
Major SABS cyberattack raises questions about entity’s leadership

3rd December 2024

By: Darren Parker

Creamer Media Senior Contributing Editor Online

     


The South African Bureau of Standards (SABS) has suffered a major ransomware cyberattack, resulting in critical IT systems going down, Engineering News has learned.

This is not the first time the SABS IT infrastructure has been hacked, with previous incidents reported in 2023 and again in April this year.

An inside source said SABS information and communication technology (ICT) and knowledge management head Dr Thami Batyashe, who was also the acting corporate services head, has been suspended in relation to the incident, while the State Security Agency is on site trying to trace the source of the attack and mitigate its impact.

The cyberattack allegedly resulted in the organisation’s salary systems going down, with November salaries having been paid manually.

The SABS confirmed the attack, telling Engineering News that it was merely the result of “enhancing the information security based on the recommendations from the previous attack”.

“The cybersecurity experts conducted an investigation and confirmed that the SABS data has been encrypted, affecting ICT systems, hence they are down. The recovery efforts are under way,” the bureau said.

Batyashe’s suspension follows the suspension in May of the SABS security head Chris Coetzee (who had reported that he had been poisoned), certification head Katima Temba and company secretary Charles Kgoale in August, all during a period when the institution was managed in rotation by acting CEOs Lungelo Ntobongwana and Lizo Makele.

Ntobongwana has subsequently been appointed permanent COO.

National Assembly MP and Democratic Alliance (DA) Trade, Industry and Competition spokesperson Toby Chance told Engineering News on November 29 that the cyberattack comes after the SABS received a capital expenditure (capex) allocation of R9.5-million to develop and install systems to prevent such attacks after it was the target of two similar attacks in the recent past.

This amount was put onto the bureau’s capex list for the 2023/24 financial year, proposed by the executive committee and approved by the SABS board.

“Funding has been allocated for managed security services, which will be a partnership with cybersecurity experts to provide continuous support. The procurement process is underway for these services,” the SABS explained.

However, Chance alleges that there was mismanagement.

“I will be putting a question to Trade, Industry and Competition Minister Parks Tau about how many of the entities under his watch have been targets of cyberattacks in the past five years, how much has been spent on security to prevent such attacks, and how much has been spent paying off the criminals responsible for these attacks, if they have been identified,” he said.

According to the South African National Accreditation System requirements, the SABS is obliged to inform its clients about the loss of data and the potential risk of a cybersecurity breach.

If the SABS has failed to inform its clients of the latest breach, it could mean the SABS will lose its accreditation.

“Surely the COO and acting CEO need to be dismissed with immediate effect? The SABS will lose its accreditation as it still has not informed clients about the hack and the breach of company confidential information,” Chance said.

These attacks have come to the surface after Public Works and Infrastructure Minister Dean Macpherson revealed, shortly after his appointment in July, that his department had suffered R300-million worth of losses owing to cyberattacks over the past ten years.

“This trend should be a major concern to all government departments and calls into question the competence and professionalism of the State Information Technology Agency, which has responsibility for all government IT systems,” Chance said.

He pointed out that he had written to Tau three times since August and spoken to him in person about the continuing whistleblower reports of alleged mismanagement and corruption emanating from the SABS.

Tau, however, had deemed it fit to leave it up to the SABS board to intervene.

“That is unsatisfactory, as far as I am concerned, as the board might appoint Makele as the permanent CEO, which would be a very poor decision. The board itself is compromised and, in my view, the only responsible course of action is for the Minister to put the SABS under administration again to clean out the current management and board,” Chance told Engineering News.

On November 25, an anonymous open letter was sent to Tau regarding this matter, highlighting a spate of whistleblowing reports published by Chance in August that alleged “incompetent leadership” at the SABS and a “deliberate attempt to destabilise the organisation”.

The letter pointed out that the Department of Trade, Industry and Competition (dtic) had been made well aware since August of several crises undermining the SABS, which include the loss of accreditation of the cement laboratory and the hacking of its IT systems, resulting in a total loss of data and putting at risk the private and sensitive information of employees and clients.

“The biggest question [is], why is the current executive structure still in place? While yet another executive [Batyashe] has now been suspended, the current acting CEO [Makele], the COO [Ntobongwana] and the CFO [Kholofelo Masoga] remain.

“Again, the chief corporate services officer (CCSO) reports to the acting CEO. [Makele] appointed himself as the CCSO and, [under his leadership as CCSO], the SABS has been hacked twice already,” the letter states. 

The SABS would not comment on any of its ongoing internal staffing issues.

The author of the open letter alleged that the threat to the SABS IT systems could have been mitigated by then-SABS CCSO Makele (now acting CEO) two years ago, but that the reorganisation of the SABS was designed to remove competence.

The SABS appeared to deny these allegations.

“The current leadership of the SABS has a responsibility to stabilise the business and has made a lot of progress in that respect,” the SABS stated.

The open letter, however, describes a very different scenario.

“Internal audit and risk management is a joke, and how could the Ministry approve any structure that does not have a chief risk officer or a chief information officer?” the author of the letter asks.

“More than R140-million has been paid in the last six months to ‘protect’ the SABS from cyberattacks and the Minister needs to investigate the company that was appointed and to follow the trail of money,” the author states.

However, the SABS claimed a different figure.

“So far in this financial year, we have spent less than R20-million on the information/cybersecurity enhancements at the SABS. Further robust enhancements and upgrades are planned to be concluded in the next three months,” the bureau explained.

The SABS told Engineering News that this money had been spent on the following cybersecurity enhancements:

  • Containment of phishing incident;
  • Implementation of multifactor authentication;
  • Deployment of Entra;
  • Microsoft Defender for Endpoint;
  • Mimecast support for email security;
  • Microsoft licences, which included upgrading from E3 to E5 licences with security features;
  • Upgrade of data core and firewall. 

However, despite these investments, the bureau’s cybersecurity remains inadequate, given the latest breach.

“Things [at the SABS] have gotten a lot worse. Customers cannot contact the SABS, no testing or certification is happening, no transactions can be processed, salaries could not be processed.

“People in South Africa are dying from food poisoning, people are about to start dying from structural defects because of a looming cement crisis and still the Ministry watches in silence,” the author of the letter asserted.

In a letter to Tau from Chance sent on October 11, which Engineering News has seen, Chance pointed out to the Minister that dtic acting director-general Malebo Mabitje-Thompson had explained during a portfolio committee meeting on October 8 that the matter was with the dtic’s internal audit department.

However, Mabitje-Thompson was unable to provide any certainty as to when this investigation would be completed.

“This is concerning, as the matter is paralysing the SABS and the list of grievances aired by the complainants is long and points to serious issues that cannot be left to fester.

“I urge you and [Mabitje-Thompson] to put pressure on the internal audit department to report back without delay and will be monitoring this on a regular basis,” Chance told Tau.

Engineering News reached out to the dtic for comment but had not received a response by the time of publication.

Edited by Chanel de Bruyn
Creamer Media Senior Deputy Editor Online
