DM168

INVESTIGATION

Cyberattacks: South Africa, you’ve been hacked

(Credit: Gallo Images / Unsplash)

Recent cyberattacks on South Africa have shown how vulnerable the country is to cybercriminals and ransomware assaults, which pose a threat to people, the economy and infrastructure.

Online crooks are increasingly targeting South Africa, which now has the third-highest number of cybercrime victims in the world. This costs about R2.2-billion annually.

In the first quarter of this year, South Africa was also the worst affected on the continent in terms of targeted ransomware attacks, which can affect critical infrastructure.

This is according to Interpol’s African Cyberthreat Assessment Report released in October.

It comes as the Department of Justice and Constitutional Development recovers from a debilitating ransomware attack that unfolded in September, affecting all its electronic systems.

Transnet and its division that operates SA’s biggest ports were also the target of a cyberattack earlier this year that affected crucial systems.

And the National School of Government was previously targeted by criminals, while the private hospital group Life Healthcare was targeted last year in an attack that affected admissions systems and email servers.

These incidents paint a worrying picture of how vulnerable South Africa is to cybercriminals and even cyberwarfare.

A possible example of cyberwarfare, showing how far-reaching and detrimental it can be to residents, is the attempted poisoning of a water plant in Florida in the US earlier this year. It was reported that a hacker increased sodium hydroxide levels in the water supply that reached a town of 15,000 people.

The attack was thwarted.

This week malicious cyberactivities also made global headlines – and this had suspected links to South Africa.

The US Department of Commerce’s Bureau of Industry and Security added four companies – two Israeli, one Russian and one in Singapore – to its Entity List; in other words, to its trade restriction list.

“NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers,” a statement said.

“Positive Technologies (Russia) and Computer Security Initiative Consultancy Pte Ltd (Singapore) were added to the Entity List based on a determination that they traffic in cybertools used to gain unauthorised access to information systems, threatening the privacy and security of individuals and organisations worldwide.”

Israel’s NSO Group developed Pegasus spyware and in 2018 the Canadian-based Citizen Lab, involved in “investigating digital espionage against civil society”, reported that suspected Pegasus-infected devices were traced to 45 countries, including South Africa.

Reports recently emerged that President Cyril Ramaphosa may have been among those spied on via his phone.

Red flags have previously been raised about South Africa and cybercrime.

Deputy Police Minister Cassel Mathale, in the 2019/20 South African Police Service Annual Report, acknowledged it as an evolving problem.

“The Fourth Industrial Revolution (4IR) implies significant technological advancements for the country and the continent, but also involves significant risk,” he said.

“The threat to the South African economy and population posed by the malicious and criminal targeting of cyberspace is significant and must be countered and acted upon.”

According to the October 2021 Interpol report, there is a “critical absence of cybersecurity protocol, cyber-resilience as well as mitigation and prevention measures for individuals and businesses” in Africa.

There are more than 500 million internet users across the continent. Kenya has the most online citizens, followed by Nigeria, then South Africa, with about 56% of its population online. Mobile banking, used widely in these countries, was flagged.

“It poses a significant future threat, with the rise in malicious apps on mobile devices exploiting increasing vulnerabilities,” the report said.

“The growing rate of digital transformation within the African region is facilitating the emergence of new attack vectors and opportunities for cybercriminals.”

It said that from January 2020 to February 2021 a multinational cybersecurity software company, Trend Micro, recorded millions of threat detections – 679 million email threats, 8.2 million file threats and 14.3 million web threats.

“More specifically, South Africa had 230 million threat detections in total, while Kenya had 72 million and Morocco 71 million,” it said.

“In South Africa, 219 million detections were related to email threats. South Africa also had the highest targeted ransomware and BEC [business email compromise] attempts.

“The exploitation of these vulnerabilities within South Africa was further highlighted by [Irish-based company specialising in IT services] Accenture, who identified that South Africa has the third highest number of cybercrime victims worldwide, at a cost of R2.2 billion a year.”

