The LockBit ransomware gang said it was behind an attack on South Africa’s government workers pension fund last month, which has hampered the organization’s operations and disrupted pension payments.

The South African Government Pensions Administration Agency (GPAA) manages the money within the Government Employees Pension Fund (GEPF) — the largest pension fund in Africa — administering the pensions of about 1.7 million government employees and pensioners as well as their spouses and dependents.

A spokesperson for GEPF told Recorded Future News that it was aware of LockBit’s claims and “extremely concerned” about the data purportedly leaked by the gang. The spokesperson noted that they were initially told by the GPAA that “no data breach had occurred” after being notified of the cyberattack on February 16.

“This morning, 12 March 2024, following the release of certain GPAA data by LockBit on 11 March 2024, the GEPF has been informed by GPAA that preliminary investigations has found that the certain GPAA systems were compromised,” the spokesperson said.

“The GPAA is investigating the alleged data breach and whether this impacts the GEPF. GPAA has reconfirmed that preventative action was taken when it became aware of the attempted access to its systems which included ‘shutting down’ all systems to isolate affected areas. GPAA further confirmed that pension payments are not affected.”

The GPAA did not respond to requests for comment. The GEPF spokesperson said it is working with the agency as well as the South African National Treasury to “establish the veracity and impact of the reported data breach and will provide a further update in due course.”

Local news outlets reported that no pension payments went out to recipients starting on February 12, and the organization’s offices were closed from February 16 to February 21. The office said in a statement that it was due to “an attempt to gain unauthorized access to [the organization’s] systems.”

Service at regional offices were restored afterward, and claims can now be submitted.

“The Government Employees Pension Fund once again apologizes for the inconvenience this has caused to the members, beneficiaries and pensioners. We reiterate that no payments were affected by this incident, and pensioners and members will receive their benefits as per their usual payment dates,” the organization said last month.

“The GEPF assures its members, pensioners, and beneficiaries that their benefits and personal information are safe, and that the administration system has not been compromised.”

South African government institutions have been battered by ransomware gangs over the last year. A state-owned bank was attacked last June. In September, South Africa’s defense department was hacked by the Snatch gang.

The gang leaked the personal phone number and email of the country’s president alongside a portion of the 1.6 terabytes of data stolen from the country’s defense systems. The government initially denied the attack before admitting that a breach did occur.

LockBit leaking old data

Although law enforcement agencies took down LockBit’s infrastructure on February 19, the group on Monday said on its leak site that it was behind the GPAA attack.

Cybersecurity expert Valéry Rieß-Marchive said that LockBit might be making new posts to maintain an appearance that it is still active, but it is simply hawking data stolen during attacks done before the takedown operation.

LockBit was the most prolific ransomware group in the world before it had its website seized as part of the international law enforcement operation led by the U.K.’s National Crime Agency (NCA), the FBI and Europol.

The gang tried to revive its floundering operation two weeks ago with a new website, and began to post dozens of victims.

Ransomware expert Allan Liska said completely shutting down LockBit was always going to be difficult due to the large number of affiliates the gang had at its disposal. The NCA said it identified 187 affiliates, but Liska said there are likely more.

Despite the continued posting from LockBit, Liska said the takedown does appear to have slowed down the group — at least for now.

“There are still attacks happening but — so far — there are a lot fewer,” he said.

“But, I also think we need to treat these new attack claims with skepticism (as with anything LockBit claims). Many, if not most, of the ‘new’ attacks posted by LockBit are recycled from before the [takedown]. [The gang’s leader] LockBitSupp is trying to save face here, but appears to be doing so, at least in part, by pretending old attacks are new.”