The Silent Epidemic of South African Cyber Breaches

South Africa faces rising cyberattacks, exposing flaws in security and response systems. Organisations must enhance protection, adopt proactive measures, and shift culture. CEOs must lead and invest in robust strategies to stay ahead of evolving cyber threats.

CAPE TOWN - 26 Jan 2025. Recent cybersecurity breaches in South African organisations, including a national research institution, a major retailer, a telecom operator and a university, have exposed serious vulnerabilities. These breaches, investigated by Telecoms Fraud Intelligence (TFI), exhibit prevalent shortcomings in endpoint security, incident response, and data protection practices.

A Persistent Problem
Cyber intrusions do not happen overnight. In every instance investigated by TFI, attackers gained initial access by taking advantage of compromised user credentials. These credentials had typically been stolen through phishing attacks or malware infections. Once inside, attackers moved laterally, installing malware on many devices. Due to the lack of centralised endpoint management, these intrusions went undetected for over a year in all four cases. During this period, sensitive information was exfiltrated and systems were silently compromised.

TFI's investigation discovered a recurring theme. Stolen credentials were first traded on the dark web, which led to further exploitation by other threat actors. In two instances, the breaches had progressed to ransomware. The other two instances, while avoiding ransomware, suffered enormous data leaks that leave them extremely susceptible to future targeting. Not all breaches are aimed at immediate financial gain. Some target long-term, clandestine access in order to steal proprietary or confidential data, hinting at possible industrial espionage.

In 2 of the 4 cases investigated, where TFI provided forensic reports based on authoritative dark web breach logs, the organisations denied that any breaches had occurred.

Advanced Cyber Tactics
Aside from legacy attacks, TFI investigated sophisticated methods such as SS7 exploitation and Salt Typhoon, with the assistance of international cyber security organisations. SS7 exploitation allows attackers to eavesdrop on SMS messages and voice calls without infecting the end-user device. This practice is particularly dangerous because it bypasses all forms of authentication and is effectively invisible to the user. Salt Typhoon involves traffic interception at the telecom level, which gives attackers access to privileged communications without employing malware. These activities indicate escalating sophistication in cyber threats and the need for correspondingly stronger protections for telecommunications networks. In the majority of cases, SS7 exploitation, like Salt Typhoon, is deployed by state actors.

Poorly managed endpoints were the common denominator in all four cases. Organisations must prioritise the implementation of advanced Endpoint Detection and Response (EDR) systems and regularly update all software and operating systems.

Apart from endpoint security, the underlying data infrastructure must be protected using high-grade encryption protocols, secure access controls, and real-time anomaly monitoring. Risks associated with SS7 exploitation can be minimised by moving to secure communication platforms such as WhatsApp or Telegram. Additionally, proactive threat detection mechanisms such as Security Information and Event Management (SIEM) tools must be employed in order to identify and respond to potential threats in real time.

Human error remains a significant vulnerability.

Comprehensive employee training initiatives are necessary, equipping employees to recognise phishing attempts, avoid downloading malware, and follow best practices for safeguarding sensitive information.

The Need for a Cultural Shift
The incidents which TFI analysed reveal a concerning deficit in organisational readiness to counter cyber threats. South African organisations need to prioritise cybersecurity at every level, as a strategic necessity and not an afterthought. This requires not only technological investment but also the cultivation of a culture of vigilance in which every employee understands their role in protecting the organisation.

The cybersecurity challenges facing South African organisations are undoubtedly daunting, yet not insurmountable. If endpoint vulnerabilities are patched, underlying infrastructure is hardened, and threat detection and user awareness are improved, organisations will be in a position to repel even the most sophisticated attacks.

Cybersecurity cannot be an issue exclusively left to security teams or IT units anymore; it needs the active involvement of CEOs and the top leadership.

As the ultimate custodians of an organisation's reputation and assets, CEOs must make cybersecurity a strategic priority through their own engagement in understanding the risks and the measures. This not only involves providing oversight but also freeing up sufficient budgetary resources to allow cybersecurity departments to stay ahead of constantly evolving techniques employed by malicious entities. Without executive-level commitment and budget, even highly skilled teams will not be able to fend off sophisticated threats.