Security 3.02.2025

South Africa under attack

At least ten South African government departments or their related entities suffered substantial cyberattacks in the past five years, sometimes due to a lack of properly secured systems and insider involvement.

In the most recent incident, a ransomware attack took down the South African Weather Service’s (SAWS’s) IT systems, including its website, emails, and aviation and marine services.

SAWS plays a vital role in monitoring weather patterns and events, which are critical to many industries and South African society at large.

Since the attack, it has been forced to publish weather forecasts and warnings via its social media channels.

The attack was the work of the Russia-linked group RansomHub, which is known for infiltrating vulnerable systems and networks, stealing data, and encrypting files, leaving organisations locked out of their infrastructure.

A European Repository of Cyber Incidents (EuRepoC) study found that South Africa was the second most targeted country in Africa regarding cyberattacks against political actors.

Its analysis detected 21 such incidents in South Africa since 2000, with Egypt being the only country on the continent that suffered more attacks.

While there have been far more than 21 major cyberattacks in South Africa in the past two decades, EuRepoC only counts incidents that fit certain criteria.

Firstly, it must violate the CIA triad of information security, meaning the system’s Confidentiality, Integrity, or Availability must have been compromised.

In addition, the incident must have been publicly reported, have a political dimension, or be against critical infrastructure.

Minister in the Presidency Khumbudzo Ntshavheni has acknowledged that South Africa is seeing an increase in cybercrime and cyberattacks, with ransomware being the most prevalent threat.

She said that the issue was affecting both government and private entities.

Ntshavheni maintained that the State Security Agency was aware of the constant threat of cyberattacks and was attempting to mitigate against them.

Orange Cyberdefense South African managing director Dominic White believes that progress has been made in bringing cybercrime syndicates to justice, thanks to collaboration between law enforcement and cybersecurity experts.

The table below provides a summary of the major cyberattacks suffered by South African government entities over the past few years.

| Victim | Date of incident | Nature of incident | Alleged perpetrator | Impact |
|---|---|---|---|---|
| Transnet (fell under the Department of Public Enterprise, now under Department of Transport) | July 2021 | Ransomware attack | Likely Russia or Eastern Europe-linked group | Broad system lockout, including websites and payroll; force majeure declared due to impact on ports clearance systems, causing near standstill in import and export processes |
| Department of Justice and Constitutional Development (DoJ & CD) | September 2021 | Ransomware attack | Unknown | DoJ’s e-mail system, bail services, child maintenance payments, online court paper filing, recording and transcription of court proceedings, Master’s Offices taken offline or disrupted; switchover to manual systems impacting deceased estates, curatorships, orphan affairs managed by the state; 1,200 files with personal details of department’s clients compromised |
| Department of Defence (DoD) | Starting in 2022 | Data breach with extortion threat | Snatch | 1.6TB data stolen, including military contracts, employee data, and information allegedly related to country’s security; data included personal information of President Cyril Ramaphosa |
| Department of Public Works and Infrastructure (DPWI) | May, July, and November 2024 | Insider-driven heist | Unknown | Estimated R55 million stolen through rogue payments |
| Companies and Intellectual Property Commission (CIPC) (falls under Department of Trade, Industry, and Competition) | Starting from 2021 | Data breach with extortion threat | Claimed to have no affiliation | Passwords and personal information of employees and clients exfiltrated; hacker access to company registrations |
| International Trade Administration Commission of South Africa (ITAC) (falls under Department of Trade, Industry, and Competition) | January 2024 | Ransomware attack | Unknown | Personal information of employees, service providers, importers, exporters, and “other stakeholders” potentially stolen |
| Government Pensions Administration Agency (GPAA) (falls under Government Employee Pension Fund) | February 2024 | Data breach with extortion threat | LockBit | 668GB data stolen, including personal information of all government employees |
| National Health Laboratory Service (NHLS) (falls under Department of Health) | June 2024 | Data breach with extortion threat | BlackSuit | 1.2TB data stolen, including client and patient information; IT system shutdown affecting emails, website, and lab test result retrieval and storage |
| South African Social Security Agency (Sassa) (falls under Department of Social Security) | Unknown | Identity theft and digital fraud | N4aughtySec and others | Claimed at least R185 million stolen through fraudulent grant payments |
| South African Weather Service (SAWS) (falls under Department of Environmental Affairs) | January 2025 | Ransomware attack | RansomHub | IT system offline, impacting website, emails, and aviation and marine services; weather information critical to aviation and marine services provided through alternative channels; general weather advisories provided over social media |