
Africa becoming hot target for threat actors

By Christopher Tredger, Portals editor
Johannesburg, 30 Mar 2023
Carlo Bolzonello, country lead for Trellix in South Africa.

The beginning of 2023 has seen a noticeable increase in the number of threat campaigns unleashed by threat actor groups in South Africa, with government being the most targeted sector, followed by education and banking.

This is according to global cybersecurity company and extended detection and response (XDR) specialist Trellix.

The company provided a brief overview of South Africa’s cyber threat landscape and confirmed increased activity from threat actor groups including Common Raven and FIN7.

Trellix highlighted the exploits of Common Raven because it is primarily focused on the financial sector, has raked in US$11-million over a period of four years and is now escalating operations in the Southern Africa region.

FIN7 is a new threat actor entrant into the South African market. The threat actor is known to cyber security experts and is traditionally associated with financial data theft, as well as with selling that data.

These threat actors use spear phishing tactics and exploit common vulnerabilities such as ProxyLogon, among other methods, to infiltrate systems.

Trellix also underlined the threat actor group UNC4191 and its focus on the government and academic institutions over the past three months.

Bolzonello said the group had links to China and it stood out because of its main tactic based on weaponising the USB, which is somewhat unorthodox because the trend today is to access and control data via the cloud.

He added that this is a sophisticated group and it has put a premium on data, particularly that which speaks to China’s commercial and political ambitions abroad.

“They share malware through Active Directory and look to stage data, to exfiltrate critical data out of customer environments.”

Socio-political motives

Bolzonello said some attacks in Africa are socio-politically motivated and while the continent is grappling with a lack of cyber security skills, it is by no means the only continent with this problem.

He acknowledged that to a certain extent Africa is perceived to be an attractive target, but pointed out that different threat actor groups have different motivations.

“Africa does rely on legacy systems in operations and for threat actors the continent is almost like a training ground. There are other aspects too – for example, South African organisations are generally considered more willing to pay ransomware attackers.”

Trellix emphasised the need for business and IT leaders to know who their adversaries are, who these threat actor groups are, what they do and how they do it, as well as to ensure their security infrastructure is up to scratch.

“Threat actor groups are evolving and we have to do the same to be able to fend off and mitigate attacks,” said Bolzonello.
