Cyber Incident Victim: Eskom Holdings SOC Ltd
Date: Feb 2019
Location: South Africa
Summary
Eskom Group experienced two separate security breaches. In the first, an employee's corporate computer was infected with the Azorult information-stealing Trojan via a fraudulent game downloader masquerading as The Sims 4, compromising internal network credentials, corporate email access, and sensitive business data. In the second, an unsecured database exposed customer information, redacted payment details, and meter data for weeks. Security researchers discovered both incidents, traced the stolen credentials to a user with network access, and attempted to notify the organization through social media channels; after initial denials, the company acknowledged the breaches and launched investigations into potential compromises of sensitive information.
Description
On or around February 4, 2019, South African energy supplier Eskom Group experienced two concurrent security breaches compromising sensitive operational and customer data. The first incident originated from an internal corporate computer infected with the Azorult information-stealing Trojan, which researchers traced to an employee downloading a malicious installer masquerading as The Sims 4 game from an unauthorized software distribution site. Azorult harvested network credentials, corporate email account passwords, and desktop screenshots from the infected device, exposing authentication details for Eskom's internal systems. Security researcher .sS.! identified the compromised data through routine monitoring of Azorult-infected systems and attempted to notify Eskom via Twitter on February 6, 2019, but the company initially dismissed the report as unrelated to their operations. The stolen credentials provided potential access to Eskom's corporate network, which supplies 95% of South Africa's electricity and 45% of Africa's consumption. Following persistent outreach from .sS.! and other researchers, Eskom acknowledged the infection and initiated an internal investigation through its Group IT department.

A second, unrelated breach involved an unsecured database that had been publicly accessible for weeks prior to February 6, discovered by independent researcher Devin Stokes. This repository contained customer personally identifiable information, redacted payment card details, electricity meter data, and business-sensitive documents. Stokes made multiple unsuccessful attempts to contact Eskom through standard disclosure channels before resorting to tweeting partial database contents at the company's official account to force engagement. The exposure duration and database contents created significant privacy risks for affected customers. When contacted by media, Eskom issued a single statement covering both incidents, confirming investigations into potential information compromise but declining further comment pending completion of its internal review. Together, the two breaches exposed critical infrastructure credentials, financial data, and customer records through distinct attack vectors: one involving malware-enabled credential theft and the other resulting from misconfigured data storage.
