
Business Maverick

DIGITAL ATTACK

Hacktivists target SA government entities in cybercrime wave in response to xenophobia

South African sovereignty was already under siege from the baseless misinformation that President Trump used to welcome the Voetsekkers, but the latest round of xenophobia has inspired a digital attack from inside the continent. This is a war we are not ready for.

Lindsey Schutters
Nigerian cyber attackers are going hard at South African government entities in an act of retaliation linked to the xenophobic violence in SA. (Image: iStock)

There’s a memorable line in the legendary (for chronically online elder millennials) Key & Peele “Substitute Teacher” comedy sketch where the teacher confronts a student who corrected him over the pronunciation of his name. To paraphrase in the current South African context: “You done messed up March and March!”

March and March, of course, was the latest in a growing, ashamedly South African tradition of anti-immigration protests that devolve into xenophobic attacks on foreign workers and businesses across whichever metro the protest is happening. This has now inspired hacktivist groups like Nullsec Nigeria, the 404 Crew (not sure if it is the same 404 Crew that disrupted service delivery in IoT/smart city hacks in the US) and Infernalis to target Mzansi state institutions to steal data and hold it for ransom.

Daily Maverick’s friends in the dark web business, DarkNotify, can’t verify the method of attack. But since this current edition of #OpSouthAfrica — a parallel of the ongoing #OpAfrica accountability crusade by the global hacker network Anonymous — has been claimed by Nigerian threat actors, the assumption is that it involved phishing.

Precise pressure

South Africa is already losing the cyberwar across multiple fronts, and that’s only judging by the major cyberbreaches in the country in 2026.

At least we are in keeping with the global trends. According to the Palo Alto Networks’ 2026 Identity Security Landscape report, 90% of organisations surveyed experienced a successful identity-related breach in the last 12 months, with 83% suffering at least two.

Beyond that, and in keeping with the general vibes in the global tech industry, 55% of cybersecurity decision-makers cite AI-enabled identity threats — such as autonomous attack tooling and synthetic impersonations (deepfakes) — as their top concern for 2026.

So as threat actors leverage AI to identify vulnerabilities and launch attacks at machine speed, traditional, fragmented security controls are no longer sufficient. The enterprise cyberthreat environment is now dominated by non-human actors, with machine identities outnumbering human identities by what Trend Micro’s local execs described to Daily Maverick as an average ratio of 109:1.

That’s 109 AI hacks for every one done by a human.

Patchwork project

Because AI tools allow attackers to find vulnerabilities and mobilise exploit chains faster than software vendors can patch them, big-time enterprise cybersecurity vendors like Trend Micro and Cisco’s Talos division are using their global research capability to beat attackers to the punch.

Trend Micro is using its Zero Day feature in Amazon Web Services (AWS) data centres specifically for South African customers.

“Trend Micro ... discloses over 70% of all found vulnerabilities across the globe,” said Emmanuel Tzingakis, Trend Micro’s Africa and venture markets cybersecurity technical manager.

“So we discover and find 70% of those vulnerabilities and protect and disclose those vulnerabilities to vendors and protect our clients 90 days before the patch is even available.”

The system uses AI in vulnerability management to create a virtual patch that shields the customer’s environment in real time, buying them the necessary time to test and deploy official patches without breaking production systems.

This has forced a somewhat cringey rebrand to TrendAI, but at least that aligns the company with what is quickly becoming a core business as these AI-powered enterprise attacks increase.

From Africa to the world

Allan Juma, a cybersecurity engineer at Eset East and Southern Africa, is from Kenya and has seen the cyberattack capability grow in Africa over the course of his career.

He explained that cloud workload adoption in Africa is rising rapidly, with an estimated 40-50% of organisations now utilising cloud-first workloads.

However, he warns that this shift has engendered a dangerous assumption that cloud providers (like Google or AWS) take care of all security requirements. This fallacy leads to poor cyber hygiene and misconfigurations, resulting in a high volume of cyberattacks specifically targeting African cloud environments.

The official Eset view is that for the majority of organisations across Africa, email remains a massive vulnerability. Juma affirms this by naming phishing, quishing (fake QR codes), and spam emails as primary vectors for local threat actors.

He also says that “there is a positive shift in cyber awareness at the executive level”. Juma describes conversations with chief information officers becoming “really mature”, with leaders actively seeking out specific solutions rather than just waiting to be sold to.

Yawning gap

Despite this maturity, there is a gap in the landscape regarding locally developed cybersecurity products. While Juma believes the continent has the talent to build native solutions, he says that African applications are scarce, and any future local solutions must focus on filling unique gaps specific to the African market landscape.

For companies like TrendAI, the goal of modern cyberprotection is to anticipate the actions of autonomous AI agents rather than merely cleaning up after an intrusion.

There’s also the fight against “vendor sprawl” (where fragmented tools cause an average 12-hour delay in incident response).

“We are trying to get to that place where we are being proactive and not reactive anymore to threat actors,” explains Tzingakis.

“So we are trying to anticipate what threat actors are using, like autonomous agents at the moment, and are trying to stay ahead of that … be proactive and understand how threat actors could use those agents to exploit the environment.”

According to the hackers, the #OpSouthAfrica campaign has successfully hit several major institutions, including the South African Civil Aviation Authority, the South African National Space Agency, the South African Social Security Agency, the Department of Human Settlements and the National Housing Finance Corporation.

The stolen data, in keeping with the latest trend of local breaches, includes full databases, citizens’ personally identifiable information, financial records and internal employee data.

According to the experts, the threats we see across the continent aren’t usually SQL injection and cross-site scripting. But it’s amazing what incentive and a global network of allies can do. DM
