South African government officials are investigating reports that a ransomware group stole and then leaked 668GB of sensitive national pension data online.
The alleged March 11 data compromise of the Government Pension Administration Agency (GPAA) has not yet been publicly confirmed, but the incident has already made national headlines in South Africa. The South African Government Employees Pension Fund (GEPF) has stepped in to investigate claims by the infamous LockBit cybercriminal gang.
GEPF is one of South Africa’s largest pension funds, whose clients include 1.2 million current civil servants and 473,000 pensioners and other beneficiaries.
“The GEPF is working with the GPAA and its supervisory authority, National Treasury, to establish the veracity and impact of the reported data breach and will provide a further update in due course,” the pension fund said in a public statement.
Not adequately protected?
The GPAA reportedly reassured the GEPF that it had acted to protect its systems while the investigation into the breach was ongoing. However, preliminary investigations indicate that the LockBit claims may be related to a security incident the GPAA suffered in February.
The agency said an attempt to hack its systems on Feb. 16 was unsuccessful, but that claim came under criticism after the alleged LockBit data leak. The GPAA said in a public post on February 21 that it had shut down systems and isolated potentially affected ones in response to what it called an attempt to “gain unauthorized access to GEPF systems.”
The agency said its administrative system was not breached.
“It appears the right steps were taken to ensure data security following the incident by protecting compromised servers,” says Matt Aldridge, principal solutions consultant at Opentext Cybersecurity. “However, the incident raises concerns about the overall security posture and resilience of the organization’s systems.”
Consequences of Operation Cronos
The apparent attack on the GPAA comes just weeks after the Operation Cronos takedown, a law enforcement-led effort to disrupt the operations of LockBit and its ransomware-as-a-service affiliates.
LockBit and its partners took a major hit from this action, but have since resumed attacks using new encryptors and a rebuilt infrastructure, including a new leak site.
Amir Sadon, director of research at Sygnia, an incident response consultancy, says LockBit has also created a new data leak site and is recruiting “experienced pen testers”.
“The rapid adaptation of LockBit highlights the challenges of permanently neutralizing cyber threats, particularly those with sophisticated operational and organizational capabilities,” he notes.
Other experts warn that the GPAA data leak could result from an attack that actually predates the February 19 Operation Cronos takedown, so it would be foolhardy to infer that LockBit has already returned to full operation.
“The Government Pensions Administration Agency (GPAA) reported an attempted breach on February 16, prior to the removal announcement,” says James Wilson, cyber threat intelligence analyst at ReliaQuest. “It is therefore plausible that LockBit is using an old attack as the basis for this claim to give the image of having maintained its threat capability.”
LockBit is the most prolific ransomware group globally and by far the most active ransomware gang in South Africa, responsible for 42% of attacks in the last 12 months, according to Malwarebytes.
Ransomware groups like LockBit try to build a brand to attract affiliates and ensure victims pay. “Since Operation Cronos, LockBit has worked hard to [re]gain affiliates’ trust, so the leak will be used as a way to demonstrate that they are continuing ‘business as usual,’” says Tim West, director of threat intelligence and outreach at WithSecure.
Ransomware operators like those behind LockBit primarily rely on two techniques to gain initial access to organizations: abusing legitimate accounts or exploiting vulnerabilities in public-facing applications.
They typically steal copies of a victim’s data before encrypting it, giving them two forms of leverage during ransom negotiations. They then demand payment in exchange for the data, threatening to publish it on their leak sites if the ransom is not paid.
Countering ransomware attacks
Adopting proactive defense strategies is critical to defending against the growing threat posed by ransomware attacks. For example, multi-factor authentication (MFA) adds an additional verification step, complicating attackers’ efforts to make use of compromised accounts.
Up-to-date and regularly tested backups, endpoint protection and threat detection capabilities strengthen systems against ransomware attacks. Additionally, managing vulnerabilities and mitigating their potential impact before patches can be applied also hardens systems against ransomware.
Christiaan Beek, senior director of threat analysis at Rapid7, says that “maintaining oversight of firewalls and VPNs is critical, as they represent attractive entry points for unauthorized access.”
Additionally, public-facing application management and administrative interfaces also need to be protected, Beek says.