The South African government has now become the main target for global threat actors, with less focus now being put onto the private sector. This is according to findings presented at the recent Q1 2023 Trellix Cyber Threat Intelligence Briefing: Update for South Africa, March 2023.
The data, measured and recorded by Trellix’s Advanced Research Center (ARC) team and Cyber Threat Management engineers, showed that global threat actors have not relented on their assault on South Africa systems, even in the early months of the year. Even more alarming, government has emerged as attracting more than a third of all attacks, with the education sector a distant second, followed by financial services, utilities, wholesale, media, consumer products, and the services sector.
The data accounts for all files, both malicious and innocuous measured on the firm’s extended detection and response (XDR) platform, which is integrated with multiple existing security systems to provide a holistic, yet simpler view of threats across the entire technology landscape.
“With the threat landscape constantly changing, and threat actors adapting their tactics daily, organisations both large and small must also adapt their cybersecurity strategies to keep in step with the increasingly automated, smart tools deployed by threat actors from inside and outside the country’s borders,” says Carlo Bolzonello, country manager for Trellix South Africa.
“What we do know is that although it may be growing at a very slow pace, the South African economy is quickly adopting more advanced technology across commerce, service delivery and communication. This transition might leave gaps of exposure for various groups to test weakness left open, as old systems make way for more modern ones,” he says.
The number of total files detected shrunk from over 1.9 million in January 2023, to under 1.8m in February and 1.6m in March.
In a seemingly positive trend, this was further down from the 2.6m detected in August 2022, 2.4 in September and 2.7 m October. All along, threat campaigns have been on the rise, from just over 5 000 files, to over 20 000 and back down to over 10 000 between August and October of last year.
Top attacks launched by threat actors during Q1 2023 included Mustang Panda, APT40, Backdoor Diplomacy, ATP10, Lazarus, Winnti Group, Naikon, Vice Society and FIN7.
Notable attacks observed were: UNC4191, a cyber espionage operation coming out of Southeast Asia, leveraging USB devices carried by users as the initial infection point, Advanced Persistent Threats (APT) – namely: APT27, APT39, APT28, APT41 – which are typically nation state-backed groups gaining unauthorised access to computer networks, remaining undetected for long periods while mining highly sensitive information; and Common Raven, which commonly targets the SWIFT payment infrastructure utilised by major financial institutions.
“With the rapidly advancing sophistication of threat actors and the ushering of near-unlimited resources from the highest levels of business and politics, South African private and public institutions will need to adopt an equally persistent attitude towards their online defences,” Bolzonello adds.