South Africa’s websites are under attack
Cybersecurity group Trellix has warned that South Africa’s government websites are coming under attack.
The group’s latest data on cyber threats in the South African landscape for the second quarter of 2023 revealed that 26% of all threat activity it detected was directed at government systems.
Business service providers followed closely at 16%; wholesalers’ networks at 14%; and 12% on utilities’ systems. Most threat activity peaking on Mondays and Fridays, it said.
“Government organisations remain the primary targets for threat actors looking to infiltrate South African IT systems.
“Despite not experiencing a significant surge in detections since the first quarter, we have noticed a worrisome trend of specialised, well-equipped and highly skilled threat actors,” said Carlo Bolzonello, country lead at Trellix South Africa.
“What’s even more alarming is their interconnection with extensive networks and potential state support, indicating a coordinated and sophisticated approach to their malicious activities.”
Trellix’s data revealed that the Lazarus Group and Daggerfly Advanced Persistent Threats (APT) Group were among the most notable threat actors that have recently ramped up targeted efforts to infiltrate critical South African systems.
The Lazarus Group, historically associated with a North Korean state-sponsored APT syndicate, initially operated as a criminal group, with its earliest known attacks reported between 2009 and 2012.
It has since been linked to the North Korean government by the US Cybersecurity and Infrastructure Security Agency (CISA).
Lazarus deploys tools and capabilities used by broader HIDDEN COBRA operations (cyber activity by the Korean Government), which include:
- DDoS botnets: for denial-of-service attacks;
- keyloggers: to record what users’ input;
- Remote access tools (RATs): allowing anonymous unauthorised users access; and
- Wiper malware: to erase data from the system.
Lazarus is notorious for executing spear-phishing campaigns aimed at accessing and stealing account credentials and financial data, as well as employing “living off the land” techniques, using file-less malware and legitimate system tools.
On the other hand, the Daggerfly APT, suspected to have affiliations with China, has been exhibiting heightened activity in Africa, with a particular emphasis on targeting telecommunications organisations, Trellix said.
This threat actor’s primary objective is information gathering leveraging the following methods:
- PlugX loaders, which abuse any desktop remote software; and
- Living off the land tooling (like PowerShell, BITSAdmin and GetCredManCreds), which is heavily used for long-term campaigns that can go undetected for extended periods.
“What makes some of the tools used by threat actors so destructive is their trail obfuscation capabilities,” Bolzonello said. “They employ various techniques, such as hiding backdoors and manipulating time stamps, skilfully giving the impression that their malicious artifacts date back as far as ten years ago. This renders the analysis process exceedingly challenging for investigating teams.”
“What is even more concerning is that these adversaries are highly proficient in evasion tactics, leaving organisations believing they have eliminated the threats, when in reality, they may still lie concealed,” he said.
Growing problem
South Africa has become increasingly vulnerable to cyber attacks with many cybersecurity experts warning of growing cases of online threats.
Sophos’ State of Ransomware in South Africa 2023 report found that ransomware attacks are increasing in the country, where 78% of South African organisations were struck by a ransomware attack last year.
The government is also vulnerable to these, which was seen when the Department of Justice suffered such an attack in September 2021.
Ransomware attacks involve cybercriminals gaining access to systems and encrypting potentially valuable files, locking users out of their data.
System files are left intact so that users may access the system and see the “ransom note” left behind.
The ransom note may contain a demand for payment, in cryptocurrency, for a method to decrypt the files. It may also not mention a specific amount but direct users to a chat service on the dark web to negotiate a fee.
Attackers also often exfiltrate data from compromised systems and threaten to leak it online unless victims pay.
The Department of Justice attack raised concerns that people’s most sensitive information could be at risk, as the Master’s Office handles everything from child support payments to deceased estates.