The ransomware attack on Transnet’s IT infrastructure that caused activity at South Africa’s ports to slow to a crawl was an act of cyberwarfare, Rapport and its sister paper City Press reported.
The papers quoted Noëlle van der Waag-Cowling, cyber programme lead at the Security Institute for Governance & Leadership in Africa at Stellenbosch University, who said that ransomware gangs often acted on behalf of other states or third parties.
Van der Waag-Cowling said that the attack might have been launched from within South Africa.
According to her, the attack on Transnet was in a different class to similar attacks seen in South Africa on healthcare institutions, City Power, and the Civil Aviation Authority.
She said that the major difference is that the attack on Transnet was a systemic cyberattack.
It caused a cascading, systemic failure at a regional and national level, including economic damage and food insecurity, which could lead to societal instability.
For these reasons, the Transnet attack is not a mere cybercrime, said Van der Waag-Cowling.
Stephen Osler of NClose told the Sunday papers he believed the Transnet attack was unlikely to be politically motivated.
Osler said that the main motive of this type of attack is profit.
One example is the REvil ransomware group that operates out of Russia, which earned $100 million last year, Osler said.
Transnet was hit by a ransomware attack on 22 July, resulting in the state-owned rail, port, and pipeline company shutting down its computer systems.
The company told staff not to use laptops, desktops, and tablets connected to the Transnet domain and not to access work emails from their personal devices.
Transnet declared force majeure on 27 July. Force majeure is a common clause in contracts that frees all parties from liability when an extraordinary event occurs.
Information security firm CrowdStrike said that the ransomware note found on Transnet’s systems was similar to others it had seen in recent months.
It is linked to ransomware strains known as “Death Kitty,” “Hello Kitty,” and “Five Hands,” said Adam Meyers, vice president of intelligence at CrowdStrike.
These strains were recently found targeting Polish video game maker CD Projekt and exploiting security vulnerabilities in SonicWall products.
The attack on Transnet caused operations at its container terminals to grind to a near-standstill.
With its IT systems shut off, Transnet had to fall back on manual systems to handle incoming and outgoing ships, and the moving of containers.
“The Durban Container Terminal, Pier 2 is currently doing an average of 160 container moves per hour against the target of 150 moves” (Transnet SOC Ltd, @follow_transnet, July 30, 2021)
Public Enterprises Minister Pravin Gordhan said on Wednesday that Transnet had fully restored operations at its ports after reinstating its automated terminal-operating system.
Transnet’s statistics for June 2021 show that it normally processes around 13,135 containers per day at its terminal facilities.
Durban’s Pier 1 and Pier 2 container terminals are responsible for over 7,500 of that daily quota.
In a Twitter post on Friday, the state-owned logistics operator said it averaged 160 container moves per hour — or 3,840 per day — at Pier 2 at the Durban container terminal.
Speaking to City Press and Rapport, United National Transport Union spokesperson Sonja Carstens said Transnet had mostly restored port operations. Still, many other systems at Transnet are not close to ready.
According to the reports, the Transnet Port Terminals email system was available again on Thursday. More than 7 million emails had piled up since Transnet took its systems offline on 22 July.
While Transnet’s Freight Rail and National Port Authority staff can view their emails, they can’t open them yet. Email systems for Transnet Pipelines, Properties, and Engineering are still not available.
Carstens also said that Transnet staff worked through last weekend to ensure the institution paid the salaries of its 54,000 employees.