South Africa under attack

At least ten South African government departments or their related entities suffered substantial cyberattacks in the past five years, sometimes due to a lack of properly secured systems and insider involvement.
In the most recent incident, a ransomware attack took down the South African Weather Service’s (SAWS’s) IT systems, including its website, emails, and aviation and marine services.
SAWS plays a vital role in monitoring weather patterns and events, which are critical to many industries and South African society at large.
Since the attack, it has been forced to publish weather forecasts and warnings via its social media channels.
The attack was the work of the Russia-linked group RansomHub, which is known for infiltrating vulnerable systems and networks, stealing data, and encrypting files, leaving organisations locked out of their infrastructure.
A European Repository of Cyber Incidents (EuRepoC) study found that South Africa was the second most targeted country in Africa regarding cyberattacks against political actors.
Its analysis detected 21 such incidents in South Africa since 2000, with Egypt being the only country on the continent that suffered more attacks.
While there have been far more than 21 major cyberattacks in South Africa in the past two decades, EuRepoC only counts incidents that fit certain criteria.
Firstly, it must violate the CIA triad of information security, meaning the system’s Confidentiality, Integrity, or Availability must have been compromised.
In addition, the incident must have been publicly reported, have a political dimension, or be against critical infrastructure.
Minister in the Presidency Khumbudzo Ntshavheni has acknowledged that South Africa is seeing an increase in cybercrime and cyberattacks, with ransomware being the most prevalent threat.
She said that the issue was affecting both government and private entities.
Ntshavheni maintained that the State Security Agency was aware of the constant threat of cyberattacks and was attempting to mitigate against them.
Orange Cyberdefense South African managing director Dominic White believes that progress has been made in bringing cybercrime syndicates to justice, thanks to collaboration between law enforcement and cybersecurity experts.
The table below provides a summary of the major cyberattacks suffered by South African government entities over the past few years.

Victim | Date of incident | Nature of incident | Alleged perpetrator | Impact |
---|---|---|---|---|
Transnet Fell under the Department of Public Enterprise, now under Department of Transport | July 2021 | Ransomware attack | Likely Russia or Eastern Europe-linked group | – Broad system lockout, including websites and payroll – Force majeure declared due to impact on ports clearance systems, causing near standstill in import and export processes |
Department of Justice and Constitutional Development (DoJ & CD) | September 2021 | Ransomware attack | Unknown | – DoJ’s e-mail system, bail services, child maintenance payments, online court paper filing, recording and transcription of court proceedings, Master’s Offices taken offline or disrupted – Switchover to manual systems impacting deceased estates, curatorships, orphan affairs managed by the state – 1,200 files with personal details of department’s clients compromised |
Department of Defence (DoD) | Starting in 2022 | Data breach with extortion threat | Snatch | – 1.6TB data stolen, including military contracts, employee data, and information allegedly related to country’s security – Data included personal information of President Cyril Ramaphosa |
Department of Public Works and Infrastructure (DPWI) | May, July, and November 2024 | Insider-driven heist | Unknown | – Estimated R55 million stolen through rogue payments |
Companies and Intellectual Property Commission (CIPC) Falls under Department of Trade, Industry, and Competition | Starting from 2021 | Data breach with extortion threat | Claimed to have no affiliation | – Passwords and personal information of employees and clients exfiltrated – Hacker access to company registrations |
International Trade Administration Commission of South Africa (ITAC) Falls under Department of Trade, Industry, and Competition | January 2024 | Ransomware attack | Unknown | – Personal information of employees, service providers, importers, exporters, and “other stakeholders” potentially stolen |
Government Pensions Administration Agency (GPAA) Falls under Government Employee Pension Fund | February 2024 | Data breach with extortion threat | LockBit | – 668GB data stolen, including personal information of all government employees |
National Health Laboratory Service (NHLS) Falls under Department of Health | June 2024 | Data breach with extortion threat | BlackSuit | – 1.2TB data stolen, including client and patient information – IT system shutdown affecting emails, website, and lab test result retrieval and storage |
South African Social Security Agency (Sassa) Falls under Department of Social Security | Unknown | Identity theft and digital fraud | N4aughtySec and others | – Claimed at least R185 million stolen through fraudulent grant payments |
South African Weather Service (SAWS) Falls under Department of Environmental Affairs | January 2025 | Ransomware attack | RansomHub | – IT system offline, impacting website, emails, and aviation and marine services – Weather information critical to aviation and marine services provided through alternative channels – General weather advisories provided over social media |