A look at the evolving threat landscape

The past year has seen rapid growth in the demand for internet access across Africa. As in the rest of the world, the pandemic extended its grip into all corners of the continent, and more people than ever were forced to work remotely.  This resulted in more people than ever connecting to the internet — 43% of the total African population of 1.37 billion, according to the InternetWorldStats website.

Unfortunately, weak networks and a lack of robust cybersecurity policies and enforcement, coupled with explosive demand for access and services, present a ripe target for cybercriminals. The cost implications are dramatic. Kenyan cybersecurity company Serianu estimated that the cost to African GDP (gross domestic product) was in the region of US$4.1 billion in 2021.

The African Union Mechanism for Police Cooperation (AFRIPOL) studied the African cybercrime landscape and pinpointed the five areas of greatest concern on the continent:

• Ransomware: Cybercriminals shut down critical computer systems of businesses, hospitals and public institutions, then demand payment, usually in the form of cryptocurrencies, to restore functionality;
• Botnets: Attacks in which networks of compromised machines are used to automate large-scale cyberattacks.
• Online scams via phishing: Fake emails or text messages from apparently legitimate sources which are used to trick individuals into revealing compromising information;
• Digital extortion: Victims are tricked into sharing sexually compromising images which can then be exploited for the purposes of blackmail;
• Business email compromise: Sophisticated cybercriminals gain access to email systems to steal information about corporate payment structures, then find ways to trick employees into transferring money into the hackers’ bank accounts;

“We are witnessing an upsurge in activities related to Cybercrime, especially in this COVID-19 pandemic period,” writes Tarek Sharif, executive director of AFRIPOL, in the agency’s recent African Cyberthreat Assessment report.

“The loss of jobs related to this pandemic and the low economic growth recorded has opened up opportunities for criminal organizations. Hence the special attention that the African Union Commission is paying to the fight against all forms of organized crime: money laundering, transnational crime and cybercrime,” Sharif said.

Despite some rays of light emerging, the bad news still seems to outweigh the good. In 2021, “South Africa had 230 million threat detections in total, while Kenya had 72 million and Morocco 71 million,” according to AFRIPOL.

New security alliances are forming

Nevertheless, most governments and regulatory bodies on the continent have woken up to security threats and are treating cybersecurity with the seriousness that it deserves. The GDPR rules from the EU, and South Africa’s very own POPI legislation, have led to a wave of stricter regulation across the continent.

It’s not only at a legislative level where there has been movement. Key organizations and businesses across all sectors of the industry have been collaborating to find common ground and share insights and strategies to fight the threat of cybercrime. One such organization in South Africa is the recently formed Cybersecurity Digital Alliance, a cross-industry network of prominent players in the cybersecurity field.

It seems clear that reports of data breaches and hacks will continue to emerge, but there are also very strong indications that African data security and cyber-responses to crime are growing in sophistication and are increasingly able to respond in ways that minimize the threat and allow companies and individuals to conduct more and more of their online business securely.

Here below are some of the key data breaches and security stories that have occurred in the largest sub-Saharan African economies in the last two years.

Transnet suffers a ‘Death Kitty’ ransomware attack

In July 2021, when global supply chains were buckling under the weight of the pandemic and transport costs were soaring, South Africa’s Transnet, the state-owned rail and ports operator, suffered a ransomware attack that took all its operations offline and forced a shutdown of critical imports and exports from the country. According to news service Bloomberg, ‘The hackers left a ransom note on Transnet SOC Ltd.’s computers, seen by Bloomberg News, claiming they encrypted the company’s files, including a terabyte of personal data, financial reports and other documents. The note instructed the firm to visit a chat portal on the dark web to enter negotiations.”

The nature of the breach led experts to believe that it had originated in either Eastern Europe or Russia, but thanks to the resilience of its data backup and recovery systems, Transnet managed to become operational again after two weeks without having to pay any ransom.

Experian suffers massive breach

The Experian data breach in August 2020 was one of the largest to occur in Africa. Data on 24 million people was exposed. To put that in context, it is estimated that there are 40 million South Africans over the age of 18, and that 11 million of those South Africans are unbanked. That leaves 29 billion bank accounts in total, which means data on more than 80 percent of all bank account holders in the country were exposed. That’s staggering.

Experian is one of the world’s largest credit data firms, a company that promises its clients that it can “unlock the potential of data and offer solutions to optimise your customer relationships.”

The company, and all of its major clients, responded quickly and early indications are that the threat has been contained. The banks noted in emails to their clients that the information stolen included ID numbers, physical addresses and contact details. On its website, Experian explains that “an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian. The services involved the release of information which is provided in the ordinary course of business or which is publicly available. We can confirm that no consumer credit or consumer financial information was obtained. Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes.”

The company went on to say that “the individual’s hardware being impounded and the misappropriated data being secured and deleted.”

While it seems that the damage has been contained and the suspect identified, wary consumers are being asked to change their passwords and tighten up all their online security.

SA’s Postbank replaces 12 million bank cards

Postbank, South Africa’s Post Office Bank, was forced to replace some 12 million bank cards at a cost of $58 million after insiders compromised the personal data of millions of account holders by copying a master key. The data was compromised in a 2018 breach, but the story of the breach and card replacement programme did not become public until June 2020, when South Africa’s Sunday Times broke the story.

