How Africa became the testing ground for cyber warfare
Africa has become a major battleground for state-affiliated cyber criminals, with firms in the region frequently targeted by sophisticated attacks before they reach Europe and the US.
Cyber criminals are using Africa as neutral territory in which to test their latest tactics and tools, according to a security expert based in the region, who claims the continent is a perfect nursery for nascent threat campaigns.
Cyber attacks have typically been used to target high-value organizations in developed nations, but testimony from security professionals in Africa suggests this dynamic is shifting dramatically.
Guy Golan, CEO and cofounder of South African-based security firm Performanta, told ITPro that Africa is becoming a hotbed for cyber crime, providing hackers with a wide variety of targets with varying levels of cyber resilience.
These organizations, Golan said, represent prime targets to test and refine their attacks.
Golan described how, after he founded Performanta in 2010, the security community, and the technology sector more generally, tended to overlook Africa as a region of interest because its markets were comparatively underdeveloped in relation to others.
“At that time Africa was basically not important to anyone, and still to a degree it’s not really important. Everybody was looking from a market perspective towards the US, Europe, Asia, but not Africa.”
But Golan said a few notable incidents led him to suspect there was more going on beneath the surface. He relayed how he began to notice that his South Africa-based SOC operatives would frequently report observing threat campaigns well before their counterparts around the world did, campaigns that would later go on to wreak havoc in the US.
For example, in 2017 when WannaCry began tearing through organizations globally, his Africa-based SOC caught the early signs of the attack 11 hours before it was picked up by other security analysts around the world.
Golan added that in the case of the NotPetya malware campaign, the Performanta SOC saw evidence of the attacks 22 days before they were actually launched in the Western Hemisphere.
Explaining how this might be possible, Golan speculated that popular threat intelligence tools used today do not collect data on cyber attacks taking place in Africa because it is a smaller market for them, and collecting this level of information would take significant investment.
What makes Africa such a perfect attack incubator?
Data published by Check Point Research corroborates Golan’s claim that Africa is becoming an increasingly popular target for cyber criminals around the world.
Over the course of Q2 2024, the region experienced the highest volume of attacks, according to Check Point, with 2,960 weekly attacks per organization, marking a 37% increase from the same period in 2023.
Golan explained this result by describing Africa as a “cradle” for hackers, where they can develop and test new attack techniques.
He argued that the region offers something of a neutral territory for nation-state threat actors based in China, Russia, North Korea, and beyond, to test their latest methods on the latest Western technologies.
“If you look at the level of the banking or insurance companies in South Africa as an example, they are above the poverty line, they’ve got [large] budgets and they are very sophisticated in the way they defend,” he said.
“So from [state-affiliated hackers’] perspective they’re testing those tools on companies that are sophisticated, that have westernized technologies, westernized methods, and westernized affiliations.”
Not only can the threat actors refine their techniques, but it also allows nations to get a better understanding of the security posture of many Western organizations, using their defensive strategies to inform future attacks.
He offered the example of one client, a major African bank that is owned by the major Chinese bank ICBC.
“This is the most attacked bank in Africa, and not only that, it’s attacked mostly by China and its affiliates. The interesting thing is that the CISO visits China once a quarter and tells [the shareholders] what happened in an attack,” he reported.
“[The CISO] reports what happened back to the shareholders, so now they can make their tools of attack more sophisticated and pinpointed.”
Golan added that this reflects a stark change from the way cyber adversaries from nations such as China previously developed their methods, noting the switch from a scattergun approach to a more targeted manner of refining them.
“A decade ago China’s way of testing their methods was spray and pray, they went with a shotgun approach and scanned as many devices as possible, as many domains as possible, and seeing what comes back. Today the methods are way more innovative.”
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.