This country also stood out on the continent in terms of ransomware. “South Africa was the country most heavily affected by targeted ransomware in the first quarter of 2021, with a variety of families such as Crysis, Nefilim, Ryuk, Clop, and Conti ransomware,” the report said.

Some of South Africa’s most crucial departments have recently been the targets of effective online hijackers.

Enrico Calandro, co-director at Cybersecurity Capacity Centre for Southern Africa, told DM168 that, because it was not yet publicly known who was behind the attacks, it was not clear if these were opportunistic or specifically targeted.

“Utilities and other national critical infrastructures, as well as IT systems of state departments, are vulnerable to attacks because of the essential services they offer – be it water or electricity supply, transport in the case of Transnet, or public services,” he said.

“They are often exclusive suppliers of these services, thus offering a single point of failure.”

In one of the most recent cases, the Justice and Constitutional Development Department was hit in September when its “IT systems were encrypted and unavailable to officials and the public and affecting all of the department’s electronic systems”.

The trickle-down effect was immense, with the running of courts affected and payments to maintenance beneficiaries delayed.

“Focused support continues to be given to courts across the country to ensure that court proceedings are not negatively affected by the IT system challenges,” a statement at the time said.

An IT team worked with others and introduced standard procedures for manually operated court recording technology systems.

“The Master’s Offices around the country continue to, as interim measure, use a manual process to provide bereaved families, in exceptional cases, where there is a need to access funds from the deceased’s banking account for burial costs,” the statement said.

By October the department had managed to stop the spread of malware.

An assessment of “1,200 files containing personal information that may have been compromised during the attack” had been completed.

Two months earlier, on 22 July, Transnet and Transnet Port Terminals were targeted, resulting in Transnet declaring force majeure at container terminals.

Some operations had to be switched to manual.

Some experts have observed that the attack against Transnet caused a cascading, systemic failure at a regional and national level, including economic damage and food insecurity, which could lead to societal instability and therefore it could be an act of cyberwarfare.

The Transnet attack happened the same month as the attempted insurrection events centred in KwaZulu-Natal, some of which were fuelled on social media platforms including Twitter.

Parliament later heard that “cyber capabilities are seriously lacking” in the police service and Hawks.

“Much of the [KwaZulu-Natal related] unrest happened on social media and governmental departments were concerned about manipulation of social media posts,” said the minutes of a September Parliamentary meeting about an oversight visit to that province.

“Due to the fact that the Cybercrimes Act 19 of 2020 is not yet in operation, they [the authorities] had to use the Electronic Communications Act 36 of 2005.”

Ramaphosa signed the Cybercrimes Act into law earlier this year, but it was not immediately operational.

Calandro told DM168 that acts that disrupted critical infrastructure amounted to “an armed attack” and could be considered cyberwarfare.

“Some experts have observed that the attack against Transnet caused a cascading, systemic failure at a regional and national level, including economic damage and food insecurity, which could lead to societal instability and therefore it could be an act of cyberwarfare,” he said. “However, only governments, organs of the state, or state-directed or state-sponsored individuals or groups can engage in cyberwarfare.

“Other experts instead observed that the Transnet ransom note was similar to others seen in recent months, linked to ransomware strains known variously as ‘Death Kitty’, ‘Hello Kitty’ and ‘Five Hands,’” Calandro said.

It was reported that the attack could have been carried out by Eastern European or Russian criminals. This week a Transnet official told DM168 there were no new developments to report.

In an October 2021 response to Parliamentary questions about the cyberattack, Public Enterprises Minister Pravin Gordhan provided some details.

He said that all information and communications technology systems had been shut down to stop the spread of malware.

“Some servers and some workstations that were online at the time of the attack were encrypted by the ransomware…

“It was a ransomware attack. There is a criminal investigation in progress.”