In the months after the breach, the bank detected about 25,000 fraudulent transactions in their system. Between 8 million and 10 million cardholders were affected and, besides stealing a total of $3.2 million from their accounts, the hackers could have also exfiltrated the personal information of an additional 1 million customers.

Life Healthcare announces cyberattack

In June 2020, the healthcare enterprise announced that its southern African operation had been the victim of a “targeted attack” on its IT systems. The group took systems offline in order to contain the attack. The group’s hospitals and administrative offices switched over to backup manual processing systems and continued to function, though with some administrative delays, they said.  The security incident affected admissions systems, business processing systems and email servers, which were taken offline as a precautionary measure to contain the attack, conduct investigations and remediation. The group did not report that customer data was stolen.

Nedbank hacked via social engineering

During a routine monitoring operation in February 2020, one of South Africa’s largest banks, Nedbank, discovered a security breach that affected 1.7 million of its customers. The breach was executed through a third party service provider called Computer Services Ltd, whose job it is to issue text message and Whatsapp marketing messages on behalf of the bank. The breach targeted private data of customers, including sensitive information such as:

• Name
• ID number
• Physical and email address
• Telephone numbers

In a television interview with CNBC Africa, bank CEO Mike Brown explained that “while the bank data itself was not compromised, the data could be used for social engineering. So someone could phone you and pretend to be the bank, asking for your PIN and password.”

Biggest cybertargets: Nigeria and South Africa

In a large global study entitled The State of Cloud Security 2020, the research firm Sophos made some interesting discoveries about Africa. While the value of hacks in Africa is dwarfed by the rest of the world, there are particular areas of concern in Africa and the Middle East.  “Cryptojacking [in the region] is at its highest among all regions (22%),” the report states, “as criminals spin up hundreds of virtual servers to run illegal cryptomining and escape before being discovered.”

Furthermore, South Africa (alongside Japan) is the country with the highest number of stolen cloud provider account credentials. Fifty-nine percent of South African breaches were through stolen credentials, and 39 percent through misconfiguration.

With Nigeria and South Africa being the most target-rich environments, some interesting statistics emerge.

• 86 percent of Nigerian organizations surveyed have been hit by a public cloud security incident
• In South Africa, 60 percent of organizations have experienced the same
• Misconfiguration (64 percent) in Nigeria is more likely responsible for an incident than stolen credentials (36 percent)
• South African organizations have a stronger awareness of their cloud assets. 79 percent of those surveyed are aware, as opposed to only 54 percent in Nigeria. 

Shadow Kill Hackers hit Johannesburg

In October 2019, Johannesburg woke up to the news that the city’s municipal website and billing services had been hacked by a group calling themselves Shadow Kill Hackers. The group was demanding a ransom of four bitcoins, approximately $30,000 at the time, in order to stop the group releasing all of the data they had procured onto the internet. 

A ransom note was posted to several employees of the city, which simply read “All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.” The group then posted screenshots on Twitter to prove they had hacked into the city’s Active Directory server.

The sense of dread was heightened by news that several prominent South African banks went offline at the same time, but the group put out a statement saying that the bank hack had nothing to do with them. As a precaution the city took all of its services offline while it implemented security procedures. 

Though the hack was termed as ransomware by some media outlets, technically it was not — the hacker group apparently accessed data and then used it to ask for ransom, but did not use software that encrypted data (the usual definition of ransomware). After the data breach, the city acknowledged its impact, but said it would not pay the ransom.

“The City of Johannesburg can confirm that the recent cyberattack on our ICT systems have had a significant impact on our ability to deliver services to our residents,” City Councillor Funzela Ngobeni said in a statement. “I can confirm that the City will not concede to their demands and we are confident that we will be able to restore systems to full functionality.”

In the days following the attack, city services slowly came back online, though city officials did not detail what procedures they implemented to get systems up and running again safely. Though the ransom demanded was small, relative to a big city budget, the breach showed how data breachers can bring important public services in a major city to a halt.

Operation reWired nets Nigerian scammers

In Africa’s most populous country, Nigeria, most cyberattacks go unreported and there seems to be a worrying lack of commitment from the government to take cybersecurity seriously. There have been numerous hacks of government-owned websites over the past decade, yet apparently not a lot has been done to tighten security. From the National Assembly website, to the Small and Medium Enterprises Commission, and even the Nigerian Court of Appeal — each of those critical sites has been hacked in the last few years without an effective response from the government.

Most of the cybercrime emanating from Nigeria seems to occur in the form of 419 scams and other confidence tricks but surely it is only a matter of time before larger, more sophisticated hacking becomes commonplace.

One piece of good news was the announcement in September 2019 from the U.S. Department of Justice that it had been working with the Nigerian authorities on Operation reWired to crack down on a number of business email compromise schemes, which had led to losses of over $1.3 billion in 2018. In a typical scenario, according to the FBI, two men in the U.K. and Nigeria sent emails to an executive at a company in Connecticut, in the U.S. The emails appeared to be from the company’s CEO, who was located overseas. “The purported CEO was requesting a wire transfer of funds,” the FBI said in a press release. “The email looked legitimate, so the company’s controller sent multiple wire transfers totaling more than $500,000. But as it turns out, the CEO’s email account had been spoofed—and the money went straight into accounts managed by the criminals.”

Individuals from all over the world have been arrested in the operation, including from Ghana and Kenya. The sweep resulted in the seizure of nearly $3.7 million and the disruption and recovery of approximately $118 million in fraudulent wire transfers, according to the U.S. DOJ.