As was highlighted at the Public-Private Partnerships (PPP) for Defence & Security conference on 07 March 2025, there is a large emphasis on boosting South Africa’s defensive capabilities going forward; however, one key area that — in our view — did not get the necessary attention was cyber.
Who are we? MWR CyberSec is a South African cyber security consultancy with research and bespoke consultancy at the core of what we do. Solving our clients’ unique cyber security challenges and ensuring they are more resilient to cyber-attacks is why we exist and continue to exist.
Some foundational concepts are useful for fully understanding cyber-attacks, so we will run through them quickly. The Lockheed Martin Cyber Kill Chain is a model for identifying and preventing cyber intrusion activity. The model identifies what adversaries must complete in order to achieve their objective and, at a high level, details the seven steps that Advanced Persistent Threat (APT) groups often follow during their attacks.
An APT group is a highly skilled and organised team of cyber attackers that conducts prolonged and targeted campaigns to infiltrate specific organisations or nations, aiming to achieve goals such as data theft, financial gain, disruption of operations, intelligence gathering and espionage, amongst others.
For APTs, so-called zero-day exploits are the holy grail, because they enable these attackers to infiltrate systems undetected, maintain prolonged access and extract valuable information without triggering security defences, bypassing protection mechanisms wholesale. A zero-day exploit targets a vulnerability that is unknown to the software’s developers and for which no fix is available, making it a prime target for cyber attackers to exploit before it is patched. As a side note, to quantify their value: depending on the software systems targeted, zero-day exploits can easily sell for $10 million on exploit development markets.
Cyber-attacks in pursuit of a nation state’s goals were for a long while the stuff of movies and fiction. However, in the recent past (the last decade) this has rapidly moved from an abstract idea into real-world actions and scenarios that play out in pursuit of a nation’s geopolitical goals. We have taken some time in our introductory article to unpack some of these below.
Around 2010, one of the most prominent examples of cyber warfare and weaponised code was in full effect, namely the Stuxnet worm. Stuxnet was a powerful computer worm, designed by U.S. and Israeli intelligence, that was used to derail a key part of the Iranian nuclear programme by destroying the centrifuges that Iran was using to enrich its uranium. When Stuxnet infected a computer, it would check whether it was connected to specific types of Programmable Logic Controllers (PLCs) manufactured by Siemens. PLCs are a fundamental element of many industrial control systems, in this case uranium centrifuges. If no PLCs were detected, the worm did nothing. However, if PLCs were detected, Stuxnet manipulated them so that the centrifuges were spun irregularly, damaging or destroying them. Stuxnet was successful and ultimately set the Iranian nuclear programme back by approximately 2 years.
The only reason Stuxnet was discovered was that it accidentally spread beyond the Iranian nuclear facility. One of the more notable aspects of Stuxnet is that PLCs are commonly air gapped (i.e. disconnected from external networks, especially the internet) as a hard defensive mechanism. Stuxnet was coded to spread via USB, and it reached the computers controlling the PLCs through this mechanism. The fundamental take-away from this attack is that, against an adversary that is dedicated and committed to the cause, even highly secured environments are hard to defend successfully 100% of the time, and intrusions into them are hard to detect.
In a similar manner, a relatively innocuous piece of technology can be used in unexpected ways. A simple question jumps to mind: is it possible to hack a Jeep Cherokee wirelessly from a number of kilometres away? The answer is yes. It was done by two researchers in 2015, who put a journalist behind the wheel and demonstrated their control over the vehicle from a distance. The journalist recounted the experience vividly: “I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold”. The researchers were able to take full control of the vehicle using only a laptop and an internet connection, toying with the likes of the air-conditioning, radio and windshield wipers. But it goes beyond this: the researchers were able to cut all power to the drivetrain, rendering the car useless on the highway with no means to move. They then took this a step further by cutting the Jeep’s brakes, leaving the journalist frantically pumping the pedal as the SUV slid uncontrollably into a ditch.
Furthermore, control of the vehicle enables surveillance too, providing the capability to track a targeted Jeep’s GPS coordinates, measure its speed and drop pins on a map to trace its route. If you want to see more, the full video of this endeavour was uploaded to WIRED’s blog. This is an interesting attack avenue as it explores hacking cars, which just about everyone uses in some shape or form on a daily basis and which are incorporating more and more of this sort of technology. Regardless, back to the more military-focused incidents.
