Looks like South Africa’s primary electricity provider Eskom was hit by not just one, but two security breaches. One was due to an unsecured database that leaked customer data online. The second breach came along with a malware infection disguised as a downloader for The Sims 4 game.
Eskom is South Africa's electricity company; it supplies approximately 95% of the country's electricity and approximately 45% of the electricity used across the entire African continent.
Unsecured database leaked customer data
On February 5, 2019, a security researcher named Devin Stokes sent a public tweet to Eskom stating that customer data was exposed publicly.
“You don't respond to several disclosure emails, email from journalistic entities, or Twitter DMs, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view! You are unnecessarily exposing YOUR customers' data!”, Stokes tweeted.
The researcher also added a screenshot of the database, which contained customer and service-related data. The exposed customer data included customers' names and payment card details such as card type, partial card number, and CVV number. The service-related data included account IDs, service start and end dates, and meter information.
Eskom's billing software database had been left open for weeks without any password protection, which is what resulted in the data leak.
AZORult infected Eskom’s systems via a fake Sims 4 game downloader
Another security researcher, operating under the name ".sS.!", uncovered a second security breach, this one caused by an AZORult infection. The researcher warned Eskom via a Twitter post that one of its employees, who had downloaded a Sims 4 game installer, ended up installing the malware instead.
“Dear @Eskom_SA. Please investigate on your user ‘mg@eskom[.]co[.]za’. There is a trojan on her machine. All her credentials were stolen. (Including her company credentials),” .sS.! tweeted.
“She installed a fake The Sims 4 installer….,” .sS.! tweeted. Eskom initially replied to the researcher's tweet stating, “Please note that this is not a valid Eskom email address”.
Later, Eskom acknowledged the malware infection and replied to the researcher's tweet stating, “This has been investigated and the necessary actions have been taken. Thank you for bringing it to our attention.”
The security researcher ".sS.!" told BleepingComputer that Eskom's internal network was compromised by the AZORult info-stealer and that the stolen data indicates it belongs to a user with access to Eskom's internal network.
The stolen data includes Eskom network login credentials, corporate email accounts, a screenshot of the victim's desktop during the AZORult installation, and other sensitive data.
“Eskom’s Group IT is conducting investigations to determine whether sensitive Eskom information was compromised as a result of this incident. We will comment fully once the investigation is concluded,” Eskom told BleepingComputer.