KPMG uncovers US$6 billion heist at South African state-owned Postbank


An investigation by auditing firm KPMG has found that criminals used privileged access to database systems within South African state-owned Postbank to steal about R109-million (US$6.12 billion) in five separate incidents between October 2021 and October 2022.

Per the report, the cyber fraudsters employed a combination of insider access to critical IT systems, VPN access for PIN resets and the use of runners to exact the cyberheist.

KPMG presented its findings to parliament’s portfolio committee on communications & digital technologies on Tuesday.

In the presentation, KPMG said the scheme involved accessing database systems to inflate the balance of targeted accounts and then deleting logs of the event, followed by the resetting of the PINs of 239 cards (some of these cards were no longer active but were brought back online for purposes of perpetrating the fraud) to be used for withdrawals. The criminals employed “runners”, who used 281 different cards to withdraw funds via some 20,000 transactions across 1,700 ATMs. Some cards were cloned and used in close proximity to one another. The spoils were then shared among the crooks.

KPMG said it is likely that hackers had full knowledge of Postbank’s internal systems.

“The [account] inflators had full knowledge of the database and operating environment, [they] accessed the system through access point names (APNs) and a local-area network. [We] identified at least two team members who had access to all IT team’s passwords,” said the KPMG report.

Breakdown

A breakdown of the various incidents shows that in October 2021, a threat actor – or actors – fraudulently accessed the Integrated Grants Payments System (IGPS) database and increased the cash balances of specific South African Social Security Agency (Sassa) grant recipient accounts, after which the fraudulent withdrawals took place. An estimated R89.5-million was stolen during this period.

Thereafter, in May 2022, Sassa cards that had a positive balance but that had previously been blocked on suspicion of fraud, were unblocked, only for the residual funds to be withdrawn as well. A further R1.3-million was stolen during this incident.

In August 2022, a repeat of the October 2021 modus operandi saw a further R5.8-million stolen in just two days. A month later, in September 2022, another R3.9-million was stolen when the fraud management team unblocked cards that were suspected of fraud to “update comments”; the threat actor – or actors – took advantage of this gap and withdrew funds from these cards.

Finally, in October 2022, criminals fraudulently created a “representation of deposits” into a number of Postbank accounts and then withdrew funds from them. A further R9-million was stolen in this way, bringing the estimated total of funds looted from the bank to R109.5-million.

KPMG identified the following weaknesses in Postbank’s ICT environment which made the organisation vulnerable to attack:

  • The Postbank network is flat, with no segregation of zones, accompanied by inappropriate user access management.
  • Roles and responsibilities between Postbank and the South African Post Office were unclear.
  • Key personnel responsible for managing the applications and infrastructure lacked the necessary skills to properly manage the environment.
  • Postbank had an inappropriate APN inventory, with poor allocation and access management.
  • Direct access to the IGPS database was allowed, while monitoring of database access was lacking. The IGPS service provider had full access to the system, which conflicted with the practice of “least privilege” access.
  • There were inappropriate access, logging and monitoring controls on the Interchange and Postilion applications. Multiple VPNs were used to access the network, without appropriate logging and monitoring procedures in place.
  • The Domain Controller application (managed by the Post Office), which is the main server responsible for managing access to the network, was compromised as a result of a keylogger.
  • The access management practices at Postbank and the Post Office were weak, thereby allowing the threat actor/s to gain access to passwords of general and privileged users.
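Several of the weaknesses above (direct database access without monitoring, balances inflated in the database and the corresponding logs deleted) are the kind of gap that an independent reconciliation job can surface even when the attacker controls the application logs. The following is an added illustration, not code from the KPMG report or from Postbank's systems: it runs three defensive checks over a small constructed ledger (the account names, balances, database users, IP addresses and SQL statements are all invented for the example). It recomputes each account's expected balance from the audit trail and flags any balance that cannot be explained by posted transactions, detects gaps in the audit log's sequence numbers that would indicate deleted rows, and flags writes to sensitive tables that did not come from the application's own service account.

```python
"""Ledger reconciliation and database-access checks over constructed sample data."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    seq: int          # monotonically increasing audit sequence number
    account: str
    amount: Decimal   # positive = credit, negative = debit


# Constructed sample data (hypothetical accounts; not from the KPMG findings).
OPENING_BALANCES = {
    "ACC-001": Decimal("150.00"),
    "ACC-002": Decimal("20.00"),
    "ACC-003": Decimal("0.00"),
}
# Balances as currently stored in the (assumed) balance table.
CURRENT_BALANCES = {
    "ACC-001": Decimal("250.00"),
    "ACC-002": Decimal("5020.00"),   # inflated out of band
    "ACC-003": Decimal("0.00"),
}
AUDIT_LOG = [
    Txn(1, "ACC-001", Decimal("100.00")),
    Txn(2, "ACC-002", Decimal("-15.00")),
    # seq 3 is intentionally absent to simulate a deleted audit row
    Txn(4, "ACC-002", Decimal("15.00")),
]
# Constructed database query log: (db_user, client_ip, statement).
DB_QUERY_LOG = [
    ("igps_app", "10.1.1.5",
     "UPDATE account_balance SET balance = balance - 15.00 WHERE account = 'ACC-002'"),
    ("dba_contractor", "10.9.0.7",
     "UPDATE account_balance SET balance = 5020.00 WHERE account = 'ACC-002'"),
    ("dba_contractor", "10.9.0.7", "DELETE FROM audit_log WHERE seq = 3"),
    ("report_ro", "10.1.2.8",
     "SELECT balance FROM account_balance WHERE account = 'ACC-001'"),
]
APP_SERVICE_ACCOUNTS = {"igps_app"}            # assumed: only the app may write
SENSITIVE_TABLES = ("account_balance", "audit_log")


def reconcile(opening, current, log):
    """Return {account: unexplained difference} for balances the audit trail cannot justify."""
    expected = dict(opening)
    for t in log:
        expected[t.account] = expected.get(t.account, Decimal("0")) + t.amount
    discrepancies = {}
    for acct, bal in current.items():
        exp = expected.get(acct, Decimal("0"))
        if bal != exp:
            discrepancies[acct] = bal - exp
    return discrepancies


def audit_gaps(log):
    """Return (previous_seq, next_seq) pairs where audit sequence numbers are not contiguous."""
    seqs = sorted(t.seq for t in log)
    return [(prev, nxt) for prev, nxt in zip(seqs, seqs[1:]) if nxt - prev > 1]


def flag_direct_writes(query_log, app_accounts, sensitive_tables=SENSITIVE_TABLES):
    """Return (user, ip, verb) for write statements on sensitive tables by non-application users."""
    flagged = []
    for user, ip, stmt in query_log:
        verb = stmt.split(None, 1)[0].upper()
        touches_sensitive = any(table in stmt.lower() for table in sensitive_tables)
        if verb in {"UPDATE", "INSERT", "DELETE"} and touches_sensitive and user not in app_accounts:
            flagged.append((user, ip, verb))
    return flagged


def run_checks():
    """Run all three checks over the constructed data and return the findings."""
    return {
        "unexplained_balances": reconcile(OPENING_BALANCES, CURRENT_BALANCES, AUDIT_LOG),
        "audit_gaps": audit_gaps(AUDIT_LOG),
        "direct_writes": flag_direct_writes(DB_QUERY_LOG, APP_SERVICE_ACCOUNTS),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

The reconciliation only works if opening balances and the audit trail are held somewhere the database administrators of the balance system cannot rewrite (a separate, append-only store or a daily snapshot taken by a different team), which is the practical meaning of the segregation and least-privilege points in KPMG's list.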

“With weak logging and monitoring controls, lack of accountability and consequence management, it is difficult to identify the specific individuals performing malicious activities and hold them accountable,” said KPMG.

KPMG’s help was enlisted by the communications department to investigate the matter following an anonymous tip-off that alleged the attacks and thefts were “enabled internally”.

In a statement on Tuesday, the communications department said communications minister Solly Malatsi had referred the KPMG report to the Hawks “in an effort to ensure those responsible for these crimes are brought to book”.

“What makes this cash theft more repugnant is that some of this money was stolen from vulnerable social grant beneficiaries and ordinary South Africans who were saving for a better future. We will use the full might of the law to fight anyone who dares to rob citizens,” Malatsi said.
