Transnet ransomware attack

Port of Durban affected in the cyberattack
Date: 22 July 2021
Time: SAST
Location: South Africa
Target: Shipping infrastructure

On 22 July 2021, Transnet became a victim of a ransomware attack. [1] [2] [3] The attack caused Transnet to declare force majeure at several key container terminals, including Port of Durban, Ngqura, Port Elizabeth and Cape Town. [4] [5] [6] It was the first time that the "operational integrity of the country's critical maritime infrastructure has suffered a severe disruption", leading the Institute for Security Studies (ISS) to call its impact "unprecedented" in South African history. [7]

The ISS speculated that Transnet was withholding details about the attack because it was an issue of national security and because the attack might create legal liabilities for the company. [7] Bloomberg News stated that the attackers encrypted files on Transnet's computer systems, preventing the company from accessing its own information, and left instructions on how to start ransom negotiations. [8] The Bloomberg article quotes a source from the cybersecurity firm CrowdStrike Holdings Inc., which states that the ransomware used in the attack was linked to "strains known variously as 'Death Kitty,' 'Hello Kitty' and 'Five Hands'" and likely originated from Russia or Eastern Europe. [8] The Department of Public Enterprises stated that none of Transnet's clients' data had been compromised in the attack. [9]

The timing of the attack, which followed closely after the 2021 South African unrest following former South African President Jacob Zuma's imprisonment, caused speculation that the two events might have been part of a coordinated effort to disrupt economic activity in the country. [7] [10] The authorities stated that the two events were likely unrelated. [7]

Background

The Durban port handles 60% of South African container traffic. [11] [12] [13]

Timeline

References

  1. Viljoen, John; Njini, Felix (27 July 2021). "Transnet declares force majeure at SA ports over cyberattack". Fin24. Retrieved 27 July 2021.
  2. Toyana, Mfuneko (26 July 2021). "BUSINESS MAVERICK: Transnet cyberattack puts employees' salaries at risk while backlogs at ports mount". Daily Maverick. Retrieved 27 July 2021.
  3. de Wet, Phillip (27 July 2021). "Ships are starting to bypass SA ports as Transnet tells customers and staff of 'sabotage'". News24. Retrieved 27 July 2021.
  4. Shead, Sam (27 July 2021). "South Africa port operations halted and workers reportedly put on leave after major cyberattack". CNBC. Retrieved 27 July 2021.
  5. Mokhoali, Veronica; Ntshidi, Edwin (24 July 2021). "Ntshavheni: Govt still believes cyberattack at Transnet unrelated to unrest". ewn.co.za. Retrieved 27 July 2021.
  6. "Transnet declares a force majeure". www.enca.com. Retrieved 27 July 2021.
  7. Reva, Denys (29 July 2021). "Cyber attacks expose the vulnerability of South Africa's ports". ISS Africa. Retrieved 2 August 2021.
  8. Ryan, Gallagher; Burkhardt, Paul (29 July 2021). "'Death Kitty' Ransomware Linked to South African Port Attack". Bloomberg News. Retrieved 2 August 2021.
  9. Naidoo, Suren (29 July 2021). "Data 'has not been compromised' in Transnet cyber attack, says Gordhan's department". Moneyweb. Retrieved 2 August 2021.
  10. "Call to 'connect dots between insurrection modus operandi and crippling Transnet cyber attack'". www.iol.co.za. 28 July 2021. Retrieved 2 August 2021.
  11. Swart, Nadya (27 July 2021). "Flash Briefing: SA govt reaches pay deal with unions; Transnet cyber attack; Mango suspends flights". BizNews.com. Retrieved 27 July 2021.
  12. Ginindza, Banele (26 July 2021). "SA's 'Gateway to Africa' status at risk as Transnet tries to fix IT system woes". www.iol.co.za. Retrieved 27 July 2021.
  13. "BITRA – Update on Transnet IT disruptions - SENS". Moneyweb. 27 July 2021. Retrieved 27 July 2021.
  14. McLeod, Duncan (22 July 2021). "Transnet container operations hit by 'cyberattack'". TechCentral. Retrieved 27 July 2021.
  15. Naidoo, Suren (27 July 2021). "Transnet cyber attack confirmed: Port terminals division declares force majeure". Moneyweb. Retrieved 27 July 2021.
  16. Toyana, Mfuneko (27 July 2021). "Business Maverick: Transnet ports division declares force majeure on container terminals after cyber attack". Daily Maverick. Retrieved 27 July 2021.
  17. Njini, Felix; Naidoo, Prinesha (27 July 2021). "South Africa Port Operator Declares Force Majeure Over Cyber Attack". Bloomberg. Retrieved 27 July 2021.
  18. Diphoko, Wesley (27 July 2021). "Transnet website still down and chaos gets worse". www.iol.co.za. Retrieved 27 July 2021.