@darrenolivier@mastodon.social avatar

darrenolivier

@darrenolivier@mastodon.social

Director at African Defence Review & software developer at an Amsterdam-based consultancy. DM for Signal. Follows don’t mean approval.


darrenolivier, to random

Remarkably, DefenceWeb managed to obtain combat radio recordings from this weekend's SANDF engagements against ASWJ insurgents in Macomia, Mozambique, as well as a detailed breakdown of how the fighting unfolded.
It's extremely rare for these to leak.
https://www.defenceweb.co.za/african-news/they-are-attacking-my-base/

darrenolivier,

The recordings show good performance from the SANDF Combat Team Charlie troops, remaining calm and providing clear radio instructions even in the middle of an ambush from several directions & IEDs.

This is the sort of thing SANDF PR should be highlighting. Great scoop by DW!

darrenolivier,

And excellent work by the deployed SANDF forces, who had to suddenly transition from withdrawal mode back to combat operations with far too few vehicles and other equipment available. That was not an easy operation.

gadgeteer, to random

A South African biker’s post-accident medical treatment was delayed after the SOS feature on his Garmin satellite communicator failed to evoke a timely response from emergency services.

Rapport reports that Johan Swarts only received a call from responders while in hospital on the day after he suffered a serious crash, despite paying a R574.99 (US$31) monthly subscription for the service.

He told Rapport that a Garmin product manager only responded two months after his complaints and said the SOS was only received on 18 February, a day after the accident.

So, yes, testing is important, as well as informing someone where you are going and when you expect to be back, but this is extremely concerning as such devices (along with the expense they incur) are intended for use in the most dire emergencies. South Africa, as well as the rest of Africa, has some very isolated areas.

As of 2024 there are as yet no reliable satellite services in Africa for ordinary cellphones, so the only option is a full-blown satellite phone (of course with its associated cost that many cannot afford).

Seems it did actually work if the message came through a day later. But where did it come through to a day later, and why? It's like a key piece of the puzzle is just missing here. Certainly a radio transmission is almost instantaneous, it does not transmit "slowly" over 24 hours. Seems to me, there was some human or system failure between the UK and SA? Due to the nature of this service, it warrants a really thorough investigation.

See https://mybroadband.co.za/news/gadgets/536343-garmin-sos-fails-south-african-biker-after-accident.html

#technology #SouthAfrica #Garmin #motorcycling

darrenolivier,

@gadgeteer That call from SAMSA is interesting. Seems someone got the wires crossed on the responsible agency.

darrenolivier,

@gadgeteer That's so ridiculous. It seems there's been a lot of effort to roll out new customer-side SOS alert and notification services without enough thought and development of the actual operational response side.

sigstart, to random

A respected security researcher, speaking on condition of anonymity, confirmed the leak appeared legitimate.

They said the data came from the DOD, not an affiliated company like Armscor or Denel.

https://mybroadband.co.za/news/security/505562-russian-group-hacks-south-african-department-of-defence-allegedly-leaks-ramaphosas-number.html

darrenolivier,

@danie10 @singe @sigstart That should be assumed.

South Africa has done the same. It had a very embarrassing situation in 2005 when a South African Secret Service handler and his entire network of highly placed officials were rounded up, even though SA and Zim were very close at the time. It happened again in Mozambique in 2021, just before we sent troops there.

SITA had some good initial capabilities as it was originally formed from the DoD, SAPS, and DOSE's IT departments.

darrenolivier,

@danie10 @singe @sigstart On the upside, judging by what those trawling through the archive are posting there’s nothing SECRET or TOP SECRET yet. Just RESTRICTED and CONFIDENTIAL. But there’s potentially a lot more data coming.

If the correct rules were followed there shouldn’t be anything TS/S, but then again if the correct rules were followed there wouldn’t be a breach of this magnitude and people wouldn’t have stored personal files on work systems…

darrenolivier,

@singe @danie10 @sigstart Thanks. That’s really bad. It would mean that either document security has been lax and those files have been allowed on the regular networks, which is not unheard of, or that the group got into the segregated networks too.

darrenolivier,

@singe @danie10 @sigstart Meanwhile the DoD remains in denial. There’s no way this is a leak from an individual.

darrenolivier,

@singe @danie10 @sigstart Great question. As spin goes it’s amateurish stuff.

