Cyberveille, curated by Decio
6 results tagged agency
South African government agency with sensitive data breached in R1.7 million ransomware attack https://mybroadband.co.za/news/security/636993-south-african-government-agency-with-sensitive-data-breached-in-r1-7-million-ransomware-attack.html
01/04/2026 09:43:17

mybroadband.co.za
29.03.2026
By Jan Vermeulen

Statistics South Africa has become the latest government entity to fall victim to a ransomware attack by the emerging cybercrime group known as XP95.

The threat actors claim to have successfully breached the agency responsible for conducting South Africa’s census, as well as producing and disseminating other official statistics, like the Consumer Price Index.

It was established by the 1999 Statistics Act to produce comprehensive data about South Africa’s people, economy, and society to support informed decision-making by government and business.

According to XP95’s dark web leak site, the hackers have stolen 453,362 files totaling 154 GB of data from an unspecified Stats SA server.

The cyber-extortionists have demanded a ransom payment of $100,000 (R1.7 million) to prevent the public release of the stolen data.

Given their claim that it was a ransomware attack, it is possible that they left the breached server encrypted and unusable.

XP95 has set a 20 April 2026 deadline for the payment, after which the group threatens to leak the full archive online.

Based on the samples of the exfiltrated data, the hackers obtained another trove of personally identifying information from what appears to be a human resources file server.

This is similar to the attack by the same group on the Gauteng Provincial Government, which saw terabytes of personal data from what appeared to be job seekers put up for sale.

The XP95 group is a relatively new actor in the cyber-extortion space, having first emerged in March 2026 with a unique interface that mimics legacy Microsoft Windows operating systems.

“What makes XP95 stand out immediately is its leak site design,” cyber threat intelligence company DarkFeed said in an analysis published shortly after the group first emerged.

“It is a striking throwback, heavily mimicking an old desktop operating system interface complete with classic teal backgrounds, old-school folders, and a vintage taskbar.”

From the site design, it appears that the group’s name is an amalgamation of two old versions of Microsoft’s operating system: Windows XP and Windows 95.

“Stats SA is aware of a cybersecurity breach affecting one Human Resources database,” stated Semakaleng Thulare, acting DDG Statistical Support and Informatics.

“The system that was breached is exclusively the HR system available for job seekers to apply online.”

Thulare explained that the national statistics office is part of a wider government response to matters dealing with cybersecurity breaches.

“Stats SA will not pay any ransom. Deployment of state financial resources is done in line with PFMA. Stats SA will notify the information regulator and will be guided by their processes.”

Gauteng Provincial Government server breach

Screenshot of XP95 dark web leak site announcing the Stats SA breach and ransom
In the previous attack on Gauteng, the hackers claimed to have stolen 3.8TB of data and demanded a lower payment of $25,000 (around R420,000 at the time) for the release of the information.

However, in that case, the group was selling the data to third parties, rather than holding the sensitive information to ransom.

Cybersecurity experts have warned that South African government departments remain prime targets for ransomware gangs and other cybercriminals.

Orange Cyberdefense highlighted in its Security Navigator Report 2025 that cyber extortion remains a pervasive threat that is impacting organisations of all sizes and sectors.

Small and medium-sized enterprises faced a 53% rise in ransomware incidents last year, and 2025 also marked the largest ransom ever paid to a ransomware group: $75 million to Dark Angels.

“With the emergence of AI tools designed specifically for fraud, extortion, and impersonation, AI has enabled an increase in the volume and sophistication of extortion incidents across sectors,” Orange Cyberdefense stated.

“The impact of these attacks reaches beyond the immediate target, with disruptions cascading through supply chains and posing risks to larger companies.”

Orange Cyberdefense also observed growing cynicism, as criminals no longer avoid critical services such as healthcare.

“We need resilience-building strategies to counter these risks,” the company stated.

