Cybercriminals hack ZESA and have control of critical systems and terabytes of sensitive data?

Leonard Sengere

Could there be more to the broken ZPC website than we initially thought? Could the actual situation be much worse than a 404 error on a website? It’s possible. Let’s talk about it.

There is a gang of cybercriminals that call themselves the Everest Ransomware group. As the name suggests, they specialise in ransomware.

Everest’s ransomware is designed to encrypt files on the victim’s computer and then demand a ransom payment in exchange for the decryption key. The group also threatens to leak the victim’s data if the ransom is not paid.

In addition to ransomware attacks, Everest also engages in initial access brokering. This means that they sell access to compromised systems to other cybercriminals, who can then use the access to launch their own attacks.

The group has claimed to have compromised the systems of major organisations, such as AT&T, the largest provider of mobile telephone services in the United States. They have also claimed to have compromised NASA and other aerospace companies.

Closer to home, Everest claims to have hacked Eskom down in South Africa.

The same Everest group is now claiming that they attacked ZESA Holdings.

ZESA hacked?

ZESA Holdings

Today, the servers of the entire infrastructure of ZESA HOLDINGS (90% of the country's electricity manufacture) were attacked, including the divisions ZETDC, ZENT, Powertel, ICS, IPMP, Smartvend and various Oracle servers; a big part of the backups was also attacked.

Terabytes of internal (and interesting) data has been exfiltrated to our servers

  1. Internal financial data (including World Bank data and Indian bank transactions and documents)
  2. Various system documents of partners, such as Indra(ES) and Inhemeter(CN)
  3. Employee’s Personal data
  4. Smartvendor customer data and previous customer personal data

The general managers of the company were re-notified about this situation. In order to restore systems and prevent the publication of data and subsequent damage, the person in charge should contact us using the instructions as soon as possible.

Apparently, Everest posted the above message on the dark web and it was picked up by some cybersecurity firms that have been following the activity of the group for years. I am not about to mess around on the dark web trying to verify that they made the claim and get myself on an Interpol watchlist.

We can trust that cybersecurity firms are telling the truth and then consider what that would mean. We have reached out to ZESA and will update you when we get a response.

Before we explore all this, do note that it may not be true. We mentioned above that Everest claims to have attacked AT&T in October 2022 but AT&T denied the claims. Do note though that many organisations pay these ransoms in secret to avoid reputational damage. AT&T could have paid.

What Everest is claiming

ZESA Holdings has a number of subsidiaries:

  • Zimbabwe Power Company (ZPC), which is responsible for power generation
  • Zimbabwe Electricity Transmission and Distribution Company (ZETDC), which distributes
  • ZESA Enterprises (ZENT), their investment branch
  • PowerTel Communications (Private) Limited, an internet provider

Everest claims to have attacked the servers of the holding company and its subsidiaries, except for the power generation unit, ZPC. They say they have copied all the data stored on those servers. In addition, they still retain access to the systems and may be holding some of it hostage too.

If true, they have access to sensitive data: the financial and employee data mentioned in their statement, for a start.

If you couldn’t care less about the above, what about your own data, which is apparently part of the haul Everest has? If you are connected to the national grid or were once connected, Everest has data on you.

What can they do with it though, except damage the reputation of an organisation that has a terrible one to begin with? – you probably don’t care.

Unpacking the acronyms and unfamiliar terms

Regardless, here is what some of the other acronyms in their statement mean:

ICS – they are probably referring to the Industrial Control System. It is a type of computer system that is used to control industrial processes. ICSs are used in a variety of industries, including power generation.

Interesting fact – ICSs have been attacked by criminals and rival governments in recent years. The Stuxnet attack on Iran’s nuclear program and the Triton attack on the Ukrainian power grid are good examples.

IPMP stands for IP Network Multipathing. It is a feature in some operating systems that allows you to group multiple network interfaces into a single logical interface. This can be useful for improving network performance and reliability.

SmartVend is a web-based vending management system for utility companies. In other words, it is a prepayment electricity vending system.

Staying on SmartVend, this vending system is supplied by the Chinese company, Inhemeter. The Everest ransomware group claims to have the system documents of Inhemeter and other ZESA partners.

For those so inclined, here are the functions and system architecture of SmartVend

Not a new hack

This is not the first time we have heard about Everest hacking ZESA. It’s been a few years since we first heard of it. That is why Everest says “The general managers of the company were re-notified about this situation.”

It appears ZESA has not paid up and so Everest is re-threatening them. Why would ZESA refuse to pay? There are a number of possible reasons:

  • Everest is lying and ZESA has not been compromised
  • ZESA has been hacked but believes there is little Everest can do to disrupt its operations. In other words, that it is so analogue as to be invulnerable to cyber-attacks.
  • ZESA does not have the money but is scrambling to pay

I’ll let the engineers school us on what could actually be going on here. The fact that Everest seems to have been struggling to get ZESA to pay makes for an interesting story.

I know many of you have a better idea of what’s going on here, so do let us know in the comments section below.

Also read:

ZPC website that gives us electricity generation info is down, incompetence or something else?

