that they are not the “Snatch” ransomware gang.

“We have nothing to do with the Snatch ransomware project that appeared in 2019 and existed for about 2 years,” they claim.

“We are the Security Notification Attachment (SNAtch for short) Team, a group specializing exclusively in leaked sensitive data.”

The group said it does not deal in ransomware.

“We don’t aim to stop a company [or critical infrastructure] from operating by attacking it with software that blocks the control servers,” Snatch stated.

“If journalists analyze our work carefully, they will see that not a single client of ours has been attacked by a malware that can be called Snatch,” they said.

“Yes, many of them have been attacked by various ransomware, as we are open for cooperation and often groups that work in this direction give us unique confidential data that were leaked from the attacked companies. But once again, the Snatch locker that we are compared to in the media has never been used.”