“This includes the implementation of robust recovery protocols and reliable backup systems to reduce downtime and data loss after an attack.”

mybroadband.co.za EN 2026 South-Africa government agency ransomware
How China’s Secretive Spy Agency Became a Cyber Powerhouse https://www.nytimes.com/2025/09/28/world/asia/how-chinas-secretive-spy-agency-became-a-cyber-powerhouse.html?smid=nytcore-ios-share&referringSource=articleShare
30/09/2025 11:10:59

nytimes.com
By Chris Buckley and Adam Goldman
Sept. 28, 2025

Fears of U.S. surveillance drove Xi Jinping, China’s leader, to elevate the agency and put it at the center of his cyber ambitions.

American officials were alarmed in 2023 when they discovered that Chinese state-controlled hackers had infiltrated critical U.S. infrastructure with malicious code that could wreck power grids, communications systems and water supplies. The threat was serious enough that William J. Burns, the director of the C.I.A., made a secret trip to Beijing to confront his Chinese counterpart.

He warned China’s minister of state security that there would be “serious consequences” for Beijing if it unleashed the malware. The tone of the meeting, details of which have not been previously reported, was professional and it appeared the message was delivered.

But since that meeting, which was described by two former U.S. officials, China’s intrusions have only escalated. (The former officials spoke on the condition of anonymity because they were not authorized to speak publicly about the sensitive meeting.)

American and European officials say China’s Ministry of State Security, the civilian spy agency often called the M.S.S., in particular, has emerged as the driving force behind China’s most sophisticated cyber operations.

In recent disclosures, officials revealed another immense, yearslong intrusion by hackers who have been collectively called Salt Typhoon, one that may have stolen information about nearly every American and targeted dozens of other countries. Some countries hit by Salt Typhoon warned in an unusual statement that the data stolen could provide Chinese intelligence services with the capability to “identify and track their targets’ communications and movements around the world.”

The attack underscored how the Ministry of State Security has evolved into a formidable cyberespionage agency capable of audacious operations that can evade detection for years, experts said.

For decades, China has used for-hire hackers to break into computer networks and systems. These operatives sometimes mixed espionage with commercial data theft or were sloppy, exposing their presence. In the recent operation by Salt Typhoon, however, intruders linked to the M.S.S. found weaknesses in systems, burrowed into networks, spirited out data, hopped between compromised systems and erased traces of their presence.

“Salt Typhoon shows a highly skilled and strategic side to M.S.S. cyber operations that has been missed with the attention on lower-quality contract hackers,” said Alex Joske, the author of a book on the ministry.

For Washington, the implication of China’s growing capability is clear: In a future conflict, China could put U.S. communications, power and infrastructure at risk.

China’s biggest hacking campaigns have been “strategic operations” intended to intimidate and deter rivals, said Nigel Inkster, a senior adviser for cybersecurity and China at the International Institute for Strategic Studies in London.

“If they succeed in remaining on these networks undiscovered, that potentially gives them a significant advantage in the event of a crisis,” said Mr. Inkster, formerly director of operations and intelligence in the British Secret Intelligence Service, MI6. “If their presence is — as it has been — discovered, it still exercises a very significant deterrent effect; as in, ‘Look what we could do to you if we wanted.’”

The Rise of the M.S.S.
China’s cyber advances reflect decades of investment to try to match, and eventually rival, the U.S. National Security Agency and Britain’s Government Communications Headquarters, or GCHQ.

China’s leaders founded the Ministry of State Security in 1983 mainly to track dissidents and perceived foes of Communist Party rule. The ministry engaged in online espionage but was long overshadowed by the Chinese military, which ran extensive cyberspying operations.

After taking power as China’s top leader in 2012, Xi Jinping moved quickly to reshape the M.S.S. He seemed unsettled by the threat of U.S. surveillance to China’s security, and in a 2013 speech pointed to the revelations of Edward J. Snowden, the former U.S. intelligence contractor.

Mr. Xi purged the ministry of senior officials accused of corruption and disloyalty. He reined in the hacking role of the Chinese military, elevating the ministry as the country’s primary cyberespionage agency. He put national security at the core of his agenda with new laws and by establishing a new commission.

“At this same time, the intelligence requirements imposed on the security apparatus start to multiply, because Xi wanted to do more things abroad and at home,” said Matthew Brazil, a senior analyst at BluePath Labs who has co-written a history of China’s espionage services.

