The City of Johannesburg suffered a major network breach on Thursday 24 October 2019 when a group, reportedly known as the Shadow Kill Hackers, allegedly hacked into its system.

According to a report, the hackers left a bitcoin ransom note via Twitter. Business Day wrote that the hackers are demanding 4.0 bitcoins by 28 October at 5pm. If the City fails to do so they threatened to upload all the data they have procured onto the internet.

“All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information,” the ransom note reportedly said.

Deputy Director of Communications at CoJ Nthatisi Modingoane told Daily Maverick that CoJ could not confirm the name of the hackers nor the existence of the ransom note. The CoJ was conducting a thorough investigation into the matter.

“But we can confirm that there has been an attempted breach into the system which can be termed ‘hacked’,” Modingoane said. “But what has happened is that we spotted it early and we shut down the system to protect the residents of the City of Johannesburg so that nothing gets compromised.”

Systems that have been shut down since Thursday evening for precautionary measures include the City’s website (customers cannot log in to make their payments), e-services (no transactions can be made), billing systems as well as call centres. As a further result, the City’s customer walk-in centres were non-operational on Friday.

The hackers, according to Modingoane, are attempting to restore and reopen all systems after CoJ has shut the system down.

Daily Maverick visited one of the City’s customer walk-in centres in Randburg where one of the staff members who asked not to be identified said staff came in on Friday morning (25 October 2019) and were told “not to touch any of the computers”. He said customers had not tried to visit the centre following an alert disseminated by CoJ.

“However, we have to stay here because we were told that the system could come back online at any moment,” the staff member told Daily Maverick.

“Currently the staff members can’t work,” Modingoane said, “but they are going to remain there until the system is back up.”

Modingoane further explained that CoJ is working tirelessly to get the system back up but stated that residents should not be alarmed as the breach was detected at “user level and not at application level”.

Adam Oxford, a freelance technology journalist, said user-level still gives the hacker access to information.

“Just because they have only got into the server with the ‘user-friendly’ access it just means they won’t be able to change any of the core files,” Oxford told Daily Maverick, “but they still have access to whatever the user can see. They can see records or your electricity payments.”

“At the moment what we have deciphered is that nothing has been taken,” Modingoane said, “But the investigations are still at very early stages so we are allowing the investigators to do their jobs.”

The ANC Greater Johannesburg Region also put out a statement expressing their concern about the breach, stating that this has the potential of exposing the personal information of residents to cybercriminals and also exposing the data and information of CoJ as a whole.

“We think that the software that has been used is currently not the latest software that secures the network,” ANC regional spokesperson Jolidee Matongo said to Daily Maverick. “If it was this would have never happened.”

This is not the first time that Johannesburg has experienced an attack on its system, allegedly for ransom. In July 2019 residents of Johannesburg were not able to purchase or upload their electricity units due to a ransomware attack that took out Johannesburg’s City Power.

“Ransomware is a type of cyber attack in which a malicious program finds its way on to a computer system or network,” Oxford had told Daily Maverick, “and the damaging payload of that program will be to destroy data or encrypt it to the point where it is irretrievable.”

However, after some time City Power was able to resolve the issue and successfully restore electricity vending within hours of the security breach being identified.

Matongo said that in situations where customers are being compromised, the implicated company has a responsibility to keep the customer updated on their investigation.

“I am a customer myself,” Matongo said. “And they are being very quiet – and on an hourly basis they should be informing residents.”

Oxford added that there should never be a lack of information that is released as this does not help create preventative measures.

“All we have seen with these kinds of attacks is that the company affected, whether it be City Power or City of Johannesburg, is that they don’t release the follow-up information (on the investigation),” Oxford said. “They don’t give out details and never really know what happened and unless we know how these companies are attacked no one can help them.” DM