Flames of cyberattacks in SA hottest in Africa
• A hit on the International Trade Administration Commission of SA this week is the latest in a litany
News of a cyberattack on the International Trade Administration Commission of SA (Itac) hit the digital papers earlier this week. Itac issued a statement to staff and partners on Monday, confirming a breach and ransomware incident in January.
The attack reportedly caused employees to be locked out of systems temporarily, and now the personally identifiable information submitted to Itac by stakeholders inside and outside the organisation may be compromised. The organisation said it had reported the breach to the Information Regulator.
Itac joins a growing number of government and government-adjacent entities to fall victim to cybercriminals in recent months, not to mention prior incidents such as the multiple justice department breaches in the past.
As previously covered in this column, the custodian of SA business registrations and patents, the Companies & Intellectual Property Commission (CIPC), was hacked in late February.
And despite its assurances that everything had been handled, I’ve seen evidence that certain vulnerabilities and inroads remain unaddressed at the time of writing.
And let’s not forget the Electoral Commission of SA (IEC), the security compromises of which led to the early release of election candidate lists, and the Government Employees Pension Fund (GEPF), which got nailed by ransomware attackers in February.
GEPF administrator the Government Pensions Administration Agency (GPAA) initially claimed that despite the attack, data had not been compromised. This was in fact not true, which the GPAA was forced to concede in mid-March after the infamous LockBit group released almost 700GB of exfiltrated data on the dark web when the GPAA failed to cough up the required blackmail money.
MyBroadband reported on Tuesday that two months later some of the GPAA’s systems remain offline. By this week, civil servants (as clients of GEPF) still reported difficulties accessing the website and the app, according to the tech site.
WELCOME CONTRACTION
Indeed, the imaginary support group for victims is oceans-vast and growing, both private and public. Data from African cybersecurity firm Liquid C2 shows cybercrime up 62% since 2022. Complicating the picture somewhat, cybersecurity company Kaspersky reported in February that overall cyberthreat incidents in SA actually declined almost 30% in 2023 compared with the year before.
Its various metrics showed a welcome contraction of malware attacks in the region but, it cautioned in a press release, phishing attacks in SA rose 29% and mobile cyberthreats increased 104%. One wonders though, what 2025’s reports will show after the latest string of breach disclosures.
Kaspersky is not alone in showing SA in flames: Interpol’s 2022 Africa Cyber Threat Assessment report found that SA had the most cybersecurity threats on the continent in 2022, about 230-million in total, with a high incidence of targeted ransomware.
Experts warn that Africa is a particular area of interest for cybercriminals. The rapid digital uptake seen here and in our region means we have more “target surfaces” and potential victims coming online daily amid low digital sophistication.
That is not to imply only the naive fall for these scams. The point is that the tech and tactics used to gain unauthorised access to systems are evolving quickly and getting cheaper, and that our sheer number of interactions with connected tech makes it harder to be sufficiently vigilant. Every email, every link, poses a risk and must be scrutinised, especially when you work in an organisation known to hold huge pools of personal information.
We also have rampant underinvestment in technology in the public sector, despite the reams of tenders floating around for equipment and providers. Ageing IT infrastructure is a significant weak point in any organisation’s cybersecurity defences, and the government tends to be chock-full of it. It also tends to be chock-full of people — that other weakness so ripe for exploiting.
BUDGET ITEM
Yes, yes, I know people are a feature of all companies, but the public service is SA’s biggest employer. Ergo, any exploit built on social engineering, for example, is statistically more likely to affect the public service. That’s the next layer on top of underinvestment in systems, not to mention the imbalance of skills as our best talent is poached into private workplaces. It’s a hunger-buster hamburger of delicious vulnerability.
Rich private companies may seem ideal targets in comparison to our public service, but just as wealthy individuals have armoured their private homes against the threat of physical ingress, cybersecurity has become a major budget item for corporates.
In contrast, imagine an undertrained, undervalued pencil-pusher at a dusty counter of some dead-end municipal service centre, equipped with outdated tech. That is a person ripe for exploiting — through bribery or extortion. With apologies for citing another Kaspersky study, its 2023 Human Factor report reads that 26% of all cyber incidents over the last 24 months were caused by employees’ deliberate information security policy violations, and 11% of SA breaches by “deliberate malicious behaviour by employees”, writes ITWeb.
When you add in these nontechie risk factors, I believe we’re just seeing the tip of the iceberg — especially for public service and government data sources. Perhaps then our only option — barring a huge upgrade of tech and tech-savvy employees — is to shift focus from cybersecurity to cyberresilience. That entails taking a position that acknowledges the near inevitability of cyber breaches and asks instead how quickly we can identify, mitigate and recover from such things.