Security | 4.07.2025

Dark clouds over SA Weather Service after phishing leads to ransomware attack

Initial reports indicate that a phishing email led to the devastating ransomware attack that brought the South African Weather Service (SAWS) to a standstill in January 2025, the agency’s CEO, Ishaam Abader, has said.

Abader was giving a report on the agency’s performance to the Parliamentary Portfolio Committee on Forestry, Fisheries, and the Environment, together with SAWS chairperson Sandika Daya.

Daya told the committee that the cyber attack was a baptism of fire, particularly for the new members of the SAWS board.

However, she assured the committee that important lessons had been drawn from the experience and that, together with SAWS management, the board had already made good progress toward ensuring the agency does not find itself in the same predicament again.

Daya explained that the cyber attack derailed SAWS’s operations, leading to a “disappointing regression” in fourth-quarter performance.

The SA Weather Service’s performance plummeted from achieving 90.91% of its targets in Q3 to a low of 36.36% in Q4, which Daya said was the poorest performance SAWS had recorded in a very long time.

“Needless to say, the January 2025 cyberattack had everything to do with this uncharacteristically poor performance,” Daya said.

“When we, as the current board, took the baton from our predecessors, it would have been our desire to keep the momentum and either maintain or improve on the notable Q3 performance results, but sadly this was not meant to be.”

SAWS told MyBroadband in January that a group called RansomHub was behind the attack on its IT systems.

Like many ransomware gangs, Russia-linked RansomHub infiltrates vulnerable systems and networks, exfiltrates any data it can find and then encrypts the files, often taking down an organisation’s entire IT infrastructure.

This allows them to use a double-extortion method to coerce victims into paying them after an attack — firstly, to regain access to their systems, and secondly, to not leak or sell their stolen data online.

SAWS said at the time that RansomHub had not demanded a specific amount for a file decryptor and protection against a further leak.

This was not unusual, as many ransomware gangs direct victims to dark web instant messaging applications to negotiate terms.

IT systems shut down as precaution


Questioned about the attack by the committee, Abader said they took immediate steps to guard against permanent data loss by shutting down all IT services.

However, they found that approximately 94% to 96% of the agency’s server environment had been encrypted.

Abader said software, configuration data, and related processes from the research server environment were lost. A lot of data was also corrupted.

He said SAWS was rebuilding its server environment and redeveloping lost scripts. The cyber attack also destroyed the SAWS message handling system, which had to be rebuilt.

Following the attack, there were gaps in historical climate data, specifically data going back to 2021. Other data was lost due to faulty instruments and power interruptions.

Abader told MPs that SAWS was using backup tapes and disks to retrieve historical data and restore its climate databases.

This is a slow and tedious process due to errors on some backup media, and he said they were working with a service provider to recatalogue and re-index them.

He said a large share of functionality, roughly 70%, had been brought back online from backups.

Following the cyber attack, SAWS is recruiting a security specialist as a Chief Information Security Officer after the previous one left, and a service provider is offering interim security advice.

Any new servers brought up are equipped with necessary protections, including firewalls, multi-factor authentication, and endpoint security.

Data is being backed up in multiple places and on various media, and SAWS is also exploring alternative backup methods, like hard copies and cloud backups.

Additionally, SAWS is undertaking a complete audit with the Auditor-General and will bring in an external company via internal audit to determine the exact vulnerabilities and confirm the cause of the attack.
