
Ransomware Targeting Infrastructure Hits Telecom Namibia

A blue digital map of Africa
Source: Golden Dayz via Shutterstock

The telecommunications provider for the African nation of Namibia suffered a significant ransomware attack late last year, becoming a visible symbol of the merging of two trends in the region: increasing attacks on critical infrastructure and the growing threat of ransomware.

Last month, Telecom Namibia alerted customers that a successful attack by the ransomware-as-a-service (RaaS) group Hunters International led to users' information being leaked online. The company is working with law enforcement agencies and third-party incident responders to uncover additional details, CEO Stanley Shanapinda said in a Dec. 16 statement.

"Initially, it appeared that no sensitive information was compromised, but recent analyses confirmed that some customer data was compromised," he said. "The threat was contained about three weeks ago and further attacks on our systems and third parties were prevented, [but the exposed information] was leaked on the dark web ... after we refused to negotiate to pay any ransom that may have been demanded."

Namibia is not alone in becoming a target for cyberattackers focused on profiting from compromised infrastructure systems. In June, South Africa's National Health Laboratory Service (NHLS) suffered a ransomware attack that disrupted systems and deleted backups; the government-run network of healthcare testing laboratories took weeks to recover. In July, Hunters International exfiltrated more than 18GB of data from the Kenyan Urban Roads Authority (KURA). The same month, the Nigerian Computer Emergency Response Team (ngCERT) warned that the Phobos RaaS group had targeted critical cloud services serving the country's organizations, with at least one successful compromise.

Telecoms, Critical Infrastructure in the Crosshairs

Overall, ransomware accounted for a third of successful attacks in the region, including attacks on energy firm Eneo in Cameroon in January 2024 and industrial organizations in Egypt and South Africa throughout the year, according to data from Positive Technologies, a cybersecurity firm that operates in the region.

The telecommunications and manufacturing sectors were also heavily targeted, with each sector accounting for 10% of successful attacks, says Alexey Lukatsky, managing director and cybersecurity business consultant at Positive Technologies.

"These attacks are driven by factors such as rapid digital transformation, geopolitical tensions, and inadequate cybersecurity measures protecting critical infrastructure," he says. "The increasing volume of user data and expanding digital networks make sectors like telecommunications particularly attractive targets for cybercriminals seeking financial gain or engaging in cyber espionage."

The trend will continue in 2025, because the rapid digitization across multiple industries continues to outpace implementation of cybersecurity measures, Lukatsky says. The result: a growing attack surface area that remains vulnerable.

"Sectors such as energy, telecommunications, and manufacturing will continue to be prime targets for cybercriminals and APT groups, motivated by financial gain, data theft, or geopolitical objectives," he says.

The Age of RaaS

The rise of ransomware-as-a-service offerings has also accelerated attacks on critical infrastructure, says Avinash Singh, a computer science lecturer and head of the Intelligent Cyber Forensics Lab at the University of Pretoria in South Africa. RaaS has taken off in Africa, partly because some ransomware gangs appear to be using African organizations as testbeds for their latest attacks, according to an October 2024 report.

"The RaaS model allows attackers to focus on high-value targets, such as large corporations or critical infrastructure providers, where the potential ransom payout is significantly higher," Singh says. "Cyberattacks on critical infrastructure remain among the most lucrative for cybercriminals, as these systems provide essential public services, and their disruption can cause significant societal and economic damage."

In addition, ransomware groups are targeting not just African businesses and government agencies, but also those organizations' third-party suppliers, Singh says. Distributing malicious versions of popular software has become a common way to infect personal and business devices in the region. A March 2024 attack targeting members of a popular Discord community, for example, infected developers with information-stealing malware by compromising a developer's account and poisoning the repository.

Many of the threats affecting African developers are the same as those affecting the global cyber landscape, he says.

"Over the years, threat actors have demonstrated a broad array of tactics, techniques, and procedures, including hijacking GitHub accounts, malicious Python packages, setting up fake Python infrastructures, and employing sophisticated social engineering strategies," Singh adds.

African organizations need to work to improve the cyber awareness of their employees and customers and establish secure practices while pursuing digitization, he recommends. The risks posed by cyberattacks will likely only increase as geopolitical tensions rise in the region and worldwide, according to Singh.

"While Africa may not be a prime target compared to other continents," he says, "many geopolitical factors can influence cyber threat activities, particularly when state-sponsored actors are involved."

