Johannesburg spent the weekend struggling to recover from its second cyberattack this year as it took key services systems offline.
The city first alerted users of the attack via Twitter on Thursday 24 October:
The City has detected a network breach in its systems ^TK pic.twitter.com/r43iiJiUya— City of Joburg (@CityofJoburgZA) October 24, 2019
The cyberattack came from a group calling itself the Shadow Kill Hackers. Some media outlets are reporting it as a ransomware attack, but according to a note reportedly sent to city employees and shared on Twitter, the hackers didn’t encrypt data. Instead, they stole it and threatened to upload it to the internet if the City didn’t pay up. The note read:
All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.
The group reportedly demanded a payment of four bitcoins (£30,347) by 5pm today, Monday 28 October, or they will release the compromised data.
The attack also affected City Power, a city-owned utility providing pre-paid electrical power to residents. It said that it was experiencing call centre problems due to the incident, and urged people to use its mobile app to log power problems instead. It also said that billing systems had been affected:
UPDATE: Please find the media release about COJ hacked computer systems.^JM pic.twitter.com/q7oEwIurpx— @CityPowerJhb (@CityPowerJhb) October 25, 2019
The City updated citizens on the 25th with several tweets, including this one:
#COJSystemBreach Update: City continues to work towards restoring service. The dispatched high level technical team has been hard at work to ensure resolution. ^NS pic.twitter.com/hytnf0KZvB— City of Joburg (@CityofJoburgZA) October 25, 2019
Johannesburg added that its call centre and e-services platforms all remained offline, alongside its website. Cashiers remained offline, it said, adding that people could pay municipal accounts via electronic funds transfer and third party payment systems.
In an interview with a local TV station on Friday, a City spokesperson explained the rationale for shutting down key systems:
We shut down the system as a professional measure to protect the integrity of our data and make sure that the critical information of customers is not compromised…
It was important for us to safeguard systems fast before we began remedial work.
He added that the hackers had compromised systems “at the user level rather than the application level as such”, adding that the application level is where the account numbers were held, and “that part had not been affected as yet.”
The hacking group fought back on Twitter, seeming to refute the suggestion that sensitive customer account data had not been compromised while also stating that they were not responsible for attacks on several South African banks around the same time:https://twitter.com/ShadowKillGroup/status/1187723009756487682
In another tweet on Friday, the group accepted responsibility for hacking resort company First Group SA. That company’s site was also down on Sunday night.
As the reported deadline approached, the hacking group turned up the pressure on the City of Johannesburg:https://twitter.com/ShadowKillGroup/status/1187719319125463045
City Power spokespeople told reporters that the attackers “won’t get a cent”. At the time of writing, that seemed accurate: there were no significant transactions into the bitcoin address reportedly quoted in the extortion note.
This is the second publicly-known attack that the City of Johannesburg has weathered this year. In July, a ransomware infection encrypted City Power’s database, internal network, web apps, and website, making it difficult for people to purchase power from the company.