Land Bank ransomware attack: Hackers demand R5.4 million in Bitcoin

Mthobisi Nozulela

Finance Minister Enoch Godongwana has confirmed that the Land and Agricultural Development Bank of South Africa was hit by a ransomware attack earlier this year.

The attack occurred on January 12.

The Minister revealed this in a parliamentary reply to uMkhonto weSizwe MP Adil Nchabeleng, who had asked him about the nature of the breach, the systems affected, and whether a ransom had been demanded.

The Minister said that hackers demanded 5 Bitcoin, about R5.4 million, but the bank did not pay. He confirmed that critical banking systems and farmer data were not compromised.

"Land Bank detected unauthorised activity within parts of its computer systems. Preliminary investigations indicated that a third party gained access through a vulnerability on an internet-facing server and deployed ransomware, which encrypted a portion of the Land Bank server environment as well as multiple laptops," Godongwana said.

"The ransomware targeted servers in virtual server environments that are running Microsoft operating systems. The threat actors have been identified as a Ransomware-as-a-Service Group."

The Minister added that the Land Bank immediately isolated affected systems, removed indicators of compromise, and strengthened security controls.

"It must be noted that Land Bank’s critical ERP, core banking and customer relationship management (CRM) systems were not accessed, and therefore not compromised by the threat actor. This was due to the SAP system being in a separate technical environment to that of the rest of the servers".

"The remainder of the environment (including the non-SAP servers) were either encrypted or rendered inaccessible to the Land Bank IT team and users. Multiple laptops were also encrypted."

He also revealed that hackers had demanded Bitcoin for the return of stolen data and a promise not to publish it.

"The threat actors have requested 5 Bitcoin (approximately R5,4 million currently) as a ransom payment for the return of data and/or the non-publication of data. Land Bank has taken the decision not to make any ransom payment and confirms that no ransom payment was made".

The minister said that, prior to and during restoration of its IT environment, Land Bank isolated its environment, removed indicators of compromise, and strengthened its security controls by hardening and configuring firewalls and patching vulnerabilities, among other measures, to ensure that any unauthorised attempts to enter Land Bank's IT environment can be detected and remediated effectively and timeously.

The latest incident comes after other attacks on South African entities. Last May, South African Airways faced a major cyber incident that disrupted access to its online platforms.

It was reported at the time that the breach affected the airline’s website, mobile application, and several internal systems, prompting immediate action to mitigate the impact on flight operations and customer service.

Cape Times