Hackers coming after Eskom and Transnet

Law firm Webber Wentzel has warned that South Africa is not immune to conflict-related cyber risks, with major state-owned enterprises such as Eskom and Transnet vulnerable to cyberattacks.

This is true for the country’s financial services sector, ports, energy infrastructure, and telecommunications networks, which are all potential targets or collateral victims of state-sponsored cyber activity.

Webber Wentzel partners Sandra Sithole and Raynold Tlhavani explained that the ongoing conflict between the US/Israel and Iran comes with far-reaching consequences.

This is because, according to Sithole and Tlhavani, modern-day conflicts are characterised by their interconnectedness.

“For example, a missile strike in the Red Sea affects freight rates in Durban, sanctions on Russia affect the reinsurance of South African cargo, Iranian drone attacks on United States’ naval assets trigger cyber countermeasures that cascade into civilian infrastructure,” they said. 

Therefore, the ongoing Middle East conflict could lead to consequences that extend far beyond the usual concerns, like limiting trade.

One threat Sithole and Tlhavani highlighted was cyber risk and insurance, explaining that geopolitical conflict has fundamentally altered the cyber risk landscape.

“State and state-sponsored actors and proxies have developed and deployed sophisticated cyber capabilities that are used as instruments of warfare, espionage, and economic coercion,” they said. 

“The interconnectedness of global digital infrastructure means that cyber weapons deployed in one conflict can cause collateral or deliberate damage to commercial and civilian targets far from the theatre of war.”

They warned that South Africa, despite not being directly involved in the war, is not insulated from conflict-related cyber risk.

“The country’s financial services sector, ports, energy infrastructure (particularly Eskom and Transnet), and telecommunications networks are all potential targets or collateral victims of state-sponsored cyber activity,” they warned. 

This risk is not merely based on predictions, with Sithole and Tlhavani pointing to a ransomware attack on Transnet in 2021 as proof of South Africa’s vulnerability.

Transnet ransomware attack

Sithole and Tlhavani said Transnet became a victim of a significant ransomware attack in July 2021, which paralysed port operations for several days. 

This attack came a week after the July 2021 unrest, which amplified its impact and extended its associated delays.

According to UN Trade and Development (UNCTAD), the cyberattack forced Transnet to declare force majeure, with port workers obliged to manually track ship movements and use a paper-based clearance process for cargo at ports. 

“Processing time for imports increased significantly at the Port of Durban, which accounts for 60% of Southern Africa’s containerised trade,” UNCTAD said.

At the time, the Institute for Security Studies called the attack’s impact “unprecedented” in South African history.

Bloomberg reported that cybersecurity experts linked the attack to a series of high-profile data breaches likely carried out by crime gangs from Eastern Europe and Russia.

The hackers reportedly left a ransom note on Transnet’s computers, claiming they encrypted the company’s files, including a terabyte of personal data, financial reports and other documents. 

The note instructed the logistics utility to visit a dark web chat portal to enter negotiations.

Sithole and Tlhavani said that while this attack on Transnet was attributed to criminal actors, “it demonstrated the vulnerability of critical logistics infrastructure”.

They explained that, since 2022, the Russia-Ukraine conflict has been accompanied by an unprecedented level of cyber activity, with these developments likely to be seen in the Middle East conflict as well.

“The Iran-Israel-US confrontation has similarly been accompanied by significant cyber dimensions,” they said.

These include reported Iranian attacks on Israeli water infrastructure, US and Israeli cyber operations against Iranian nuclear programme systems, and Iranian-affiliated groups targeting US financial institutions.

Sithole and Tlhavani pointed to multiple vulnerabilities that make South Africa a potential target for consequences stemming from the Middle East conflict.

These include South Africa’s trade-dependent economy, its integration into global reinsurance markets, its exposure to commodity and energy price volatility, and its vulnerability to conflict-related cyber activity.

These factors, they said, all ensure that the consequences of geopolitical conflict are felt locally through premium rates, reinsurance capacity, claims experience, and policyholder financial stress.
