New details about Transnet cyberattack
Transnet has been the victim of a ransomware attack, eNCA journalist Sli Masikane has reported.
The report stated that Transnet employees received notices to disconnect all their devices from the state-owned logistics company’s network and not to access their emails on their phones.
Masikane also posted a screenshot of the ransomware note left by the attackers containing an address to a chat service on the dark web.
News emerged yesterday from within the freight and logistics industry in South Africa that Transnet had been the victim of a cyberattack and its IT systems were offline.
This led to speculation regarding whether Transnet was hit with a regular ransomware attack or whether the attack is related to the recent public violence in South Africa.
President Cyril Ramaphosa has characterised the riots and looting that gripped parts of KwaZulu-Natal and Gauteng earlier this month as a failed insurrection.
The acting minister in the Presidency, Khumbudzo Ntshavheni, said during a recent media briefing that government is currently treating the attack on Transnet as unrelated to the insurrection.
“We are investigating, and when information comes to the fore, we will either confirm or dispel whether the incident is related,” Ntshavheni said.
Masikane posted screenshots of two messages that were reportedly sent to Transnet employees yesterday. The first stated:
URGENT! Please communicate to all your teams to shut down all laptops, desktops & tablets connected to the domain. Also DO NOT access emails on your phones until further notice. No MS Teams meetings until further notice
The second message was as follows:
Good Morning All. Urgent message from ICTM. Transnet systems have been hacked and compromised. Please disconnect from the Transnet network immediately until advised otherwise. This impacts remote access via APN/VPN (3g or home Wifi) or direct access via LAN if you are in the office. This will also include Outlook (emails). You can continue to only work offline on your machine.
MyBroadband visited the address and tried to contact the attackers, but the chat service prompts for an account name and password.
Apart from the login prompt, we received no response to the messages we posted on the chat service.
Transnet downplayed the severity of the impact on its operations, saying that its freight rail, pipelines, engineering, and property divisions reported normal activity.
It said port terminals are operational except for container terminals, as the Navis system on the trucking side has been affected.
However, Transnet also admitted that the Ports Authority only continues to operate because vessels moving in and out of the port are being recorded manually.
According to Transnet’s statistics for June 2021, it processed 13,135 containers per day at its terminal facilities.
The economic impact of an extended outage of its IT systems would be devastating.
Navis issued a statement emphasising that its system was not the source of the disruption affecting Transnet.
It said in its statement that Transnet shut down all its systems, including the servers running Navis’ N4 application, as a precautionary measure.
“Navis […] is in close contact with the Transnet team as they work to identify and isolate the cause of the disruption and restore operations,” the company stated.
Jayson O’Reilly, the head of Atvance Intellect’s cybersecurity division, told Bruce Whitfield on 702 that unless Transnet was properly prepared for a cyberattack, it could take weeks or even months to recover its systems.
O’Reilly said that how quickly Transnet recovers from the attack depends on how well it has been practising standard IT hygiene:
- Has Transnet been applying regular security patches to its systems?
- Does it have recent backups, and were those backups kept in a location where the attackers couldn’t corrupt them?
He noted that in the recent example of the attack on Virgin Active in May 2021, it took the company six to eight weeks to get its systems up and running.
O’Reilly said that the recent civil unrest might have painted a target on South Africa’s back.
“The reality is — we were in the news for seven days,” said O’Reilly.
“That’s exactly the kind of media attention cybercriminals look for.”
O’Reilly said that the attackers might not have set out to target Transnet specifically.
“A lot of these attacks are built on machine learning,” he said.
“They don’t know who they’re attacking in many cases until the vulnerability is flagged and they get into the organisation and use their reconnaissance techniques.”
According to O’Reilly, ransomware groups tend to run sophisticated, well-funded environments.
“They are multi-jurisdictional, and they anonymise their activities,” he said.
However, just because the attackers have sophisticated capabilities, that does not mean the attack they used against Transnet was advanced.
“We’d like to think that they are really advanced attacks, but in some cases, they are the simplest social engineering attacks,” said O’Reilly.
“They are looking at soft targets. They are looking at people that are not managing their environments.”
O’Reilly said that there had been a trend of ransomware gangs targeting national governments, such as the recent attack on Colonial Pipeline in the US.
Bloomberg reported that the hack that took down the largest fuel pipeline in the US and led to shortages across the East Coast resulted from a single compromised password.
“They are looking at how they can bring down critical infrastructure, and that is becoming a worrying factor that we’re seeing across the globe,” said O’Reilly.
“Whether they think they can get money or not and whether they understand our economy or not — they are going to try.”
MyBroadband has repeatedly tried to reach Transnet for comment but received no response from the state-owned company.