The South African National Defence Force (SANDF) has again denied that the Department of Defence’s network was hacked following claims of an alleged data breach last week.
In a statement on Saturday, 2 September 2023, the SANDF said the incident was the work of “criminal syndicates within the cyberspace” aided through information leaked from the department.
“The Department of Defence has policies in place that prohibit the unauthorised access and sharing of classified information,” stated Department of Defence communication head Siphiwe Dlamini.
“The investigation continues, and the perpetrators will be brought to book.”
The latest statement from the SANDF implies that it suspects the involvement of a department insider in providing the information to “criminal syndicates”.
The Department said it could assure South Africans its systems were secured and measures were put in place to ensure that state information was not compromised.
Terabytes of data allegedly stolen
This statement comes after the SANDF and DOD initially denied they had been the victims of a breach at all, then walked back the denial pending further investigation.
South Africa’s defence agencies have now continued to deny they were hacked but confirmed they suffered some kind of data leak.
A hacking group called Snatch claimed responsibility for the attack on the Department of Defence last week.
Snatch posted a 499GB archive online, which they say extracts to 1.6TB of data, as proof.
Security researchers who downloaded a portion of the archive and spoke to MyBroadband on condition of anonymity said the data appears legitimate.
In addition, the group published the contact details of several government and military officials, including phone numbers and private email addresses allegedly belonging to President Cyril Ramaphosa.
MyBroadband interviewed the group who claimed to be behind the attack.
In their version of events, there was no question that the incident included compromising the department’s network, as opposed to simply using data leaked by an insider.
They also alleged that they notified the department about its network’s vulnerabilities but were ignored.
“Ministry of Defence officials were categorically unwilling to accept information about penetration into the secure government network,” Snatch said.
“As […] evidence [they] were given their call signs, which [is] internal information,” Snatch stated.
“This did not lead to any results — we were simply ignored.”
They also said that discussions with senior officials of the department were pointless.
“People are so far away from cyber security that many of them did not even believe that there was any secret information on their servers,” Snatch said.
“To put it simply, a lot of people didn’t even understand the word server, asking whether their laptop was hacked.”
At the time of the interview, Snatch said it had been in the network for over six months and still had a so-called hibernated fix inside the South African state networks.
“We are making up our minds whether to continue attacking or [make it public and] give everyone who has the skill and desire to attack the opportunity to do it,” Snatch said.
This group has denied it has links with the Snatch ransomware gang.
Backpedal upon backpedal
MyBroadband first reported about the alleged hacking on Friday, 25 August 2023.
The Department initially failed to respond to our queries about the incident, but several of its spokespeople told News24 there was no breach.
SANDF spokesperson Brigadier General Andries Mokoena Mahapa slammed the claims as “fake news”.
But defence department communications head Siphiwe Dlamini subsequently walked back those statements on Monday, 28 August 2023.
“Our guys are going through that, and I’m going to get updated information about what actually transpired officially by the end of the day.”
The department failed to provide the promised feedback, instead issuing its most recent statement five days later.
MyBroadband again tried to contact the department for more details on its latest update on Saturday, but Dlamini had not responded to our calls or WhatsApp messages by the time of publication.
Update — 13:53
Following the publication of this article, Dlamini told MyBroadband the investigation into the incident was ongoing.
He did not provide further clarity on why the department did not consider the leaking of its data to a criminal syndicate as hacking.
He also did not confirm whether the department believed the incident occurred due to an insider leaking information to Snatch.