Cybersecurity threats in South Africa – why attackers keep targeting local businesses
By Adrian Ephraim
A Kaspersky researcher who tracks the world’s most patient attackers says local businesses are not being beaten by Hollywood style hacks, but by stolen passwords, trusted suppliers and a stubborn belief that security is something you buy.
“Our job is finding the needle in the haystack,” says Omar Amin, a senior security researcher in Kaspersky’s Global Research and Analysis Team, who sifts through millions of pieces of telemetry to pull out the attacks that matter, the quiet espionage campaigns, and the loud, expensive ransomware hits. He was in Cape Town and Johannesburg recently to share what that haystack is telling him about South Africa. His message is not a comforting one. The country is, and will remain, an attractive target.
A target by design
“If you run infrastructure, manage money, manage logistics or operate industrial systems, you are part of a target surface,” Amin says. South Africa also hosts a steady flow of foreign nationals whose data sits inside local government, energy, telecom and financial systems. The advanced persistent threat groups he tracks follow opportunity rather than borders. “They are not region locked,” he says. A shift in geopolitics or a single high profile event can swing their attention here within months.
That helps explain the run of public sector breaches, from the attacks on Stats SA and the Gauteng provincial government claimed by a group calling itself XP95, to a recent breach at a local dental provider. Amin is careful, because dark web data is hard to verify and criminals often chase clout. But the noise itself does damage. Once South African data is seen changing hands, more attackers come looking.
Loud ransomware, silent spies
Amin draws a sharp line between the two threats people tend to blur. “Ransomware wants the victim to know: we encrypted your systems,” he says. “The espionage groups want the opposite. Please don’t notice us, let us infiltrate in silence.” With ransomware, “the downtime is a weapon.” With espionage, “the silence is the weapon,” and time is everything. “Six months is bad. A year is a disaster. More than a year is catastrophic.” What unites them is rarely glamorous. Stolen credentials, phishing and exposed servers open most of the doors.
The weakest link
The threat that worries him most is the one a business cannot fully control. “What a company cannot prevent is the supply chain attack, because it all comes from the outside,” he says. Attackers break a trusted supplier first, often a managed IT provider with access to dozens of clients. “If they manage to impact one, now it’s game over.” Their real weapon is patience, researching every vendor a target relies on and working through them one by one.
Common sense over budget
His advice is unfashionably basic: multifactor authentication, phishing training, a full inventory of internet facing assets, prompt patching, and watching the dark web for leaked credentials. “Stolen credentials are behind most of the attacks, in Africa and all over the globe,” he says. For smaller firms without big budgets, he is reassuring. “It’s not about money at all. It’s about common sense,” he says. “Don’t expose your sensitive data to the internet. Don’t download cracked software, because that’s often where stolen credentials come from.”
AI scales the threat
On artificial intelligence he is measured. “It’s not magic. You can’t just tell AI to go compromise a government entity,” he says. What it does is scale the work. Attackers use it to write flawless phishing in local languages, run faster reconnaissance and generate malware. “They research videos of executives on YouTube, and in two minutes they can clone the entire voice,” he says. Yet he warns against writing these groups off as amateurs. “The human operator still matters. AI just makes the attacks faster.”
Spend on people, not just tools
This is his real message to South African boards. Security is not a shopping list of products. “If you have to invest in something, invest in your security teams,” he says. “Whatever stack you have, the people are what matter most in preventing these attacks.” In a country so attractive to attackers, that is the decision he wants boards to stop delaying.