Want to pay for ZESA using USD? Here’s all you need to know


32 comments

  1. Problem Child

    Going into the elections, the government made the electorate believe the power woes were over. The article is enlightening, and I extracted this angle in your possible reasons – lies being peddled by ZanuPF because judging by the power cuts of late, we might be going back right where we started.

    1. Anonymous

      *expected this angle…

      1. Hoodnut

        My question remains the same. What is the worth of Zimbabwean customers data, what can they do with it because about 90% of our private data is very much useless to them on the greater scheme of things.

        1. Leonard Sengere

          I kind of agree. Zimbabweans don’t really care about their data leaking. Hence Zim organisations are not worried about criminals accessing user data as much as companies in other countries do.

          1. Dzviti

            Ok soo my name, address and meter number are in the hands of some gangsters! Please enlighten me what they could possibly do with that data that I should be losing my sleep over! Meanwhile pass me a 20 Everest pack so that I smoke it while I wait for your response! 🤔🤔🤔

            1. Traindriver

              My brother you’re ungovernable 😂

    2. Problem Child

      *expected this angle…

    3. 3Petabytes

      Identity theft and use for online criminal activities… there’s no PII that’s useless unless you’re a fool to think so

    4. Leonard Sengere

      We have to expect that we’re being lied to constantly. I do not expect anything less than that from politicians especially during election season.

    5. Anonymous

      Shame ‘problem child’ you are in such pain to see things running smoothly in the country.

      Prepare for greater pain when the Zanu PF you accuse lying romps home to a landslide victory.

  2. Geralt of Rivea

    Hopefully all my debts are gone from the ZESA records thanks to Everest

    1. Leonard Sengere

      If only ZESA had gone fully paperless. Those records are probably still in some lever arch file in a backroom somewhere.


  4. Deadbeat dad

    So they hacked them before – threatened to leak the info – didn’t do so but now they will? “Hey, it’s us again… Remember when we said we would totally leak stuff if you didn’t pay us and then we didn’t. We still have that stuff! This time we will leak it. We tried being reasonable with you guys but this time we are not playing around!”

    1. Leonard Sengere

      😂😂 They probably realised ZESA is almost analogue and their access to systems doesn’t really do anything. They will also realise that nobody cares about meter numbers leaking in these parts.

      1. Tkt

        I think if they did access such details, they can really cause harm to ZESA by crediting power units to various individuals, create fake invoices, make the Firm lose millions if not billions merely by giving away free energy
        Kkkkk

  5. Zimbabwe Electricity Supply Authority

    The only Everest we are aware of is the cigarettes.
    Sincerely, ZESA

    1. Leonard Sengere

      🤣 Not this computer stuff.

      1. Tkt

        Anyway, how do I access the DarkNet

        1. Soja

          Tor browser

          1. Reaven

            Then what…. Tor is just a gateway to the deep web. You need to know the specific site address you want to visit…

  6. 3Petabytes

    Until ZESA confirms and notifies the public about the breach, then we can fully acknowledge this

    1. Leonard Sengere

      I agree with cyber-net, they won’t admit unless and until Everest leaks some data that they shouldn’t have as proof.

  7. The Empress

    This is why we have to dump the US$!
    When we were only using the toilet tissue that we call the Zim $(ZWL) we never had to deal with such nonsense! The fact that the ZWL was constantly losing value and not worth the effort, is besides the point!
    Now ever since we got hackers coming to Zimbabwe? First it was Nat foods now ZESA comrades it’s just not worth it!
    Bring back the ZWL!

    1. Leonard Sengere

      Guess dollarisation comes with its own problems. We have old equipment running old software, a lax attitude on cyber security and millions of USD to play with. We are a sitting duck.

  8. Cde che

    Zesa could have been hacked but they are afraid to say it to the public or they have been instructed to keep quiet by their bosses at Munhumutapa. I also believe that customers data they have is not useless like some are saying on this platform. It can be used. I’m more interested in info about zesa deals

    1. Leonard Sengere

      I agree that they won’t readily admit anything.

      The customer data they have can be used, yes, but ZESA would only feel the pressure if Zimbos would be on their case about the data leaking. If Zimbos are chill about it, as they will be, it will be a non-event. Worse still, consider that most Zimbabweans have none of their details over at ZESA. The majority in the rural areas don’t have access to electricity. In the urban areas, most people are renting and do not have their names and addresses on any ZESA server.

      I’m with you on the ZESA deals, the partner information that’s mentioned. Should make for interesting reading if leaked.

  9. Magetsi

    Word says “it’s True”

  10. Pizol Ma Nizol

    Shame, they hacked a useless system. Like we care, meter number and address. And then what

    1. Reaven

      On the customers’ side it might feel like it’s nothing. Take some time to think about it from ZESA’s perspective… They rely on that data to cross reference any issues.

  11. Byron W

    They can ask for help, I’m no professional but we can help

    1. CONNECT

      If only they could do nice things like hacking such organizations as Zec then we’d be interested, not Zesa, we really don’t care two cents about it
