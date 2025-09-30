Chinese state-sponsored cyber-espionage group RedNovember has likely breached the State Security Agency (SSA) of South Africa, a report from intelligence company Recorded Future indicates.

Recorded Future reported that security researchers at its Insikt Group have seen evidence of at least one South African organisation falling victim to RedNovember.

At the same time, it said Insikt Group identified a state security organisation in Africa as a likely new victim of the Chinese threat actor.

Since South Africa was the only African country identified as a likely victim of a RedNovember attack, it stands to reason that the state security organisation in question is the SSA.

MyBroadband contacted the spokesperson for minister Khumbudzo Ntshavheni for confirmation. Ntshavheni is the minister in the Presidency responsible for state security. She had not responded by the time of publication.

According to Insikt, RedNovember leverages open-source tools and exploits Internet-facing devices to target government, intergovernmental, and private sector organisations globally.

It also noted that the state-sponsored cyber-espionage group was previously tracked as TAG-100 and overlapped with a group called Storm-2077.

“In July 2024, Insikt Group publicly reported on TAG-100, a threat activity group conducting suspected cyber-espionage activity,” the researchers stated.

TAG-100 used the open-source, multi-platform Go backdoor Pantegana. At the time, Insikt did not attribute this activity to a particular country.

“However, after reviewing all available evidence, we assess that TAG-100 is highly likely a Chinese state-sponsored threat activity group,” said Insikt.

“Accordingly, Insikt Group now tracks this group under the designation RedNovember.”

Between June 2024 and July 2025, RedNovember targeted the perimeter appliances of high-profile organisations globally, using the Pantegana backdoor and the Cobalt Strike post-exploitation framework during its intrusions.

“The group has expanded its targeting remit across government and private sector organisations, including defence and aerospace organisations, space organisations, and law firms,” the researchers said.

“Insikt Group identified new likely victims, which include a ministry of foreign affairs in central Asia, a state security organisation in Africa, a European government directorate, and a Southeast Asian government.”

RedNovember also targeted at least two United States (US) defence contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia.

“We observed RedNovember reconnoitring and likely compromising edge devices for initial access,” Insikt said.

Devices targeted included SonicWall, Cisco Adaptive Security Appliance, F5 BIG-IP, Palo Alto Networks GlobalProtect, Sophos SSL VPN, and Fortinet FortiGate instances.

RedNovember also targeted Outlook Web Access instances and Ivanti Connect Secure VPN appliances.
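The appliance classes listed above are all Internet-facing by design, so the first practical check a defender can make is whether any of them are exposed from the organisation's own external address space. The script below is an added example, not code from the article or from Recorded Future: it takes constructed (host, path, banner) observations of the kind an external scan produces and fingerprints each one against the product families named in the report. The login paths and banner strings used as fingerprints are assumptions drawn from common defaults for those products and should be confirmed against your own appliances.

```python
"""Flag externally exposed edge appliances of the product families named above.

Added example, not code from the article or from Recorded Future. The login
paths and banner strings below are assumed fingerprints for each product
family; confirm them against your own appliances before relying on them.
Input is a constructed list of (host, path, banner) observations such as an
external scan would produce.
"""
import re
from dataclasses import dataclass

# Assumed fingerprints: (product family, regex matched against "PATH BANNER").
FINGERPRINTS = [
    ("Ivanti Connect Secure", re.compile(r"/dana-na/", re.I)),
    ("Palo Alto GlobalProtect", re.compile(r"/global-protect/|GlobalProtect", re.I)),
    ("Fortinet FortiGate SSL VPN", re.compile(r"/remote/login|FortiGate", re.I)),
    ("F5 BIG-IP", re.compile(r"/tmui/|BIGipServer", re.I)),
    ("Cisco ASA", re.compile(r"/\+CSCOE\+/|Cisco ASA", re.I)),
    ("Sophos SSL VPN", re.compile(r"/userportal/|Sophos", re.I)),
    ("SonicWall", re.compile(r"SonicWall|/auth\.html", re.I)),
    ("Outlook Web Access", re.compile(r"/owa/|Outlook Web", re.I)),
]


@dataclass(frozen=True)
class Observation:
    """One externally observed HTTP endpoint: host, request path, server banner."""
    host: str
    path: str
    banner: str


def classify(obs):
    """Return the product family an observation fingerprints as, or None."""
    haystack = f"{obs.path} {obs.banner}"
    for family, pattern in FINGERPRINTS:
        if pattern.search(haystack):
            return family
    return None


def exposed_edge_devices(observations):
    """Map each fingerprinted host to its product family, skipping unknown services."""
    result = {}
    for obs in observations:
        family = classify(obs)
        if family is not None:
            result[obs.host] = family
    return result


# Constructed sample input; hostnames and banners are illustrative only.
SAMPLE = [
    Observation("vpn.example.test", "/dana-na/auth/url_default/welcome.cgi", "Server: Ivanti Connect Secure"),
    Observation("gp.example.test", "/global-protect/login.esp", "Server: PanWeb Server/ -"),
    Observation("fw.example.test", "/remote/login", "Server: xxxxxxxx-xxxxx"),
    Observation("lb.example.test", "/tmui/login.jsp", "Set-Cookie: BIGipServerpool_web=rd1"),
    Observation("asa.example.test", "/+CSCOE+/logon.html", "Server: Cisco ASA"),
    Observation("mail.example.test", "/owa/auth/logon.aspx", "Server: Microsoft-IIS/10.0"),
    Observation("www.example.test", "/", "Server: nginx"),
]

if __name__ == "__main__":
    # Prints six flagged hosts; the plain nginx site is left out.
    for host, family in sorted(exposed_edge_devices(SAMPLE).items()):
        print(f"{host}: {family} (review patch level and exposure)")
```

Each flagged host is a candidate for the same review: is the management or VPN portal meant to be reachable from the Internet at all, is the firmware at a version without a publicly known proof-of-concept exploit, and are its authentication logs being collected somewhere the device itself cannot tamper with them.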

“RedNovember’s activity exemplifies the ability to combine weaponised proof-of-concept exploits with open-source post-exploitation frameworks such as Pantegana, lowering the entry barrier for less-capable threat actors,” said Insikt.

“It also allows higher-tier groups to refrain from using customised tools during operations in which they are less concerned with being detected or in which heightened attribution obfuscation is desirable.”

Past unconfirmed attack on SSA

This is not the first time there have been unconfirmed reports of a compromise at the State Security Agency.

In October 2023, the Information Regulator said it was investigating a potential breach at the SSA following a Sunday World article published earlier that month.

The article blind-quoted an anonymous “operative” who said they suspected American or Russian intelligence of that attack.

The source reportedly said they also couldn’t rule out “internal forces” as South Africa’s political situation was “very volatile” at the time.

In addition to the alleged SSA hack, a group called Snatch claimed responsibility for a breach of the Department of Defence around the same time.

Following reports about the breach in August 2023, the Department of Defence issued a statement calling it “fake news”. However, it soon retracted that statement pending further investigation of the matter.

It later again denied its network was hacked, saying the incident was the work of “criminal syndicates within the cyberspace” aided by information leaked from the department.