Security 4.01.2025

Cybercriminals take aim at South Africa

Throughout the year, South Africa’s public sector experienced several cyberattacks that rendered many state entities’ critical infrastructure unusable for long periods.

The year kicked off with a bang, with Orange Cyberdefense senior security researcher Wicus Ross telling MyBroadband that South Africa’s cyber extortion victim count increased by 107% from Q2 2023 to Q1 2024.

“For the period analysed, Africa saw the second-highest increase globally as a percentage,” said Ross.

In addition, Allianz’s recent cyber security report for 2024 placed South Africa 14th among the countries hardest hit by data breaches because of its average recovery cost of R49 million for such an attack.

A data breach refers to the unlawful exposure of confidential and sensitive information. Attackers often obtain this information to extort their victims.

Such a breach could result from a ransomware attack, which involves encrypting the victim’s data and extorting them for a decryption key.

Similarly, cybersecurity firm Sophos’ State of Ransomware in South Africa report for 2024 found that the mean ransom payment made by firms was R17.9 million compared to the average recovery cost of R19.44 million.

The recovery cost excludes all ransom payments.

The report was based on a survey of 330 IT and cybersecurity firms conducted between January and February this year.

The first major infiltration of public systems occurred in February when the Government Employees Pension Fund (GEPF) suffered a cyberattack.

While the GEPF initially claimed that no data was compromised during the breach and payments were unaffected, it did have to shut down its systems as a preventative measure.

However, the claim that no data was compromised was false. The ransomware gang LockBit released a 668GB archive that it said contained data it stole from the agency in March 2024.

The GEPF released a statement shortly afterwards saying it was “extremely concerned” to hear about the data breach.

It said its administrator, the GPAA, had told it no data breach had occurred.

Around the same time, the Department of Public Works and Infrastructure (DPWI) saw its accounting system breached in March, April, and November this year, with an estimated R55 million lost due to the attacks.

This is according to Carol Phiri, chairperson of the Portfolio Committee on Public Works and Infrastructure, who was recently scathing about the department’s Sage financial system.

She said the breaches led to four employees being suspended. However, three have since returned to work.

The Minister of Public Works and Infrastructure, Dean Macpherson, acknowledged the issue and said the Sage system was unfit for purpose and should never have been acquired.

Macpherson said the department should have worked with existing systems within the National Treasury or used off-the-shelf alternatives.

It is unclear why Sage is being blamed for the breaches.

Asked for comment, Sage Africa and Middle East managing director Pieter Bensch told MyBroadband they were aware of the remarks made in the Parliamentary Portfolio Committee.

“We take these concerns seriously and are engaging with the department and relevant stakeholders to gather more information, investigate the issues raised, and understand the specific incidents mentioned as quickly as possible,” said Bensch.

“Ensuring the integrity and reliability of our solutions remains a top priority, and Sage continues to take all necessary steps to ensure compliance with all regulatory and government requirements to uphold the highest standards for our customers.”

In June, the National Health Laboratory Service (NHLS) was forced to shut down its IT systems after a hacking group called BlackSuit broke into its servers and stole 1.2 terabytes of data.

The data included third-party, customer, client, and patient information.

In addition, the shutdown affected the NHLS’ emails, website, and system for retrieving and storing patients’ lab test results.

NHLS CEO Koleka Mlisana said that, besides stealing data, the group had erased large portions of data, including backups.

Fortunately, she noted that there was no evidence that patient data had been erased.

Work is being done locally to bring cybercriminals to justice.

This is according to Orange Cyberdefense South Africa MD Dominic White, who said several breakthroughs were happening behind the scenes through collaboration between law enforcement and cybersecurity professionals.

White has argued that cybersecurity professionals should help put criminals in jail.

Besides bringing justice for victims, there is evidence to suggest that cyberattacks are reduced overall after a major law enforcement operation.

In one case, a bust of a dozen or so cybercriminals in South Africa led to a significant drop in domestic phishing attacks, preventing thousands of victims from being scammed.

Another major success story in this regard was Operation Jackal, an international crackdown on members of the notorious Black Axe gang in 2022 coordinated by Interpol.

According to Interpol, Black Axe and associated groups are responsible for the majority of the world’s cyber-enabled financial fraud.

While only two suspects were arrested in South Africa, they were high-level figures in the organisation who were wanted for online scams that extracted $1.8 million (R32.7 million) from victims.

Globally, there were 75 arrests, 49 property searches, and millions intercepted in bank accounts.
