Prominent private hospital group in South Africa hacked

Cyber extortion gang Everest Group has claimed responsibility for an attack on Mediclinic, stating that they exfiltrated 4GB of data and the personal data of 1,000 employees.
Mediclinic Southern Africa operates acute care private hospitals in South Africa and Namibia. It is 50% owned by Johann Rupert’s listed investment company, Remgro.
Screenshots on Everest Group’s dark web leak site suggest that the attackers got privileged access to Mediclinic’s human resources systems.
This includes everything from salary information to details about disciplinary actions. Another screenshot shows a listing of a user’s home directory.
Everest Group has given Mediclinic until just before 02:00 on Sunday, 1 June, to negotiate a price for not leaking the data.
MyBroadband contacted Mediclinic for comment, but it did not respond by publication.
Mediclinic was not the only company for which Everest Group released details this week. It also claimed responsibility for an attack on a Coca-Cola HR system.
Citing researchers from Venarix, Dark Reading reported that Everest’s latest attacks included files relating to SAP SuccessFactors, SAP’s cloud-based HR management platform.
Venarix believes Everest’s attack claims are legitimate. It also believes initial access in each case likely occurred through a third-party SAP service provider called “INK IT Solutions” based in Melbourne, Australia.
According to the report, the Everest Group was first spotted in December 2020, but never attracted much attention because of its slow attack rate.
Venarix attributes 148 known cyber incidents to the group, noting that it appears to be opportunistic in nature.
In some previous cases, Venarix found, the group also sold its initial access to an organisation’s systems rather than exploiting it itself.
South Africa under attack

The Mediclinic data breach is one of several attacks against prominent companies and government agencies in recent months.
Adidas South Africa notified customers this week that it suffered a data breach with people’s names, email addresses, phone numbers, genders, and birth dates potentially exposed.
MTN and Cell C also recently reported breaches.
While Cell C was up-front and provided details about the ransomware attack it suffered, MTN was more tight-lipped, only saying that some people in certain markets were affected.
Orange Cyberdefense’s head of security research, Charl van der Walt, recently told MyBroadband that cybercriminal activity targeting South Africa is expected to intensify in line with global patterns.
However, he also believes incidents could worsen faster in South Africa than elsewhere in the world.
He explained that, globally, the volume and intensity of cybercrime shows little sign of subsiding, adding that if anything, cybercrime merely shifts in response to geopolitical swings.
“In today’s climate, it’s very hard to predict if and how geopolitics shapes cybercrime in (South) Africa, but I can see very few scenarios in which the near future looks more secure to us,” Van der Walt said.
For example, South African organisations might expect to see more business email compromise scams as a result of lower digital literacy and weaker corporate finance governance protocols.
He added that they expect to see more crime stemming from fraudulent SIM swaps and alternate payment systems, while crypto-related thefts and fraud are expected to be less frequent.
Van der Walt said that, in addition to opportunistic criminals and more organised crime, state and state-aligned hacktivists are other threat actors to consider.
“State activities can be thought of broadly as espionage (which is common, continuous, and probably not really that ‘disruptive’) and ‘power projection’,” he said.
“State-aligned hacktivism is essentially a new form of state-aligned power projection, and so are mis- and disinformation, hack and leak campaigns, and targeted attacks on critical infrastructure.”
Van der Walt believes South Africa is very exposed to diverse forms of state-aligned power projection campaigns.
“To a degree, these are worrying because they have the potential to impact South Africa’s long-term financial and political prospects,” he said.
Mediclinic responds

Following publication, Mediclinic provided a statement revealing that the breach of its employment-related data had happened earlier this year.
“Upon learning of this incident, Mediclinic engaged the third-party IT service provider, who reported that it immediately took steps to ensure the containment of the incident,” the hospital group said.
“This included immediately isolating the affected system, resetting access credentials, and working with external specialists in an incident response investigation.”
Mediclinic said that as soon as it became aware of the incident, it took immediate action to assess and protect the integrity of its IT systems, alongside its cybersecurity partners.
“This assessment determined that the data impacted is limited to employment-related data, and we have taken appropriate steps to contact those whose data we believe may have been impacted,” it said.
“We are confident that no patient data has been affected, and we can confirm that Mediclinic did not experience any disruption to business operations.”
Since the incident, Mediclinic said it continued to implement further measures to enhance security safeguards with respect to third-party vendors.
“Mediclinic reported the incident to the appropriate regulators in each of our operating markets, and we continue to cooperate with the relevant authorities as needed.”