Google’s latest threat intelligence advisory details that state-aligned actors from China, Russia and Iran are escalating operations and targeting defence entities globally.
Experts note South Africa is vulnerable to external attacks, as it doesn’t have enough budget or the technology to defend critical infrastructure.
Industry commentators note there are systemic weaknesses in how SA protects critical infrastructure – from the national grid, to ports and water supply. The South African National Defence Force (SANDF) has primary responsibility for protecting systems related to the national grid, ports and water supply.
This comes as Google flagged eight Russia-linked actors deploying malware, phishing and credential-harvesting tactics in coordinated attacks. China-linked cyber criminals are exploiting zero-day vulnerabilities in edge devices to target defence industrial infrastructure.
Meanwhile, Iranian threat actors are using spoofed job portals and fake employment offers to gain footholds in defence-related environments.
These campaigns, Google says, don’t just attack core defence systems and infrastructure, but are also targeting subcontractors and small suppliers with weaker cyber defences, using them as softer entry points to larger programmes.
The internet search giant also notes that state-sponsored actors and hacktivist groups are showing increasing interest in autonomous vehicles and drones as these platforms play a larger role in modern warfare.
Not immune
Just because SA hasn’t been singled out by these particular actors doesn’t mean it’s not under threat, says Christopher Steyn, channel manager of key accounts at Sophos.
“That said, South Africa does experience a high volume of cyber incidents – including serious breaches affecting government departments, state-owned entities and critical infrastructure – which shows the risk is very real,” he adds.
South African organisations faced an average of 2 145 cyber attacks per week, a 36% increase year-on-year in January alone, according to Check Point Research.
“In general, ageing systems, limited cyber skills and uneven security practices mean organisations in strategic sectors could be vulnerable to sophisticated espionage actors, even if they aren’t being singled out,” says Steyn.
Towards the end of last year, DefenceWeb reported that defence and military veterans minister Angie Motshekga assured Parliament that the SANDF employs robust cyber measures as part of its warfighting arsenal.
According to Motshekga, in a written reply to a question from the IFF, cyber capabilities are inherent within SANDF warfighting and are addressed in both the South African Military Strategy and Joint Force Employment Strategy. She attributed the “robust cyber measures” to escalating attacks on military command and control systems globally.
However, Motshekga acknowledged a critical constraint: funding remains a challenge. She noted that equipping Cyber Command with advanced technology is a priority in order to have a globally competitive and resilient cyber defence capability that will defend South African cyberspace and carry out cyber warfare.
Follow the money
The Department of Defence receives R57 billion for the 2025/26 financial year. Command and Control is allocated R281.7 million – just 0.49% of the defence budget. Command and Control is the unit within the SANDF responsible for Cyber Control, which is tasked with securing military communications, information systems and electronic systems.
According to the Institute of Race Relations (IRR), the limited information released to Parliament reinforces a troubling impression: that Cyber Command remains small, under-resourced and peripheral to the force’s main warfighting units.
Writing for the IRR, Ricardo Teixeira says the SANDF has limited technology – running on the 1970s COBOL system – and doesn’t have enough funding. He raises the concern that SA’s strategic environment makes underinvestment increasingly perilous. “The country is exposed to the full spectrum of cyber threats, from ransomware gangs to state-backed espionage.”
Teixeira also notes that “critical national infrastructure such as the electricity grid, ports and water supply is especially vulnerable to disruption during conflict or political crises, as has been demonstrated by previous cyber attacks”.
Mark Walker, director at T4i, points to the lack of funding and skills as the core issues. Severe cutbacks to defence spending overall have forced consultative cyber security programmes to be scaled back significantly.
“Simultaneously, defence threats have both widened and deepened significantly across the entire cyber landscape, from physical frequency spectrum attacks, to targeted drone warfare and IP-based intelligence,” says Walker.
An illustration of a cyber attack emerged from SANDF operations in the Democratic Republic of Congo. Reports from the now-terminated Southern African Development Community Mission in the DRC indicate SANDF troops encountered GPS and mobile signal jamming in the Goma area both before and after combat operations.
Adrian Schofield, veteran ICT commentator, observes that state resources generally lag far behind in terms of readiness to respond to hostile activity. While there are encouraging signs in some departments – the South African Revenue Services and Department of Home Affairs show progress – “too many other entities at all levels are still exposed to an unacceptable level of risk in preventing cyber attacks”.
Christopher Thornhill, CEO of Phangela Group, extends the concern beyond government. The private sector is equally unprepared, though the public sector moves slower given that legislation must pass through multiple government levels. “Government… that is a slow monster.”
Steyn warns that ageing systems, limited cyber skills and uneven security practices mean organisations in strategic sectors could be vulnerable to sophisticated espionage actors, even if they aren’t being singled out.