4 Min Read
Computer code on a screen with "ransomware" in red text
Source: Christophe Coat via Alamy

South African government officials are investigating reports that a ransomware gang stole and then leaked online 668GB of sensitive national pension data.

The alleged compromise of the Government Pensions Administration Agency (GPAA) data on March 11 has not yet been publicly confirmed, but the incident has already made national news in South Africa. The South African Government Employees Pension Fund (GEPF) stepped in to probe the claims by the notorious LockBit cybercrime gang.

GEPF is a top pension fund in South Africa, whose customers include 1.2 million current government employees as well as 473,000 pensioners and other beneficiaries.

"The GEPF is engaging with the GPAA and its oversight authority, the National Treasury, to establish the veracity and impact of the reported data breach and will provide a further update in due course," the pension fund explained in a public statement.

Not Properly Secured?

GPAA reportedly reassured the GEPF that it has acted to secure systems while the breach investigation was underway. However, preliminary investigations suggest that the LockBit claims may be related to a security incident the GPAA experienced in February.

The agency claimed an attempt to hack into its systems on Feb. 16 was unsuccessful, but that claim came under fire after the alleged LockBit leak. GPAA said in a public post on Feb. 21 that it shut down systems and isolated the potentially affected systems in response to what it characterized as an attempt to "gain unauthorized access to GEPF systems."

The agency said its administration system had not been breached.

"It looks like the right steps have been taken to ensure data safety following the incident by securing the compromised servers," says Matt Aldridge, principal solutions consultant at OpenText Cybersecurity. "However, the incident raises concerns about the overall security posture and resilience of the organization's systems."

Aftermath to Operation Cronos

The apparent attack against the GPAA comes just weeks after the Operation Cronos takedown, a law enforcement-led effort to disrupt the operations of LockBit and its ransomware-as-a-service affiliates.

LockBit and its partners took a blow from this action but have since resumed attacks using new encryptors and a rebuilt infrastructure, including a new leak site.

Amir Sadon, director of research at Sygnia, an incident response consultancy, says LockBit also set up a new data leak site and is recruiting "experienced pen testers."

"LockBit's rapid adaptation underscores the challenges of permanently neutralizing cyber threats, especially those with sophisticated operational and organizational capabilities," he notes.

Other experts caution that the leak of data from GPAA may stem from an attack that actually predates the Feb. 19 Operation Cronos takedown, so it would be rash to infer that LockBit is already back to full operational strength.

"The Government Pensions Administration Agency (GPAA) reported an attempted breach on Feb. 16 — prior to the takedown announcement," says James Wilson, a cyber threat intelligence analyst at ReliaQuest. "It is therefore plausible that LockBit are using an old attack as the basis of this claim in order to project the image that they have maintained their threat capacity."

LockBit is the most prolific ransomware group globally, and by far the most active ransomware gang in South Africa, accounting for 42% of attacks there in the last 12 months, according to Malwarebytes research shared with Dark Reading.

Ransomware groups like LockBit try to build a brand to attract affiliates and to ensure victims pay up. "Since Operation Cronos, LockBit will have been working hard to [re]gain the trust of affiliates, so the leak will be used as a way to demonstrate that they are continuing 'business as usual,'" says Tim West, director, threat intelligence and outreach at WithSecure.

Ransomware actors such as those behind LockBit primarily exploit two techniques to infiltrate companies: leveraging legitimate accounts and targeting vulnerabilities in public-facing applications.

They typically steal copies of a victim's data before they encrypt it to have two forms of leverage during ransom negotiations. Then they demand payment in return for the data, threatening the release of the information through leak sites if ransom isn't paid.

Thwarting Ransomware Attacks

Adopting proactive defense strategies is crucial to defending against the growing threat posed by ransomware attacks. For example, adding multifactor authentication (MFA) adds an extra verification step, complicating attackers' efforts to exploit compromised accounts or vulnerabilities.

Up-to-date backups that are regularly tested, endpoint protection, and threat detection capabilities all fortify systems against a ransomware attack. And managing vulnerabilities and mitigating their potential impact before they can be patched also hardens systems against ransomware.

Christiaan Beek, senior director of threat analytics at Rapid7, says "maintaining oversight of firewalls and VPNs is vital, as they present appealing entry points for unauthorized access."

Beek adds that management and administrative interfaces of public-facing applications also must be secured.

About the Author(s)

John Leyden, Contributing Writer

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights