Security gurus weigh in on SA’s latest cyber attacks
Cyber security gurus, including Eugene Kaspersky, CEO of Kaspersky Lab, say the recent spike in cyber attacks in SA is a result of inadequate investment in cyber security and criminals capitalising on COVID-19. These “terrorist”-type attacks will continue in the near future, they say.
This week, the second largest private hospital operator in SA, Life Healthcare Group, became the most recent victim of a cyber attack, in the midst of the COVID-19 outbreak.
The hospital group was forced to bring in external cyber security experts and forensic teams “to advise and supplement internal teams and capacity” after the breach.
Life Healthcare is one of several South African entities that have been targeted by hackers this year. In February, Nedbank warned that the information of about 1.7 million clients was potentially affected by a data breach, and the following month, chemicals and fertiliser maker Omnia Holdings said its IT infrastructure was subject to a cyber attack.
The City of Johannesburg has also been a target, as were Capitec Bank and Telkom.
Says Kaspersky: “The recently reported cyber attack on a healthcare institution in South Africa highlights yet again the harsh reality that cyber criminals across the globe are continually on the lookout for ways to exploit the COVID-19 pandemic for their own gain.
“Regrettably, during the past months, we’ve seen many cyber attacks on hospitals and health institutions around the world, and we consider them to be nothing less than terrorist attacks.
“Given that this global pandemic will likely continue for some time, we expect cyber criminals to keep exploiting the coronavirus situation and, alas, we cannot rule out other healthcare institutions being targeted in future.”
Michael Tumusiime, lead security engineer at cyber security firm Checkpoint East Africa, says businesses must look at threats from an architectural perspective.
“What happened to Life Healthcare is not unique; it is something that is happening globally. When COVID-19 kicked off, we saw many customers in Europe being targeted with fictitious COVID-19-related e-mails and domains.
“Africa has followed closely behind, as we are now starting to see these attacks reach our continent. We can also expect this trend to continue if companies use generation three and four security to ward off generation five and six attacks.
“With people working from home, the perimeter has moved; therefore, you can no longer protect your assets just by using perimeter security.”
Tumusiime explains: “You need to think about the different ways that people access information and the different assets to protect against. Think mobile threats, think about security in the cloud, think about IoT devices, and have a comprehensive security approach protecting those. It also helps if you have an incident response plan to help in the mitigation and recovery in case you get compromised.”
Earlier this month, Telkom reportedly fell victim to the group behind the Sodinokibi ransomware, also known as REvil.
Zaheer Ebrahim, senior sales engineer SA at Trend Micro Sub-Saharan Africa, says even though ransomware attacks are a constant risk in the digital landscape, “a new type of malicious software based on the Java programming language has been discovered in the wild.
“Dubbed PonyFinal, it sees hackers gain access to a company’s system via a brute-force attack. Once inside, they deliver the ransomware payload.”
He says that, beyond the way the attack is propagated, PonyFinal differs from other ransomware in that it is activated by human operators rather than running automatically.
“This is reflected in how it can hibernate until such time as the attacker decides it can cause the most financial damage to the target organisation.
“Essentially, the malware deploys a script to perform data dumps. Perhaps more concerning is the fact that the malware ‘waits’ for the ideal time to make the most financial gain before it executes, remaining undetected on the infected system until it is too late. Subsequently, as per any other ransomware, the company files are then encrypted, and a ransom note is left.”