Cyberattacks Disrupt Johannesburg and South African Banks in Coordinated Extortion Campaign
In late October 2019, a series of cyberattacks targeted critical infrastructure in South Africa, crippling municipal services and financial institutions in a coordinated extortion effort. Hackers demanded Bitcoin ransoms, exploiting vulnerabilities in both public and private sector systems.
Ransomware Paralyzes Johannesburg’s Services
On October 24, 2019, the City of Johannesburg fell victim to a ransomware attack, encrypting key systems and disrupting essential services. The attackers, who demanded 4 Bitcoin (≈ R500,000 or $37,000 USD), claimed to have backdoors into the city’s network and threatened to leak stolen data if the ransom wasn’t paid. The attack was strategically timed to coincide with month-end processes, affecting bill payments, supplier transactions, and the 112 emergency call center South Africa’s equivalent of 911. While the city refused to pay, recovery efforts were underway to restore full functionality.
DDoS Attacks Target Major Banks
Simultaneously, Standard Bank and ABSA faced distributed denial-of-service (DDoS) attacks, flooding their networks with traffic to disrupt online services. Unlike ransomware, these attacks did not breach customer data but caused transaction delays and intermittent downtime, particularly on payday, impacting salary deposits. The South African Banking Risk Information Centre (SABRIC) confirmed that such attacks are typically extortion-driven, with hackers demanding Bitcoin to halt the assaults. Banks responded by bolstering defenses rather than paying the ransom.
Impact and Response
The attacks highlighted the growing threat of cyber extortion, demonstrating how hackers exploit timing and critical infrastructure for maximum disruption. While Johannesburg and the banks worked to mitigate the damage, the incidents underscored the vulnerability of both public and private entities to modern cyber threats. Investigations into the attacks’ origins and methods remain ongoing.
Source: https://www.thesslstore.com/blog/cyber-attacks-hit-the-city-of-johannesburg-and-south-african-banks/
City of Johannesburg cybersecurity rating report: https://www.rankiteo.com/company/city-of-johannesburg
Standard Bank South Africa cybersecurity rating report: https://www.rankiteo.com/company/standard-bank-south-africa
Absa Group cybersecurity rating report: https://www.rankiteo.com/company/absa
"id": "CITSTAABS1782779964",
"linkid": "city-of-johannesburg, standard-bank-south-africa, absa",
"type": "Ransomware",
"date": "4/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'residents and businesses '
'relying on municipal services',
'industry': 'public sector',
'location': 'Johannesburg, South Africa',
'name': 'City of Johannesburg',
'type': 'municipality'},
{'customers_affected': 'banking customers experiencing '
'transaction delays',
'industry': 'banking',
'location': 'South Africa',
'name': 'Standard Bank',
'type': 'financial institution'},
{'customers_affected': 'banking customers experiencing '
'transaction delays',
'industry': 'banking',
'location': 'South Africa',
'name': 'ABSA',
'type': 'financial institution'}],
'attack_vector': ['exploited vulnerabilities', 'network flooding'],
'data_breach': {'data_encryption': 'ransomware encryption (City of '
'Johannesburg)',
'data_exfiltration': 'threatened (City of Johannesburg)',
'type_of_data_compromised': 'threatened data leak (City of '
'Johannesburg)'},
'date_detected': '2019-10-24',
'date_publicly_disclosed': '2019-10-24',
'description': 'In late October 2019, a series of cyberattacks targeted '
'critical infrastructure in South Africa, crippling municipal '
'services and financial institutions in a coordinated '
'extortion effort. Hackers demanded Bitcoin ransoms, '
'exploiting vulnerabilities in both public and private sector '
'systems.',
'impact': {'brand_reputation_impact': 'undermined trust in public and private '
'sector cybersecurity',
'data_compromised': 'threatened data leak (City of Johannesburg)',
'operational_impact': 'disrupted municipal services and banking '
'transactions',
'systems_affected': ['bill payments',
'supplier transactions',
'112 emergency call center',
'online banking services']},
'initial_access_broker': {'backdoors_established': 'claimed by attackers '
'(City of Johannesburg)'},
'investigation_status': 'ongoing',
'lessons_learned': 'The attacks highlighted the growing threat of cyber '
'extortion and the vulnerability of public and private '
'entities to modern cyber threats.',
'motivation': 'extortion',
'post_incident_analysis': {'root_causes': 'exploited vulnerabilities in '
'public and private sector systems'},
'ransomware': {'data_encryption': 'true (City of Johannesburg)',
'data_exfiltration': 'threatened (City of Johannesburg)',
'ransom_demanded': '4 Bitcoin (≈ R500,000 or $37,000 USD)',
'ransom_paid': 'false'},
'response': {'containment_measures': 'bolstered defenses (banks), recovery '
'efforts (City of Johannesburg)',
'recovery_measures': 'restoring full functionality (City of '
'Johannesburg)'},
'title': 'Cyberattacks Disrupt Johannesburg and South African Banks in '
'Coordinated Extortion Campaign',
'type': ['ransomware', 'DDoS']}