South African Department of Defence Denies Stolen Data Claims

A 1.6TB file containing personnel details of the South African Department of Defence has been found on a leak site.

The "Snatch" group claimed responsibility for the data leak, and in a Telegram message said the massive file contained "exclusive information with billion dollar contracts, generals' call signs and personal information."

Leaked documents seen by the researchers from Orange Cyberdefense show lists of names, along with landline and cellphone numbers, email addresses, birthdates, and job titles. All the phone numbers were from the Pretoria region, where the Department of Defence is located.

In a statement to News24, Department of Defence spokesman Siphiwe Dlamini denied there had been any leak, while SANDF spokesperson Brigadier General Andries Mahapa dismissed claims about any leaked or stolen data as "fake news."

In a response via a Telegram message, the Snatch group said it spent a month trying to bring the reality of the situation to the country's leadership. "But they laughed and hung up on us and did not respond to our messages," according to the Telegram reply.

The South African Department of Defence did not respond to emails seeking clarification on what happened and the legitimacy of the data.

What Happened, and Who Is Snatch?

Charl van der Walt, head of security research at Orange Cyberdefense, says the security services provider was able to discover the leaked data via automated processes it conducts for research and customer assistance.

Carl Morris, senior lead research manager for Orange Cyberdefense, says there had been 16,922 views of the posted leaked data and 782 downloads of the 1.6TB file at the time of publishing. Morris says these numbers are quite low compared with some of the other leaks uploaded previously by the same group.

The researchers said Snatch was first seen in 2019. "They've been operating consistently ever since, with no apparent relationships with any other group that we're aware of or that we could determine," van der Walt says. "This is a low-burn, consistent kind of gang," adding that Snatch uses pure data extortion in about 10% of its attacks.

Next Steps for the Government

If a breach has taken place, the South African information regulator must be notified. In a statement, the regulator says it's aware of media reports about an alleged security compromise at the Department of Defence.

In 2021, the South African Department of Justice and Constitutional Development experienced a ransomware attack, which affected all of the department's electronic systems. Another attack in the same year saw the South African National Space Agency hit, with more than 14GB of information reportedly stolen by a group called CoomingProject, which posted some of the data online.