darrenolivier,

@singe @danie10 @sigstart Agreed, but I’m entirely unsurprised and I’ve long said that we should assume that any competent state has mostly unlimited access to these types of DoD and other government systems. The warnings about poor security, inadequate skills, and outdated systems have been ignored for years. There was a CSIR team doing very basic vuln scans of government’s IP space a few years ago. They found tons and were told to stop.

darrenolivier,

@singe @suqdiq @danie10 @sigstart Yes. Though I’ve seen some claims that Snatch is a GRU front operation. That might explain the timing of the release just before the BRICS summit.

darrenolivier,

@suqdiq @singe @danie10 @sigstart Not saying it’s impossible, just that it elevates the seriousness and scope of the breach if so.

darrenolivier,

@singe @danie10 @sigstart DoD IT systems are managed by CMIS within the DoD and SITA from the outside, but neither really has the specialist skills for the role. SITA used to, as it was formed partially from the DoD’s previous IT division, but it has become much more generically corporate focused of late.
Many of the DoD’s enterprise systems are woefully outdated. Including ancient and unpatched IIS servers.

darrenolivier,

@danie10 @singe @sigstart There is definitely some level of magical thinking and denial going on there, judging by the conversations I’ve had.

The top brass for the most part also don’t have the best understanding of technology, given their age.

The DoD also still generally insists on treating IT purchases like other systems with irregular acquisitions & upgrades to on-prem SITA-managed systems rather than adopting a constantly updated managed services model.

darrenolivier,

@singe @suqdiq @danie10 I can’t say I can see a clear rationale either, it’s just an additional factor.

Three potential reasons:

  1. Putin is more upset at being effectively disinvited from the summit than was let on, and this is a retaliation.
  2. This may have been another arm of the Russian government retaliating for a perceived slight, both for this and Ramaphosa’s more Ukraine-friendly comments.
  3. It was just a target of opportunity, Snatch was independent, and the timing is meaningless.

darrenolivier,

@singe @suqdiq @danie10 We should be treating 3) as the most likely scenario while not discounting 1) and 2) entirely IMO.

But, yes. If this group was in DoD networks for months and months there’s no doubt there are nation state APTs doing the same.

darrenolivier,

@mensrea @singe @danie10 @sigstart If I can add some context.

There are two main types of networks in the DoD. The standard enterprise network, called the ‘Black’ network, that hosts Outlook, the intranet, network shares, and all your normal enterprise stuff. That’s what was likely hit.

Then there are multiple air gapped ‘Red’ networks for TS/S material & operational systems. They’re not meant to be connected to the Black network anywhere & I assume are still safe.

darrenolivier,

@mensrea @singe @danie10 @sigstart According to protocols there should never be any TS/S material stored on any ‘Black’ network or computer. Only RESTRICTED and CONFIDENTIAL material. But in practice that hasn’t been as controlled as it should’ve been.

I don’t think this is a breach of the DoD’s core ‘Red’ networks based on what I’ve seen so far.

darrenolivier,

@danie10 @singe @suqdiq Sure, and I have no doubt that China and Russia have been spying heavily on South Africa. We’d be naive to believe otherwise.

Releasing the material publicly is another matter though.

darrenolivier,

@mensrea @singe @danie10 @sigstart The ‘Black’ network/intranet is mostly run by SITA along normal enterprise lines.

The Red networks are mostly managed by internal SANDF personnel, such as those in CMIS, and cleared contractors to my knowledge.

darrenolivier,

@singe @suqdiq @danie10 I generally agree, but I also think it's unlikely that Russian intelligence has no knowledge of or influence over this group. That nothing has been done so far seems to imply that they're okay with it, which has interesting geopolitical implications.

darrenolivier,

@singe @suqdiq @danie10 An insider isn't impossible, but as far as I know even with how lax security is nobody internal should've been able to access this much using their normal permissions. Not even the sysadmins.

darrenolivier, (edited)

@singe @suqdiq @danie10 Turns out SITA issued an urgent R7.6m tender in March this year to Cyber1 Solutions for "Darktrace Network Detection and response tool On-Premise NDR licences and maintenance and support Department of Defence (DoD) for twelve months."

I can't imagine why that would've been done except as a response to this attack.

darrenolivier,

@singe @suqdiq @danie10 Thanks! It was a bit lucky, I came across it while looking for something else entirely.
