Hackers who breached South Africa’s companies database say it’s much worse than anyone knows
A ransomware gang claiming responsibility for the Companies and Intellectual Property Commission (CIPC) hack says they’ve had access to the agency’s systems since 2021.
The CIPC is an agency inside the Department of Trade, Industry, and Competition where companies, co-operatives, and intellectual property are registered.
The hackers contacted MyBroadband after the CIPC issued a press statement on Friday claiming that its “firewall and data protection systems” helped mitigate a recent data breach.
According to one of the group’s representatives, this is completely false.
They said the CIPC has tried to cover up the fact that it was breached almost three years ago and did nothing to address its weak security.
Additionally, the agency has been coy about the extent of the breach.
“Our ICT technicians were alerted […] to a possible security compromise and […] certain CIPC systems were shut down immediately to mitigate any possible damage,” it stated.
“Unfortunately, certain personal information of our clients and CIPC employees was unlawfully accessed and exposed.”
The attackers told MyBroadband that they got in by exploiting a vulnerability in a system developed for the CIPC by software development house Sword South Africa.
They said they could’ve exfiltrated the CIPC’s entire database — including plain text passwords and credit card information.
The exploit also gave them full access to company registrations. They could add or remove directors at will, or alter the records in other ways.
“They tried to cover their tracks when we pointed out the basic security holes. They are reckless with sensitive info,” the group said.
“This incompetence extended to them processing and storing credit cards in the clear.”
As proof of their claims, they provided private information MyBroadband would recognise.
They also pointed to a post on Pastebin as proof of their claim. The data sample contained several people’s full names, ID numbers, physical addresses, phone numbers, email addresses, and CIPC passwords.
The post is dated 2021.
We have not linked to the Pastebin post as it does not appear to be easy to find through simple searches.
The group also showed MyBroadband that it was possible to access someone’s CIPC user account without knowing their password.
Since the site is still vulnerable and live, we will not disclose any details about this exploit yet.
Hackers have CIPC systems’ source code
After their initial ransomware attempt in 2021, the attackers said they moved on when it seemed like the CIPC had cut off their access to its systems.
“Despite that public post [on Pastebin], no data was sold. Once our access was burnt, we moved on thinking they would tighten up security,” they said.
“Yes, data was encrypted, but only on one file-share server. We are just skids, and despite having domain admin creds, we never launched a full attack.”
Skids is a contraction of “script kiddies” — a derogatory or self-deprecating term used amongst hackers to describe those who have limited skills and only use programs or exploits developed by others.
“We had control over the entire estate in 2021 and just f****ed around,” they said.
“This time we got access to unencrypted card data and didn’t dump it… Why? Because although we want money, we are not after the individuals but the bigger organisations!”
Asked if their group had a name, the attackers said they didn’t.
“We do not have any affiliations or agenda besides finding entities [and] corporations with embarrassingly poor security. We do not go by any name. We are anonymous.”
Regarding their latest attack, the group said they returned to the CIPC nearly three years later to find it was vulnerable to exactly the same exploit as before.
This time, they also downloaded all of Sword South Africa’s source code for the exploited systems.
“The code is full of ridiculous security holes and it’s quite clear that these have never been through a security audit,” they said.
$100,000 ransom
“In this latest breach, we asked for a reasonable $100,000 [R1.9 million] in return for us deleting everything.”
The hackers said they still have a level of access despite the CIPC’s efforts to remove them.
“CIPC has tens of millions in the bank, and $100,000 could have been a write-off for them,” they said.
“We would rather them spend the real money on proper security audits.”
The attackers said the CIPC quietly published its POPIA note only after they threatened to go public.
“Not taking any accountability for the breach but rather saying that they discovered the breach because of their magic firewalls,” they said.
“We think the money wasted on incident response should rather go to rebuilding and properly securing the entirety of CIPC’s functions.”
MyBroadband contacted the CIPC for comment, forwarding all of the details the attackers provided to ask if they were aware of the full extent of the exploit.
The agency declined to comment.
“Kindly note that the questions you are asking are security related and have a potential to expose CIPC to further risks,” CIPC chief strategy executive Lungile Dukwana said.
He added that they are handling the matter with the relevant law enforcement agencies.
“The information provided in media release is adequate for now and will be updated should there be further developments,” Dukwana said.
MyBroadband also contacted Sword South Africa and various sister companies for comment. They had not responded by the time of publication.