Cybersecurity: South African companies are ripe for hackers

First published in the Daily Maverick 168 weekly newspaper.

State-owned port and rail operator Transnet will feel the impact of the cyberattack it suffered for some time to come. Although movement in and out of SA’s ports, which had been at a near-standstill for most of the week, had eased by 29 July, there was still little known about the source of the hack and what the final economic toll would be on the country’s already fragile economic recovery.

By then, experts were warning that other state-owned companies should be on the lookout for similar incursions. Exporters and importers in the meantime were left counting the cost of unmoved goods, as the delays at the ports stranded thousands of cargo containers.

“There has been a breakthrough following the IT security breach,” the Public Enterprises Ministry announced triumphantly late on Wednesday. “Transnet has managed to fully restore operations at the ports, which enables the country’s supply chain and logistics system to resume normal operations,” the ministry said, adding that a preliminary assessment had found that no data had been compromised.

Still, little detail was given about what led to the hack, which caused Transnet’s ports arm, TPT, to declare a week-long force majeure late on 26 July, invoking the costly contractual clause that would effectively absolve it of any liability for not being able to provide promised services to its clients because of an “act of God”.

Shipping and trucking companies, freight forwarders, fruit growers targeting the lucrative overseas market and miners banking on the surge in global commodity prices to reverse a decade-long slump were anxious for the details. They want to pass on the information to customers and give legs to assurances that future deliveries would not suffer the same fate as they did on 22 July.

Transnet’s rail operations were disrupted by the unrest and violence that engulfed KwaZulu-Natal and Gauteng two weeks ago, forcing it to temporarily close its Natcor North-South line, which is a vital conduit for fresh produce and minerals.

The closing of ports, especially the Durban port, which is responsible for more than two-thirds of containers shipped into and out of the country, added to the pain.

The chief executive of the Fresh Produce Exporters’ Forum, Anton Kruger, said the delay at ports would compound the revenue losses for fruit sellers.

“The cyberattack has a huge impact on the export of fresh produce. The port terminals are not operational and thus no stock could be loaded. It’s peak citrus export season. We have already lost about 12 days, given the KZN unrest coupled with the cyberattack,” Kruger said.

Gavin Kelly, CEO of the Road Freight Association, said cargo ferried by trucks was also feeling the pinch.

“This is creating massive delays and creating unreliability of the movement of goods across all modes of transport,” Kelly said. Costing about R5,000 a day, trucks stuck at the port gates would begin to consider giving up and returning goods to the sender as the cost mounted, Kelly said.

“The gates to ports are closed, which means no trucks are moving in either direction. The manual processes being used are also creating problems in terms of operations. Road freight operators already have a huge backlog resulting from last week’s civil unrest.”

Between January and May, South Africa recorded R734-billion’s worth of exports, led by sales of vegetables, fruits and mining minerals, on its way to a record trade surplus and healthier-than-expected tax receipts, boosting economic growth and taking enough pressure off the Treasury for it to reinstate relief for the unemployed and businesses hit by the recent unrest.

A large chunk of that windfall was threatened by the cyberattack on Transnet. Shipping experts are already warning that the episode may see exporters and importers bypass South African ports in favour of alternatives such as Maputo in Mozambique, Walvis Bay in Namibia or Dar es Salaam in Tanzania.

“It will take a great deal to recover, not only in terms of repair and replacement, but in terms of investor confidence,” said Dave Watts of the South African Association of Freight Forwarders.

South Africa is no stranger to cyberattacks and ransomware stings, and the hit on Transnet showed some of the hallmarks of hacks elsewhere in the world that are led by mainly eastern European syndicates targeting state entities and large companies for quick cash.

“Cyberattacks, and ransomware in particular, have become serious in recent months, impacting transport and critical infrastructure providers and public and private sector organisations in every other sector,” said Brett Callow, a threat analyst at global cybersecurity firm Emsisoft.  

“South African organisations are obviously not immune and could be targeted either by state-sponsored groups, or for-profit criminal enterprises. In either case, the attacks can paralyse targeted organisations and, as the Colonial Pipeline incident demonstrated, result in massive disruption.”

In its press statements, Transnet has referred darkly to an “IT disruption”, but has given little information about how it happened and how much damage has been done.

A maritime researcher at the Institute for Security Studies SA, Denys Reva, told DM168 that the attack on Transnet was likely on its Navis system.

“In the Transnet instance, it seems the attack has disrupted the Navis container operating system, which helps optimise the releasing and accepting of containers,” said Reva.

“If they [Transnet] say no data was compromised, that leaves the question of exactly what happened. If you’ve been able to restore everything from backups, it wouldn’t take almost a week to do it.”

Nonetheless, the intrusion saw Transnet’s website rendered non-functional, email communications dead, payroll systems at risk, and, most importantly, it was unable to operate the software that tracks the thousands of containers that make landfall at ports daily.

The latter has now been almost entirely restored, but it is unknown whether it remains vulnerable, or if the attack was an inside job.

The cargo onboarding system would typically operate on a closed network, making it harder to penetrate from the outside.   

Cybersecurity experts have been loath to speculate about what may have happened, but some believe that the attack bears the hallmarks of a global trend in which hackers target large utilities and government agencies, piggy-backing on social unrest such as the looting and vandalism that spread throughout the country following the arrest of former president Jacob Zuma.

In May, hackers hit top US fuel pipeline operator Colonial Pipeline, shutting down its entire network in one of the worst cyber incidents yet. And South Africa is no stranger to ransomware raids on state and commercial infrastructure.

In 2019, hackers attacked the Johannesburg City Council, disrupting power supply to dozens of residents and demanding ransom in Bitcoin to restore the system, in the same year that top commercial banks were hit by a “distributed denial of service” attack. In 2020, a justice department fund of money held by the courts in trust on behalf of minors, unborn heirs and missing or absent persons, was also targeted.

“The natural progression of these attacks would be to start attacking those systems in utilities in mining companies and in manufacturing companies. So there is a risk to human life, because when manufacturing processes are disrupted or interrupted, for example something like the Koeberg [nuclear power plant], it can be really dangerous,” the African cybersecurity team at global consultancy Deloitte told DM168. DM168

This story first appeared in our weekly Daily Maverick 168 newspaper which is available for R25 at Pick n Pay, Exclusive Books and airport bookstores. For your nearest stockist, please click here.