Since around 2015, the M.S.S. has moved to bring its far-flung provincial offices under tighter central control, said experts. Chen Yixin, the current minister, has demanded that local state security offices follow Beijing’s orders without delay. Security officials, he said on a recent inspection of the northeast, must be both “red and expert” — absolutely loyal to the party while also adept in technology.

“It all essentially means that the Ministry of State Security now sits atop a system in which it can move its pieces all around the chessboard,” said Edward Schwarck, a researcher at the University of Oxford who is writing a dissertation on China’s state security.

Mr. Chen was the official who met with Mr. Burns in May 2023. He gave nothing away when confronted with the details of the cyber campaign, telling Mr. Burns he would let his superiors know about the U.S. concerns, the former officials said.

The Architect of China’s Cyber Power
The Ministry of State Security operates largely in the shadows, its officials rarely seen or named in public. There was one exception: Wu Shizhong, who was a senior official in Bureau 13, the “technical reconnaissance” arm of the ministry.

Mr. Wu was unusually visible, turning up at meetings and conferences in his other role as director of the China Information Technology Security Evaluation Center. Officially, the center vets digital software and hardware for security vulnerabilities before it can be used in China. Unofficially, foreign officials and experts say, the center comes under the control of the M.S.S. and provided a direct pipeline of information about vulnerabilities and hacking talent.

Mr. Wu has not publicly said he served in the security ministry, but a Chinese university website in 2005 described him as a state security bureau head in a notice about a meeting, and investigations by CrowdStrike and other cybersecurity firms have also described his state security role.

“Wu Shizhong is widely recognized as a leading figure in the creation of M.S.S. cyber capabilities,” said Mr. Joske.

In 2013, Mr. Wu pointed to two lessons for China: Mr. Snowden’s disclosures about American surveillance and the use by the United States of a virus to sabotage Iran’s nuclear facilities. “The core of cyber offense and defense capabilities is technical prowess,” he said, stressing the need to control technologies and exploit their weaknesses. China, he added, should create “a national cyber offense and defense apparatus.”

China’s commercial tech sector boomed in the years that followed, and state security officials learned how to put domestic companies and contractors to work, spotting and exploiting flaws and weak spots in computer systems, several cybersecurity experts said. The U.S. National Security Agency has also hoarded knowledge of software flaws for its own use. But China has an added advantage: It can tap its own tech companies to feed information to the state.

“M.S.S. was successful at improving the talent pipeline and the volume of good offensive hackers they could contract to,” said Dakota Cary, a researcher who focuses on China’s efforts to develop its hacking capabilities at SentinelOne. “This gives them a significant pipeline for offensive tools.”

The Chinese government also imposed rules requiring that any newly found software vulnerabilities be reported first to a database that analysts say is operated by the M.S.S., giving security officials early access. Other policies reward tech firms with payments if they meet monthly quotas of finding flaws in computer systems and submitting them to the state security-controlled database.

“It’s a prestige thing and it’s good for a company’s reputation,” Mei Danowski, the co-founder of Natto Thoughts, a company that advises clients on cyber threats, said of the arrangement. “These business people don’t feel like they are doing something wrong. They feel like they are doing something for their country.”

nytimes.com EN 2025 US China Typhoon Spy Agency
Vietnam’s national credit registration and reporting agency hacked; most of the population affected – DataBreaches.Net https://databreaches.net/2025/09/08/vietnams-national-credit-registration-and-reporting-agency-hacked-most-of-the-population-affected/
10/09/2025 17:27:01

databreaches.net Posted on September 8, 2025 by Dissent

Some data breaches make headlines for the number of people affected globally, such as a Facebook scraping incident in 2019 that affected 553 million people worldwide. Then there are breaches that affect a country’s entire population or much of it, such as a misconfigured database that exposed almost the entire population of Ecuador in 2019, an insider breach that compromised the information of almost all Israelis in 2006, a misconfigured voter database that exposed more than 75% of Mexican voters in 2016, and the UnitedHealth Change Healthcare ransomware incident in 2024 that affected more than 190 million Americans.

