Cyber Incident Victim: Eskom Holdings SOC Ltd
Date: Oct 2022
Location: South Africa
Summary
The Everest ransomware gang demanded $200,000 in cryptocurrency for stolen administrator and root access to servers belonging to the South African state-owned electricity company ESKOM, claiming to have compromised critical infrastructure including administration systems, databases, backups, and employee access to POS terminal management. Although the threat actors advertised comprehensive network access, including passwords for Linux and Windows systems and purported partnerships with a U.S. defense contractor, the company publicly denied that any security breach had occurred. The attackers positioned the stolen access as enabling control over national electricity infrastructure.
Description
In March 2022, the Everest ransomware group publicly advertised the sale of root access to South Africa’s state-owned electricity utility ESKOM for $125,000 on their Tor leak site. The threat actors claimed possession of administrative privileges across ESKOM’s servers, asserting control over Linux and Windows systems, databases, backups, and employee access to point-of-sale (POS) terminal administration. They described the compromised assets as enabling comprehensive control over the company’s operations, including its partnerships with a U.S.-based defense contractor. ESKOM, responsible for generating over 90% of South Africa’s electricity and supporting regional grid stability through the Southern African Power Pool, denied any security breach at the time. The gang’s initial offer included sysadmin passwords, server configurations, and development environments, framing the access as a strategic opportunity to dominate the country’s electrical infrastructure.

By October 2022, Everest had escalated its demands to $200,000 for the stolen data package, accepting Bitcoin and Monero payments. The group reiterated claims of unrestricted access to all ESKOM servers, emphasizing that the sale included administrative credentials, root access, and backup systems. Security researchers concurrently observed server disruptions at ESKOM Hld SOC Ltd, though the company did not publicly link these issues to the ransomware group’s assertions. The attackers marketed the compromised assets as a turnkey solution for influencing national electricity distribution, referencing ESKOM’s interconnected grid role in the Southern African Development Community region. The available claims disclosed no evidence of data exfiltration or encryption; they focused instead on the sale of access credentials. ESKOM maintained its denial of a breach throughout both incidents.