A huge step-up in the cyber warfare arena has been playing out as part of the Russia-Ukraine conflict. The best example of this is the suspected Russian attack on the Viasat KA-SAT network, which shut down communications that Kyiv, Ukraine heavily relied upon. The Russian operation resulted in an immediate and significant loss of communication in the earliest days of the war for the Ukrainian military, which relied on Viasat’s services for command and control of the country’s armed forces. The interesting part is that this attack was launched 1 hour before Russia invaded Ukraine in February 2022. The attack was executed with a new strain of wiper malware called “AcidRain”, designed to remotely erase vulnerable modems and routers. In the cross-fire of this targeted attack, remote control of 5800 wind turbines belonging to Enercon in Central Europe was also affected. This scenario demonstrated a real example of how cyber-attacks can be targeted and timed to amplify military forces on the ground by disrupting and even destroying the technology used by enemy forces. The Danish defence minister stated that, “The cyber threat is constant and evolving. Cyber-attacks can do great damage to our critical infrastructure, with fatal consequences”, further highlighting the importance of cyber defence and incident response capabilities.
These capabilities do not end at the terrestrial. There are companies that are incredibly technically advanced in the solutions they provide; however, they are not immune to cyber breaches. Cyber security is often neglected until the inevitable happens and they are breached. Russia has attempted attacks against the Starlink systems in order to jam the internet service in Ukraine.
A Belgian cyber security researcher was able to breach Elon Musk’s Starlink satellite system using a simple Raspberry Pi device in conjunction with other electronic components costing the equivalent of 500 ZAR. This is a prime example of the fact that hacking does not always follow the “traditional” path of compromising an individual’s computer or an organisation’s server, but can instead begin by targeting embedded electronic systems in hardware-based attacks.
A notable APT group to mention is the “Volt Typhoon” group, which has been linked to the Chinese government and has been active since 2021. The existence of this particular APT group surfaced publicly in May 2023, when Microsoft reported that the group had targeted US critical infrastructure in espionage operations and had lain dormant within that infrastructure for as long as 5 years. Specifically, this APT group was targeting Operational Technology (OT) systems using zero-day exploits, to pre-position itself for future acts of sabotage. The group even demonstrated its capabilities by compromising Microsoft to see the level of detail the organisation had on them, while Microsoft was in the course of raising these events publicly.
In early 2024 the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory that raised concerns about the potential for these threat actors to use their network access for highly disruptive effects in the event of geopolitical tensions and/or military conflicts. It is critical to note that no impact from this attack was witnessed in any of the systems they were found to have compromised. This largely indicates a co-ordinated effort from a highly sophisticated state-sponsored actor, pre-positioning for maximum damage to enhance geopolitical outcomes. The investigation noted that activity related to this threat actor went back, in some cases, in excess of 10 years, once again highlighting why cyber defensive capabilities are so important. Can you imagine the fallout had this APT group been able to disrupt critical infrastructure, power stations, water supplies and government infrastructure within the United States?
MWR has long spoken of the need for organisations to assume that at some point they will be breached, and to prepare as such. The reality is that an organisation can only prepare for compromise by having a robust, encompassing and sound cyber security strategy and a capable suite of armaments to deal with this unfortunate scenario. The three pillars of people, process and technology need to be soundly practised, complementary in all they do, and able to work rapidly to contain, eradicate and recover from a cyber security compromise. Unfortunately, in our experience, the hardest phase for an attacker to complete is often the initial access phase. Once inside a target environment, an attacker far too often finds that the organisation has minimal controls and restrictions within its internal network. We therefore advise our clients to work backward: understand what you have that an attacker would want access to, and structure controls, defences and barriers from this point outward towards the external perimeter. Performing this exercise will give you a view you never had of your internal network and of how an attacker is likely to target you. This ultimately makes you more robust against their attacks.
From MWR’s experience, what we can say is that you do not want to end up in a position where you have to perform incident response activities to eradicate a threat actor. However, you do want to prepare as if you will end up there someday. It can prove to be a very challenging endeavour, potentially incurring financial and reputational damage as a result of such a breach. As an example, IBM’s 2024 Cost of a Data Breach report shows that data breaches in South Africa cost 53.10 million ZAR per incident, on average. The main driving factors of these costs are business disruption, post-breach customer support and remediation. In addition, non-compliance with regulations also contributes to this figure. It is substantially easier to be proactive when it comes to security than to be forced into reacting to such events.
Companies developing new technology face near-constant attempts to breach their security. Unfortunately, those companies without mature cyber security environments may never realise a breach has occurred, let alone respond in an appropriate manner, until it is too late. Real-world attackers essentially have “unlimited” time, and if they are advanced and persistent enough, they will find a way in. Would you be able to respond and eliminate the threat before substantial damage is caused, or would you rather take the proactive approach and diminish the chances of ever being in such a position?