The attack had a ripple effect. “Container volumes were delayed as a result of the cyberattack or the resulting congestion. However, most imports and exports would still be serviced through SA or neighbouring ports, albeit later than originally planned,” Gordhan said.

“Automotive vessels were delayed due to system unavailability, which was mitigated by the implementation of manual processes. Some vessels have been diverted between terminals and other delayed volumes have caught up.”

He said Transnet had been rolling out extra network security measures and this was fast-tracked.

Meanwhile, it appears the National School of Government (NSG), the state’s training institution meant to build public service capacity, was a cybercrime victim.

This week the NSG did not respond to a DM168 query about the attack. Details on that attack previously emerged in Parliament.

“The global pandemic created even further challenges for the NSG because as it was shifting its work to be more in line with technology, to deliver its services, it ended up becoming a victim of ransomware,” March 2021 Parliamentary meeting minutes said.

“The NSG was required to pay about R2-million which was unbudgeted for, because it faced a crisis of losing its ability to use its system. When the system was lost for about two months, the NSG could not generate some of the quotations for people who wanted to train virtually. Covid therefore had a major impact on its operations.”

There have been some major cybercrime crackdowns in other countries.

In September 2021, Ireland’s Garda National Cyber Crime Bureau announced it had seized domains used in ransomware attacks in an operation targeting a cybercrime group based in Russia.

A Garda National Cyber Crime Bureau statement said the seizure of domains prevents “a large number of further Ransomware Attacks across the world”.

“To date a total of 753 attempts were made by ICT [information and communications technology] systems across the world to connect to the seized domains,” it said.

“In each instance, the seizure of these domains … is likely to have prevented a Ransomware Attack on the connecting ICT system, by rendering the initially deployed malware on the victim’s system as ineffective.”

At the time, asked if South Africa had perhaps been targeted or affected in any way, Emma Farrelly of the Garda Press Office responded to a Daily Maverick query: “There is no further information being made available in relation to this investigation.”

UNDERWORLD ONLINE

  • 230 million threat detections in SA in a year
  • National School of Government targeted in ransomware attack costing around R2-million
  • All electronic services affected, and 1,200 personal files possibly compromised in Justice and Constitutional Development Department attack
  • Eastern European or Russian cybercriminals possibly behind Transnet Port Terminals attack
  • Ireland’s cybercrime police seized domains in an operation targeting a Russian group thereby preventing ransomware attacks across the world
  • US blacklists Israeli firm that supplied Pegasus spyware – apparently traced to countries including SA – to foreign governments, allegedly to “maliciously target” figures including state officials, activists, and journalists

(Sources: Interpol’s African Cyberthreat Assessment Report, Parliamentary meeting minutes, government press releases, research)

DECODING CYBERATTACKS

Enrico Calandro, co-director at Cybersecurity Capacity Centre for Southern Africa, explains different types of attacks:

  • Malware or ‘malicious software’ is intrusive software designed to cause damage to computer systems and data, or to gain unauthorised access to a network.
  • “It may have a variety of goals. For instance, it may trick victims to provide personal data for identity theft, it could steal credit card or other financial data and information, it could take control of multiple computers to launch denial-of-service attacks, or it could infect computers and use them to mine bitcoin or other cryptocurrencies.
  • “Ransomware is a form of malware that encrypts the victim’s data and files until a ransom is paid. The demand normally involves intimidating messages which instil fear and panic into the victims, and a deadline after which the ransom might increase or the data and files will be deleted.
  • “Only after the ransom is paid [will] the attacker [provide] a decryption key to restore access to the victim’s data. In some cases, a decryption key is not sent even after the payment of the ransom. Normally, payment is demanded in virtual currency, such as bitcoins.” DM168

This article was updated on 8 November 2021 following feedback from the National School of Government. 

This story first appeared in our weekly Daily Maverick 168 newspaper, which is available for R25 at Pick n Pay, Exclusive Books and airport bookstores.
