SNATCHed – SANDF data leaked in cyberattack appears to be authentic, say cybersecurity analysts

An alleged breach of South African Defence Force (SANDF) computer systems by hacking group SNATCH appears to be confirmed as authentic, according to a Daily Maverick investigation alongside South African cybersecurity researchers.

The cyberattack group claimed to have penetrated SANDF systems on 21 August 2023, before publishing on its Telegram channel the personal contact details of high-ranking political and Defence Force officials, including those of President Cyril Ramaphosa. The group alleges to have stolen some 200TB of data, and has uploaded 1.6TB to date. The group also claimed that it had approached political and defence officials before the leak, after the initial compromise of systems in late 2022, to no avail. 

“In summer of 2023 we again tried to contact the leadership of South Africa, up to calls to the Cabinet of Ministers and personally to the president of the country. But we faced a wall of misunderstanding and an approach that can be characterised by such a phrase – my personal laptop is not hacked? No? Well, that’s good,” the group told Daily Maverick.

Rather strangely, in its publication of the leak, SNATCH claimed a relationship between the SANDF and the US Defence Advanced Research Projects Agency (Darpa), an assertion not supported by data seen by Daily Maverick. However, Daily Maverick’s analyst has yet to have sight of the full archive of files.

“In the uploaded archives, Darpa interaction between Darpa and the South African Ministry of Defence will become sore [sic], in this regard, we have the opportunity to argue about their promising cooperation,” SNATCH told Daily Maverick.

“We have extracted 1.6TB of exclusive information with billion dollar contracts, generals’ call signs and personal information,” the group claimed on its Telegram channel, announcing the leak.

SANDF denial, then acknowledgement

In the wake of SNATCH’s claims, the SANDF initially responded with a firm denial that its systems or data had been compromised. However, subsequent developments appear to have forced the SANDF to acknowledge, albeit reluctantly, that there may be an issue.

“It can be confirmed that the system of the Department of Defence has not been hacked,” the SANDF said on 2 September. “This is the work of criminal syndicates within the cyberspace, aided through information leaked from the department.” Detailed questions were put to Defence Force spokesperson Siphiwe Dlamini, but a response had not been received by the time of publication.

An investigation by Daily Maverick in collaboration with cybersecurity analysts allowed a glimpse into the leaked data, which seemed to contradict the SANDF’s statement that the information had merely been “leaked”.

The findings overwhelmingly point to the data’s authenticity, with the sheer scale of the data available pointing to a wide-ranging scrape of multiple personal computers and servers linked to the SANDF, rather than a single person distributing the data. 

The exposed documents encompass a wide spectrum, including complete email archives of high-ranking Defence Force members, intricate payroll documentation, ongoing litigation records against the SANDF, sensitive procurement orders and memoranda of strategic importance exchanged between South Africa and other nations.

“The resources involved are massive,” one cybersecurity researcher told Daily Maverick. The researcher has had sight of at least 160GB of the 500GB file. “Just the hardware involved to store the data – assuming they did steal 200TB, is upwards of $10,000.”

SNATCH, an acronym for Security Notification Attachment, has garnered notoriety for its involvement in numerous data breaches across the globe. They have differentiated themselves from a previous, ransomware based hacking group who were known by the same name - who used ransomware called “Snatch” to encrypt their targets and extort money to unlock the devices.

It is alleged to have been involved in breaches involving military departments, payment services and multinational corporations. These include UK-based the Briars Group, military provider Hensoldt (France) and Korean manufacturer Ssangyong. 

What sets SNATCH apart is its assertion that it does not resort to ransomware tactics, instead targeting entities with lax network security and subsequently leaking their confidential data.

“We have nothing to do with the Snatch ransomware project that appeared in 2019 … What do we want to achieve? We want your country to pay attention to the existing problem of cybersecurity …” the group told Daily Maverick, noting that it had conducted many similar attacks against other countries without discrimination.

Strange claims

The group has made strange claims on its Telegram channel about the publication of the SANDF documents, stating: “… We are ready to introduce to you the main arms baron of the black continent or the main gasket for laundering arms contracts in the USA (and maybe in the whole world) – Mr Matamela Cyril Ramaphosa.” The Presidency spokesperson, Vincent Magwenya, declined to answer Daily Maverick’s questions, referring all queries to the Department of Defence.

The initial document shared by SNATCH, presented as “proof” of its breach of SANDF servers, raised concerns about the nature of the breach. 

This “proof” document contained the personal details, contact information, and force numbers of several SANDF personnel. While concerning, it provided only a glimpse of the larger, more comprehensive data reservoir. 

After the publication of the leak and subsequent denial by the SANDF, SNATCH stated: “The saddest thing is that we spent a month trying to bring the reality of the situation to the country’s leadership, including the president of the country and the cabinet of ministers and high-ranking officials of the Ministry of Defence. But they laughed and hung up on us and did not respond to our messages.”

The revelation of the larger data dump paints a more comprehensive picture of the breach’s scope.

Among the trove of data that cybersecurity researchers in contact with Daily Maverick have had sight of are classified documents never meant for public consumption. These include the Defence Force’s comprehensive record of police cases opened against SANDF members during the Covid-19 lockdown enforcement, as well as an in-depth geopolitical analysis of Mozambique, seemingly prepared in anticipation of SANDF deployment in support of the Southern African Development Community Mission in Mozambique.

Top secret files

Further startling discoveries in the leaked data are many files classified according to the Minimum Information Security Standards (MISS). The data encompasses documents marked as Secret, Confidential, and Restricted, clearly intended for internal use within the SANDF only. These include meeting minutes between high-level officials, as well as unit orders and logs detailing the loss of armaments and ammunition.

Posting on X (formerly Twitter), Darren Olivier, director at African Defence Review, explained how the SANDF segregates its networks:

“SA DoD has 3 main network types: 1) “Open” with internet access. No access to internal systems. 2) “Black” intranets. No/limited internet access, no docs below Top Secret/Secret, no operational systems. 3) “Red” networks for operational systems & TS/S material.”

According to the MISS classification of some of the leaked data, that would mean that all levels of networks had somehow been compromised, given the presence of information classified as “Secret”.

The data breach also unveils evidence of the SANDF’s acquisition of software designed for digital surveillance, cyberattacks and information warfare. This revelation carries the potential to compromise operational deployments of the SANDF and expose its capabilities to non-state actors.

“The investigation continues, and the perpetrators will be brought to book. The Department assures South Africans that our systems are secured, and measures have been put in place to ensure that state information is not compromised,” the SANDF said.

However, the alleged SNATCH breach seems to indicate otherwise. The likely confirmation of data authenticity and the nature of the exposed information raise deep concerns about the current state of the SANDF’s network security infrastructure, as well as possible compromises to ongoing operations on the continent. As the investigation unfolds, questions about the breach’s origins, its impact on national security and the adequacy of SANDF’s cybersecurity measures loom large. DM