And now there’s Vietnam. ShinyHunters claims to have successfully attacked and exfiltrated more than 160 million records from the Credit Institute of Vietnam, which manages the country’s state-run National Credit Information Center. Vietnam National Credit Information Center is a public non-business organization directly under the State Bank of Vietnam, performing the function of national credit registration; collecting, processing, storing and analyzing credit information; preventing and limiting credit risks; scoring and rating the credit of legal entities and natural persons within the territory of Vietnam; and providing credit information products and services in accordance with the provisions of the State Bank and the law.

While those affiliated with ShinyHunters bragged on Telegram that Vietnam was “owned within 24 hours,” ShinyHunters listed the data for sale on a hacking forum, and provided a large sample of data from what they described as more than 160 million records with “very sensitive information including general PII, credit payment, risks analysis, Credit cards (require you’re own deciphering of the FDE algorithm), Military ID’s, Government ID’s Tax ID’s, Income Statements, debts owed, and more.”

DataBreaches asked ShinyHunters for additional details about the incident, including how many unique individuals were in the data, because the country’s entire population is slightly under 102 million. ShinyHunters responded that the data set included historical data. They stated that they did not know how many unique individuals were involved, but were pretty sure they got the entire population.

Because this incident did not seem to be consistent with ShinyHunters’ recent campaigns, DataBreaches asked how they picked the target and how they gained access. According to ShinyHunters, they picked the target because it held a massive amount of data. The total amount of records (line) across all tables was like 3 billion or more, they said, and they gained access by an n-day exploit. On follow-up, DataBreaches asked whether this was an exploit that CIC could have been able to patch. There was no actual patch available, Shiny stated, as the software was end-of-life.

In response to a question as to whether the CIC had responded to any extortion or ransom demands, ShinyHunters stated that there had been no ransom attempt at all because ShinyHunters assumed they would not get any response at all.

DataBreaches emailed the CIC to ask them about the claims, but has received no reply by publication. If CIC responds to DataBreaches’ inquiries, this post will be updated, but it is important to note that there is no confirmation of ShinyHunters’ claims at this point, however credible their claims may appear.

It is also important to note that this post has referred to this as an attack by ShinyHunters and has not attributed it to Scattered Spider or Lapsus$. When DataBreaches asked which group(s) to attribute this to, ShinyHunters had replied, “It wasn’t a Scattered Spider type of hack … so ShinyHunters.” ShinyHunters acknowledged that they need to deal with the name situation, but said, “I don’t know how to fix the name problem considering for years everyone thought both are completely different groups.”

databreaches.net EN Vietnam data-breach ShinyHunters agency national credit registration
‘Large volume’ of data stolen from UN agency after ransomware attack https://cyberscoop.com/undp-data-stolen-ransomware/
21/04/2024 20:53:08

The attack is just the latest in a string targeting the multilateral body in recent years.

cyberscoop EN 2024 UN agency UNDP Copenhagen
Japan space agency hit with cyberattack, rocket and satellite info not accessed | Reuters https://www.reuters.com/technology/cybersecurity/japan-space-agency-hit-with-cyberattack-this-summer-media-2023-11-29/
29/11/2023 10:19:24

Japan's space agency was hit with a cyberattack but the information the hackers accessed did not include anything important for rocket and satellite operations, a spokesperson said on Wednesday.

reuters EN 2023 Japan space agency cyberattack
Swiss real estate agency fails to put a password on its systems https://cybernews.com/security/neho-real-estate-agency-data-leak/
31/05/2023 20:02:36
  • A misconfiguration of Swiss real estate agency Neho’s systems exposed sensitive credentials to the public.
  • Using leaked data, threat actors could potentially breach the company’s internal systems and hijack official communication channels.
  • Real estate agencies handle sensitive data, including customers' personally identifiable information, bank account details, and other data highly valued by cybercriminals. Ensuring cybersecurity is vital.
  • Cybernews reached out to Neho and the company fixed the issue.
cybernews EN 2023 Swiss Neho real-estate agency databreach leak CH