Interview with the hackers who broke into South Africa’s Department of Defence

The attackers who claimed responsibility for breaching the South African Department of Defence and exfiltrating terabytes of data have told MyBroadband they still have access to the network.
Snatch, named for the iconic Guy Ritchie movie and a backronym for “Security Notification Attachment”, announced last week that they had breached the Department of Defence (DOD).
We contacted the group via instant message, and they provided a statement in response to our questions about the breach.
Initially, Snatch told people commenting on their posts about the leak that the breach had been ongoing for a year and that they had exfiltrated 200TB of data.
Snatch has subsequently told MyBroadband that they’ve had access to DOD systems for around six months and downloaded 1.6TB of data — the claimed uncompressed size of the archive posted to their website.
“The attack on South Africa has lasted for about half a year, starting as early as the end of 2022,” Snatch said.
“Ministry of Defense officials were categorically unwilling to accept information about penetration into the secure government network.”
Snatch said it made its first calls with warnings that the network is vulnerable in November 2022. They said they contacted the same officials on the list they posted to their website.
“As […] evidence [they] were given their call signs, which [is] internal information,” Snatch stated.
“This did not lead to any results — we were simply ignored.”
After their warnings were ignored, Snatch said they hacked ten to twelve internal servers and downloaded 1.6TB of data, including “military contracts, personal data of employees, and other information related to the security of the country,” they said.
“Afterwards, we have forgotten about the company for a few months — to remember about it in the summer of 2023.”
Snatch said it reported the leak to the DOD and invited representatives to their chatroom to discuss the situation.
“There was no talk of a buyout. Just an invitation to negotiate,” Snatch said in response to questions about whether they asked for money not to leak the data.
“The calls ranged from the president of the country to the cabinet and generals from the Ministry of Defense,” they said.
“It was pointless. People are so far away from cyber security that many of them did not even believe that there was any secret information on their servers.”
Snatch said they struggled to make people understand what was at stake.
“To put it simply, a lot of people didn’t even understand the word server, asking whether their laptop was hacked. Oh, my laptop is safe? Ok, that’s fine, bye.”
After leaking the data they had exfiltrated, Snatch said the South African government responded predictably.
“It always consists of three stages: Disbelief and laughter, trying to avoid publicity, and attempting to attack the resource where the information is posted and announcing to the media that the attack is fake,” Snatch said.
“This is how Europeans, Americans and Asians behave, everyone. Everyone.”
Snatch said the saddest thing was that the security of the DOD network has not changed.
“We still have a so-called hibernated fix inside the South African state networks,” the group said.
“We are making up our minds whether to continue attacking or [make it public and] giving everyone who has the skill and desire to attack the opportunity to do it.”
Snatch said South Africa was not the first country to be caught up in an arms scandal due to a leak, which then tried to keep it quiet.
“The first example were the French and their Hansoldt concern, Hemeria and Nexia, with the loss of over 6TB of top secret data, e.g. technological drawings of submarines using stealth technology,” Snatch stated.
“Then it was followed by a media blackout and complete silence on the leaks.”
Snatch reiterated at the end of their statement that they have nothing to do with the Snatch ransomware gang.
“We are the Security Notification Attachment,” they said.
Silence from the Department of Defence
Security researchers who downloaded a portion of the file and spoke to MyBroadband on condition of anonymity have said the archive Snatch posted as “proof of breach” appears legitimate.
They said the archive contains a mixture of personal and work files of Department of Defence and SANDF staff.
MyBroadband contacted various Department of Defence spokespeople for comment by email last Wednesday.
On Friday, SANDF spokesperson Brigadier General Andries Mokoena Mahapa reportedly told News24 the attack was “fake news”.
DOD Head of Communication Siphiwe Dlamini reportedly said, “Nope, none,” when asked whether there had been a breach.
We followed up with Dlamini and Mokoena by phone on Monday.
Dlamini retracted his denial, saying their personnel were relooking Snatch’s claims.
Mokoena also declined to stand by his statement that Snatch’s claims were “fake news” and pointed MyBroadband back to Dlamini.
“That was the information I had at that time,” Dlamini told MyBroadband regarding the DOD’s denial.
“Our guys are going through that, and I’m going to get updated information about what actually transpired officially by the end of the day.”
MyBroadband followed up with Dlamini on Monday afternoon, and he said he hadn’t heard back from the team yet. He said he hoped to have feedback that evening still.
As of Wednesday morning, the DOD had not provided feedback.