SAWS systems restored amid increasing cyber attacks

The SAWS Information and Communication Technology (ICT) systems went down on January 26 following a security breach by criminals. Photo: Supplied


Published 9h ago


DESPITE the adoption of the Cybercrimes Act in 2023, South Africa still has significant gaps in its capabilities as cyber attacks on institutions, including government entities, start to become a frequent occurrence, with the South African Weather Service (SAWS) the latest target.

The SAWS Information and Communication Technology (ICT) systems went down on January 26 following a security breach by criminals.

Aspects of critical services including aviation and marine were all interrupted. The SAWS email system and website, which is the hub of critical weather information, were also affected.

The attack was the second in the space of two days after an initial attempt had failed.

SAWS’ chief executive Ishaam Abader said they were still working to recover their systems.

“We are still in the early stages of recovery. It took other organisations that fell victim to this kind of crime anything from weeks to months or more to recover fully. We hope to be back on our feet sooner,” Abader said.

Last year, the National Health Laboratory Service (NHLS) had to rebuild and restore some of its critical information technology infrastructure and systems affected by a cyber attack. The Companies and Intellectual Property Commission (CIPC) was also hacked.

In 2023, the Western Cape Provincial Parliament (WCPP) suffered a data breach.

SAWS spokesperson, Oupa Segalwe said an investigation by their cyber security service provider found that the RansomHub group was responsible for the data breach.

“It appears they gained entry into the SAWS’ network through a phishing email. RansomHub’s modus operandi involves the encryption of a victim’s systems. During encryption, the victim loses all access to their systems. The group then proceeds to demand a ransom in exchange for decryption, failing which the group would publish the victim’s confidential information on the dark web. Thus far, no specific amount has been demanded as a ransom. To the SAWS’ knowledge, none of its information has yet been published on the dark web.

“SAWS’ Internet services were initially restricted to contain the spread of the ransomware; the firewall was systematically locked down to minimise external connections to untrusted or high-risk destinations; the firewall was also patched; the latest and more modern antivirus – with extended detection and response – was installed on all devices; patch fixes to operational servers were applied; zero-trust permissions on the internet breakout were applied; and the network was segregated where new servers were being built,” he explained.

According to Segalwe, ICT experts working on the restoration of the compromised ICT systems on Friday got the SAWS aviation website back online for the first time since the attack.

“This has enabled the aviation industry to access limited, but critical services, including products such as the international significant weather charts, wind charts, domestic and international flight documentation, research products and RADAR images via the website.”

Segalwe said a criminal case was under investigation.

Police did not respond to requests for comment by deadline.

Maher Yamout, Lead Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT), said the SAWS data was listed on the RansomHub criminal leak site recently.

“The Ransomhub criminal leak site… listed the weather entity of South Africa recently, thus confirming that RansomHub is responsible for this attack. Ransomhub is the new prominent Ransomware-as-a-Service (RaaS) group in 2024 (and seems to continue so in 2025) after Lockbit3 and Blackcat were disrupted by international law enforcement agencies in early 2024.”

Yamout said there are several factors that contribute to the increase in ransomware attacks globally.

“The fact that RaaS is a lucrative market for cybercriminals... increases the appetite for more ransomware-related cyber attacks, despite the disruptions made to several prominent RaaS groups in early 2024. Another important factor is the vulnerable exposure of the companies and organisations in general. For example, we know from our deep research in the RaaS Tactics, Techniques, and Procedures (TTPs) that they focus on exploiting vulnerable internet-exposed services, social engineering, and buying access from other cybercriminals. Generally speaking, any enterprise falling into one or more of these risks may be found exploited by RaaS. The risk of being targeted is probably increased if the entity is high profile or more likely to pay based on the ransomed data.”

A lack of understanding of how to crack these cases and a lack of skills were among the reasons police were struggling to make breakthroughs with more arrests in relation to these crimes, said forensic crime expert Calvin Rafadi.

“The reason why there are fewer arrests is because our police don’t have enough skills to tackle this particular crime or a good understanding of how to tackle this crime. Government institutions also need to put measures in place to mitigate such crime or invest in technology to combat such crime.”

Royal Private Investigation and Surveillance firm lead investigator John Alexander added: “We are witnessing a surge in cyber attacks targeting critical state infrastructure and data breaches. We have yet to see meaningful arrests and prosecutions. If SAPS is serious about fighting cybercrime, urgent action is needed to build real investigative capacity. Cybercrime is not a passing trend; statistics show these incidents are increasing year after year. Cyber attacks are inherently complex, and despite the adoption of the Cybercrimes Act in 2023, South Africa still has significant gaps in its capabilities.”

Cape Times