Introduction
In recent years, cyberthreats have become one of the most serious challenges facing governments, organizations, and individuals globally, and African countries are no exception. The rapid development of digital technologies and the spread of Internet access in the region create new opportunities for users, but also for cybercriminals. Additionally, Africa's rich natural resources are driving industrial growth in the region, which is another motivation for cybercriminal interest. As the region's digital development is progressing faster than the implementation of cybersecurity laws and regulations, critical information infrastructure is at risk.
During the Q1 2023–Q3 2024 period, the region faced numerous cyberthreats, including cyberattacks on critical infrastructure, data breaches, and online fraud. In the context of increasing digitalization, it is essential to understand the current cyberthreats facing African countries and the protective measures needed to prevent future cyberattacks.
This study examines cyberattack statistics in the African region over the specified period, the main methods of cyberattack, their consequences, and possible solutions for strengthening digital security.
Summary
- Typically, organizations in the region are subject to cyberattacks using malware (43%) and vulnerability exploitation (18%), while individuals are usually targeted with malware (53%) and social engineering (33%).
- Government agencies and financial organizations are the primary targets among organizations, with 29% and 22% of all successful cyberattacks in the region being aimed at these sectors, respectively. Analysis of dark web platforms confirms that these organizations are of the greatest interest to attackers, with mentions in 19% and 13% of listings, respectively.
- According to data from open sources, a significant portion of cyberattacks in the region occurred in South Africa (22%) and Egypt (13%), while dark web listings frequently concerned the targets in South Africa (25%), Nigeria (18%), and Algeria (13%).
- The dark web is frequently used to sell access to networks of major African companies (74%), with financial organizations, government agencies, and industrial enterprises making up a substantial portion of targets. The average cost of access is approximately $2,970.
Digital status of the region
In recent years, the African region has shown significant progress in telecommunications and digital technologies. The most digitally developed countries in Africa are considered to be Nigeria, Egypt, South Africa, and Kenya, with Internet user numbers reaching 103 million, 82 million, 45 million, and 23 million, respectively, according to data from January 2024. Meanwhile, according to Equinix data, the proportion of Internet users in Africa in 2023 was about 43% of the total population, which is 13% higher than the previous year's figure.
Digital development in the region is also supported at the legislative level. In 2020, the Digital Transformation Strategy for Africa was developed, setting out a ten-year vision for the development of telecommunications networks, expanding Internet access across the region, implementing digital platforms and services, and ensuring information security. Additionally, in December 2022, during a summit of African leaders in the USA, the Digital Transformation with Africa (DTA) initiative was launched, aimed at expanding access to digital technologies, increasing literacy, and encouraging a favorable digital environment throughout the region. As a result, significant growth in the number of Internet users and the introduction of new digital solutions is expected.
One promising direction for digital development, visible in Africa as well, is the adoption of cryptocurrencies. Nigeria, Kenya, and South Africa were among the top 10 leaders in the Global Crypto Adoption Index in 2020, and by 2024, Nigeria ranked 2nd in this rating. Typically, cryptocurrency is used here to store savings, exchange currency, pay salaries, and transfer money abroad. In Nigeria, cryptocurrency is legally permitted, and crypto exchangers licensed by the Central Bank of Nigeria are operating in the country. It's noteworthy that in 2021, a ban on cryptocurrency transactions was introduced in Nigeria due to risks associated with money laundering and financing terrorism, but this ban was officially lifted in 2023. Other countries where cryptocurrency is legalized include the Central African Republic, Ghana, Senegal, and Tanzania.
E-services are also actively developing in the region. Countries such as Ethiopia, Kenya, and Senegal feature numerous platforms in the e-commerce sector. For example, Kenya has the M-Pesa service, which allows users to purchase goods and services, pay government fees and utility bills, and make other transfers. E-government websites and related portals operate in Ethiopia, Egypt, Senegal, Ghana, South Africa, Tanzania, and Burkina Faso.
Along with the development of the digital sector in the region, measures to protect modern technologies are being developed. For instance, Ethiopia has developed a digital transformation strategy called Digital Ethiopia 2025, which outlines the path for telecommunications development, the digitization of government services, and the introduction of innovative technologies such as artificial intelligence. The project also includes a section dedicated to ensuring cybersecurity, proposing the use of international experience to identify best practices for addressing information security challenges. Additionally, Egypt has released a cybersecurity strategy with a development plan until 2027, which includes strengthening legal measures, protecting critical infrastructure, and supporting cybersecurity research and development (including cloud service protection, cryptography, and malware analysis). However, it is important to note that technological advancements enable attackers to use new and more sophisticated methods for cyberattacks, often outpacing the developed protective measures.
Thus, the increase in new users, the transition of government and other organizations to digital technologies, and the vulnerabilities of existing protective mechanisms in the face of continually evolving cyberattack methods lead to a rise in successful cyberattacks on the African continent. According to Check Point, the number of cyberattacks on enterprises in Africa increased by 20% in the first quarter of 2024 compared to the same period last year. For example, in the first half of 2024, there were 4,623 attempted cyberattacks targeting government and private organizations in Ethiopia, which represents a 115% increase compared to the same period in 2023.
The main targets and goals of attackers
During the period under review, the share of cyberattacks on organizations constituted 89% of all successfully executed cyberattacks, while cyberattacks on individuals accounted for 11%. Government agencies and financial organizations are the primary targets of cybercriminals in the region, accounting for 29% and 22% of all successful cyberattacks on organizations, respectively.
Figure 1. Categories of victim organizations
Government
Year after year, government organizations remain one of the most attractive targets for cybercriminals. According to our data, the share of successful cyberattacks on this sector worldwide was 15% in 2023. Cyberattacks on government agencies in the region are often perpetrated by APT groups (46%). These groups primarily focus on long-term covert cyberattacks aimed at information collection and cyberespionage. For example, in the spring of 2024, a series of cyberattacks targeting the governments of African and Caribbean nations were recorded. The APT group SharpPanda was behind the cyberattack, whose main objective was to conduct cyberespionage and obtain confidential information. Their method involved using compromised email accounts of high-ranking officials in Southeast Asia to send phishing emails aimed at infecting new targets in these two regions.
The government sector is also targeted by hacktivists (18%). In July 2023, the online platform eCitizen, which provides government services and information to the citizens of Kenya, suffered a DDoS attack for which the group Anonymous Sudan claimed responsibility. For several days, key services were unavailable, including those related to obtaining passports, visas, and driver's licenses. At the same time, a database containing 2 million records, allegedly stolen from the Egyptian Ministry of Health and Population, was put up for sale on a dark web forum.
According to data from dark web forums, cybercriminals are most attracted to the government sectors of Nigeria (27%), Algeria (17%), Ethiopia (12%), and South Africa (12%). Listings related to the government sector generally aim to give away information for free (66%). For example, one dark web forum post contained confidential data from the Ethiopian Ministry of Regional Trade and Integration, allegedly breached due to a cyberattack carried out by the hacktivist group ThreatSec in October 2023.
Finance
The financial sector ranks second in terms of the share of successful cyberattacks in the region (22%). In this case, cybercriminals are primarily interested in the financial gain they can achieve from such cyberattacks. For example, in January 2023, a database belonging to South Africa's PostBank was put up for sale on a dark web forum. The database contains over 10 million lines of confidential information, presumably about the bank's customers, including personal data, card information, and transaction history.
In November 2023, experts reported a cyberattack on Toyota Financial Services in Europe and Africa. The Medusa ransomware group claimed responsibility for the cyberattack. As proof of the success of the cyberattack, the criminals published fragments of data on their website, including financial documents, personal user information, and more. The cyberattack was apparently carried out by exploiting a vulnerability in Citrix NetScaler, registered as CVE-2023-4966 and known as CitrixBleed.
Another incident was reported at the end of June this year—a cyberattack on BGFIBank Gabon. The Bianlian ransomware group claimed responsibility for the cyberattack, which resulted in the theft of data constituting commercial secrets. To support their claim, Bianlian posted a fragment of the stolen information.
In 2023, two major financial institutions were hit by ransomware attacks: the TransUnion credit organization and the Development Bank of South Africa. The system breach at TransUnion was executed by the N4ughtySecTU group, which demanded a ransom for the stolen confidential information. Previously, in March 2022, the company had already faced threats from N4ughtySecTU when they threatened to publish 4 TB of stolen data unless a ransom of $15 million was paid. The cyberattack on the Development Bank of South Africa was carried out by the Akira group, which deployed ransomware to encrypt the company's servers, logs, and documents.
Dark web listings related to cyberattacks on the financial sector have affected Algeria, Ghana, Cameroon, Nigeria, Uganda, Ethiopia, South Africa, and other countries. Most of these listings are aimed at selling data and access (64%). For example, one dark web ad sells access to the Bank of Ghana's system.
On June 24, 2024, an ad was posted on a dark web platform about a breach of data from the Senegalese bank Cosna Afrique Bank, allegedly containing information about clients and their credit cards. The author of the post notes that this database was already published on the dark web a week before, but he is willing to sell it at a lower price of $5,000.
Manufacturing
One in ten successful cyberattacks on organizations in the region targeted the manufacturing sector. When achieved, the main objectives of these cyberattacks—to disrupt the core activities of manufacturing enterprises and to steal confidential information—can negatively impact not only the company itself but also the entire industry or region.
In January 2024, the Cameroonian energy company Eneo suffered a cyberattack that significantly damaged its computer system. Eneo representatives did not provide details about the breach but reported that the operation of some applications was suspended to implement protection measures.
On March 5, 2024, a major campaign targeting industrial organizations around the world, including in South Africa and Egypt, was revealed. According to experts from Dark Reading¹, two ransomware groups, GhostSec and Stormous, were responsible for carrying out the cyberattacks. They used a new version of the ransomware GhostLocker 2.0 and a double extortion technique, in which the attackers demanded a ransom from the victim not only for decrypting the data but also for not disclosing the breach.
¹ A platform that provides news in the field of cybersecurity, analysis of cyberthreats and protection methods, and expert opinions.
Telecommunications
The telecommunications sector, like manufacturing, was the target of one out of every ten successful cyberattacks on organizations in the region. Moreover, the number of cyberattacks on telecommunications companies is increasing each year. This trend is driven by several factors, including the advancement of digital technologies and the growth of Internet access and mobile communications in the region. The emergence of new clients for telecom operators increases the volume of user data these companies hold, which in turn attracts attackers seeking financial profit by stealing users' personal and payment information for ransom. In addition, APT groups and hacktivists carry out cyberattacks on the telecom sector for cyberespionage purposes and to disrupt the operations of the companies. For example, on February 6, 2024, the hacktivist group Anonymous Sudan attacked major mobile providers in Uganda. Airtel, MTN, and Uganda Telecom were subjected to DDoS attacks, which disrupted their core operations. According to the group, the cyberattack was aimed at companies supporting the Rapid Support Forces in the civil war in Sudan.
In November 2023, telecom companies in Egypt, Sudan, and Tanzania were targeted in a cyberattack by the APT group Seedworm. The attackers aimed to conduct cyberespionage and obtain confidential information. The cyberattack involved the use of the MuddyC2Go spyware, launched via PowerShell command shell.
Targets and methods of cyberattacks
In cyberattacks on organizations, criminals most often target computers, servers, and network equipment (65%). This indicates a low level of infrastructure security within companies, specifically vulnerabilities in the network perimeter and configuration flaws in externally accessible services.
Figure 7. Targets of cyberattacks (share of successful cyberattacks)
Every fourth cyberattack on organizations targeted web resources (27%), and half of these cases were DDoS attacks. For example, the hacktivist group Mysterious Team Bangladesh attacked the Ethiopian Ministry of Health in March 2023, and in early May of the same year, they carried out a series of DDoS attacks on the web resources of various institutions in the region, including an energy company, government agencies (including the Ethiopian government portal), and financial organizations.
The most common method of executing cyberattacks on organizations and individuals during the period under review was the use of malware. In August 2023, it was reported that the South African Ministry of Defense suffered from a malware-based cyberattack. The Snatch Team ransomware group claimed responsibility for the cyberattack and the theft of 200 TB of data from the Ministry. They used a brute-force method to penetrate the network and then, to avoid malware detection, rebooted Windows PCs in safe mode, preventing the launch of any antivirus or security software. The data was then encrypted, after which the group demanded a ransom from the victim.
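The two behaviours described in the Ministry of Defense incident above, a brute-force burst against a network logon service followed by a reboot into Safe Mode so that security software does not start, both leave traces that a defender can match on. The following detection logic is an added example, not part of the original report. It runs over a handful of constructed log records embedded in the script (not real telemetry); the record shape (timestamp, event ID, source or host, detail) and the use of Windows event IDs 4625/4624 for failed/successful logons and Sysmon event 1 for process creation are assumptions made for the example. The Safe Mode check assumes the reboot is configured with `bcdedit` or `bootcfg`, which is how the boot configuration is normally changed from a command line; the report itself does not name the tool.

```python
"""Detection of (a) a failed-logon burst from one source and (b) a command that
configures the next boot into Safe Mode. Added example; log records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample records: (ISO timestamp, event_id, source_or_host, detail).
# 4625 = failed logon, 4624 = successful logon, 1 = process creation (Sysmon-style).
SAMPLE_LOGS = (
    # twelve failures from one address within eleven seconds (constructed)
    [("2023-08-01T02:00:%02d" % s, 4625, "203.0.113.7", "user=admin") for s in range(1, 13)]
    + [
        ("2023-08-01T02:00:15", 4625, "198.51.100.3", "user=jsmith"),   # isolated typo, benign
        ("2023-08-01T02:01:00", 4624, "203.0.113.7", "user=admin"),     # success after the burst
        ("2023-08-01T02:05:00", 1, "WS-017", "cmd.exe /c bcdedit /set {current} safeboot minimal"),
        ("2023-08-01T02:05:30", 1, "WS-017", "shutdown /r /t 0"),
        ("2023-08-01T03:00:00", 1, "WS-018", "bcdedit /enum"),          # read-only, benign
    ]
)

# Commands that switch the next boot to Safe Mode (hypothetical patterns for the example).
SAFEBOOT_PATTERNS = [
    re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.IGNORECASE),
    re.compile(r"\bbootcfg(\.exe)?\b.*/safeboot", re.IGNORECASE),
]


def detect_bruteforce(records, threshold=10, window=timedelta(seconds=60)):
    """Return {source: max failures seen in any sliding window} for sources that
    reach `threshold` failed logons within `window`."""
    failures = defaultdict(list)
    for ts, event_id, source, _ in records:
        if event_id == 4625:
            failures[source].append(datetime.fromisoformat(ts))
    flagged = {}
    for source, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[source] = max(flagged.get(source, 0), count)
    return flagged


def detect_safeboot_change(records):
    """Return [(host, command_line)] for process creations that set Safe Mode boot.
    `bcdedit /enum` and similar read-only calls do not match."""
    hits = []
    for _, event_id, host, cmdline in records:
        if event_id == 1 and any(p.search(cmdline) for p in SAFEBOOT_PATTERNS):
            hits.append((host, cmdline))
    return hits


def run_detections(records):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for source, count in detect_bruteforce(records).items():
        findings.append(f"logon brute force: {count} failures from {source} within 60s")
    for host, cmdline in detect_safeboot_change(records):
        findings.append(f"safe mode boot configured on {host}: {cmdline}")
    return findings


if __name__ == "__main__":
    for line in run_detections(SAMPLE_LOGS):
        print(line)
```

A successful 4624 logon from a source that was just flagged for a burst is the event worth escalating first, and a Safe Mode boot change is rarely legitimate on a workstation outside a maintenance window, so both findings are good candidates for high-severity alerts rather than dashboard noise.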
Figure 8. Methods of cyberattacks (share of successful cyberattacks)
Figure 9. Types of malware (share of successful malware cyberattacks on organizations)
In nearly every third successful cyberattack on organizations in the region, cybercriminals used ransomware. For example, in November 2023, a ransomware cyberattack resulted in a breach of confidential information from the Es Saadi Hotel in Morocco. The MEOW group used malware of the same name to encrypt files and subsequently add the .MEOW extension to their names. The stolen data was published on the group's portal. The portal also included information from the Nigerian commercial bank Wema Bank.
In every fourth successful cyberattack, cybercriminals employed spyware (25%). Cyberespionage was most frequently directed against public sector organizations (29%). For instance, on July 29, 2024, reports emerged of cyberattacks on ports and maritime facilities in the Indian Ocean and the Mediterranean Sea, carried out by the SideWinder group. One of the group's primary targets was Egypt. To distribute the spyware, the attackers used targeted phishing, sending emails with decoy documents that closely imitated legitimate documents from official organizations. The group then exploited the Microsoft Office vulnerability CVE-2017-0199 to gain access to the victim's system: the document loaded a malicious RTF file via a URL hidden inside it. The RTF file exploited the CVE-2017-11882 vulnerability and executed shellcode to probe the victim's system. If the system met the necessary parameters, JavaScript code for remote control was then executed.
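Both stages of the SideWinder lure chain above leave structural markers inside the document that a mail gateway or sandbox can check before any macro or exploit runs: a CVE-2017-0199 lure carries an OLE object relationship whose target is an external URL, and a CVE-2017-11882 lure embeds an Equation Editor object. The scanner below is an added example, not code from the report or from any vendor. It builds its own minimal .docx containers and RTF strings in memory (constructed samples, with a placeholder URL), so it runs offline; the relationship-type URI and the `Equation.3` class name are the standard Office identifiers, while the finding strings and function names are the example's own.

```python
"""Static checks for two Office lure patterns: an external OLE object link in a
.docx (CVE-2017-0199 style) and an Equation Editor object in RTF (CVE-2017-11882
style). Added example; all sample documents are constructed in memory."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMAGE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

# RTF markers: an Equation Editor object class, and a control word that forces the
# object to update (hence load) as soon as the document is opened.
RTF_EQUATION_RE = re.compile(rb"\\objclass\s+Equation\.\d")
RTF_OBJUPDATE_RE = re.compile(rb"\\objupdate\b")


def build_docx(rels_xml: str) -> bytes:
    """Construct a minimal .docx container around the given relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def scan_docx(data: bytes) -> list:
    """Flag relationships of type oleObject whose target is external (a URL)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL_TYPE:
                    findings.append(f"{name}: external OLE object -> {rel.get('Target')}")
    return findings


def scan_rtf(data: bytes) -> list:
    """Flag embedded Equation Editor objects and forced object updates."""
    findings = []
    if RTF_EQUATION_RE.search(data):
        findings.append("rtf: embedded Equation Editor object")
    if RTF_OBJUPDATE_RE.search(data):
        findings.append("rtf: \\objupdate forces object load on open")
    return findings


def scan_document(data: bytes) -> list:
    """Dispatch on the container type; unknown formats yield no findings."""
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    if data.startswith(b"PK"):
        return scan_docx(data)
    return []


# Constructed samples (not real lures). The URL is a placeholder.
BENIGN_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{IMAGE_REL_TYPE}" Target="media/image1.png"/>'
    "</Relationships>"
)
LURE_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
    'Target="http://example.invalid/placeholder.rtf" TargetMode="External"/>'
    "</Relationships>"
)
BENIGN_RTF = b"{\\rtf1 Quarterly report}"
LURE_RTF = b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata 0105}}}"

if __name__ == "__main__":
    for label, doc in [("benign docx", build_docx(BENIGN_RELS)), ("lure docx", build_docx(LURE_RELS)),
                       ("benign rtf", BENIGN_RTF), ("lure rtf", LURE_RTF)]:
        print(label, scan_document(doc) or "clean")
```

Neither check proves exploitation on its own; both are cheap pre-filters that justify detonating the attachment in a sandbox or holding it for review, and they keep working after patching because they key on the lure structure rather than on a particular payload.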
When it comes to individuals, one of the main methods of cyberattacks employed by criminals in African countries, as in the rest of the world, remains social engineering. For example, the distribution of a fraudulent Android application called SpyLoan allowed criminals to access user accounts, device information, call logs, and more. The application was downloaded 12 million times by users from various countries, including Egypt, Kenya, and Nigeria.
Consequences of cyberattacks
Most often, successful cyberattacks on African countries resulted in the cybercriminals gaining access to confidential information: this occurred in 61% of such cyberattacks. For example, on November 8, 2023, it was reported that Fawry, a leading provider of e-payment and digital financial solutions in Egypt, was subject to a cyberattack. Experts from Dark Reading attributed the cyberattack to the LockBit ransomware group. The cyberattack resulted in the leak of personal data of the company's clients, including addresses, phone numbers, and dates of birth. In most cases, successfully executed cyberattacks on individuals also led to the breach of confidential information (53%).
Figure 12. Consequences of cyberattacks (share of successful cyberattacks)
For the African region, one in five (18%) successful cyberattacks resulted in the disruption of core business activities. An example of this is the 2023 cyberattack on the Central Bank of Lesotho, which caused some systems to be suspended until they were fully restored. The INC Ransom ransomware group claimed responsibility for the cyberattack.
It's important to note that the actions of cybercriminals can lead to non-tolerable events for organizations, such as disruption or suspension of their core activities. To prevent such incidents, organizations must clearly define non-tolerable events with potential devastating impact on their operational activities and regularly monitor the status of their direct and intermediary target systems.
Analysis of dark web platforms
The countries of greatest interest for cybercriminals are South Africa (25%), Nigeria (18%), and Algeria (13%). This may be due to several factors: these countries are characterized by active development of digital technologies along with a growing number of Internet users and available web resources, attracting cybercriminals seeking financial gain through cyberattacks. In addition, geopolitical factors may have played a role in the intensified wave of cyberattacks by hacktivists and APT groups in the region.
Figure 13. Share of posts on dark web platforms in African countries
In terms of distribution by industry, the analysis of data from dark web forums also confirmed that cybercriminals' listings most frequently mention the government (19%) and financial (13%) sectors.
Figure 14. Share of posts by victim category for 2023–2024
Analysis of listings and messages on dark web platforms revealed that cybercriminals most often publish posts related to the distribution (46%) or sale (43%) of information, indicating the presence of politically motivated hacktivists in the region as well as cybercriminal groups focused on financial gain.
Figure 15. Share of posts by topic
Databases are the most frequently advertised item on the dark web, accounting for 61% of listings, more than half of which (64%) offer to distribute information for free.
In every fourth listing (24%), databases are sold. For example, in May of this year, a post on the dark web was selling data from various banks located in Cameroon. The cybercriminals set a price of $100 for a database containing up to 10,000 entries and $200 for a batch of up to 20,000 entries.
In addition to ads containing databases, cybercriminals on the dark web also offer access to networks of various organizations in Africa (38%). Almost one in five posts (18%) contains an offer for access via VPN or RDP protocols. Ads are also frequently found offering access via a shell (14%) or remote access programs such as AnyDesk, RDWeb, and Citrix (8%).
Figure 18. Types of access offered on the dark web
The majority of posts related to access are aimed at selling it (74%). The average price is $2,970. For example, in one such post from February 29 of this year, cybercriminals offered to sell domain and enterprise administrator access of companies in the transportation sector and food industry, with the starting price set at $3,000.
In every fifth listing (18%), access is given away for free. For example, in July 2024, an unknown group published a post offering free system access to the Ugandan Ministry of Education.
Conclusions and recommendations
In recent years, Africa has been working hard to continuously develop in the digital sphere. However, this has created new opportunities for cybercriminals, which means the region continues to face cybersecurity incidents regularly. To enhance the region's cybersecurity and prevent the successful execution of future cyberattacks, we propose a number of protective measures.
How can cybersecurity be improved in the region?
Strengthening the legal cybersecurity framework
Currently, African countries are actively implementing national cybersecurity policies and strategies. However, with cyberattack methods constantly improving, attackers are able to find vulnerabilities in the deployed security mechanisms. It's important to develop cybersecurity strategies and keep them current, taking into account the present level of technological development and the cyberthreats that come with it.
Protection of critical information infrastructure
It is essential to identify critical information infrastructure, disruption of which could cause non-tolerable events at the industry and national levels, and establish protective mechanisms for regulation. Special attention should be paid to the government, financial, telecommunications, and industrial sectors of the region. In developing approaches to ensure cybersecurity of critical information infrastructures, various methods should be combined to achieve a high level of protection against cyberattacks amid the constant evolution of technology.
Defining non-tolerable events and identifying critical assets
To ensure the cyber resilience of an organization, it is necessary first of all to analyze the main risks and draw up a list of non-tolerable events that could cause significant damage to its activities. This will help identify critical assets and focus on protecting the most valuable resources.
The strategy developed to prevent non-tolerable events must include the necessary security measures and monitoring of network activity using modern security tools.
Compliance with general cybersecurity requirements
It is important to regularly update the systems and applications in use to eliminate identified vulnerabilities and prevent potential cyberattacks in the future. Furthermore, it is necessary to assess the effectiveness and relevance of the security mechanisms and information protection tools being applied. For example, during the period under review, instances of cyberattacks involving phishing were noted; therefore, innovative solutions for email filtering should be implemented to detect and block phishing emails. This measure is mandatory regardless of the employees' level of training, as the emergence of new technologies, such as deepfakes and generative models, can deceive even experienced and educated users.
Cooperation between government and business
To successfully implement cybersecurity projects, establishing reliable partnerships between government institutions and private companies is crucial. Cyberincident response centers have been established for this purpose, tasked with monitoring cyberthreats, developing innovative cybersecurity solutions, and helping organizations recover from cyberattacks. Such centers are already operational in half of the African countries. To optimize their work, it is recommended to create specialized divisions for different industries.
International cooperation
Strengthening international cooperation with other countries and collaborating on a common regulatory framework, along with maintaining an up-to-date database of current cyberthreats and protective measures, will enhance the security of the entire information society.
Participation in international conferences will allow experts from different fields to exchange information, helping them gain diverse perspectives on issues and determine the most effective solutions.
Employee cybersecurity training
Organizations should conduct educational activities to teach users basic security rules and techniques, for example, how to install software safely and how to identify phishing emails and websites. They should also provide a list of response centers or personnel to whom cybersecurity incidents should be promptly reported. Additionally, a budget should be allocated for the development of cybersecurity professionals to enhance their skills and knowledge.
About this report
This report contains information about cybersecurity incidents in the African region, based on Positive Technologies' own expertise, study findings, and data from reputable sources. The analysis presented is drawn from data on cyberattacks in the following countries: Algeria, Angola, Botswana, Burkina Faso, Gabon, Ghana, Egypt, Zambia, Zimbabwe, Cameroon, Kenya, Lesotho, Libya, Mauritius, Madagascar, Malawi, Mali, Morocco, Niger, Nigeria, Senegal, Sudan, Tanzania, Togo, Tunisia, Uganda, Chad, Ethiopia, and South Africa. For the study, 350 Telegram channels and dark web forums were analyzed, where the total number of messages amounted to 184 million from 43 million users.
We believe that the majority of cyberattacks are not made public due to reputational risks, with the result that even organizations that investigate incidents and analyze activity by hacker groups are unable to calculate the exact number of cyberthreats. This research aims to draw the attention of companies and individuals who care about the state of information security to the key motives and methods of cyberattacks, and to highlight the main trends in the changing cyberthreat landscape.
This report considers each mass cyberattack (for example, phishing emails sent to multiple addresses) as one incident, not several. For explanations of terms used in this report, please refer to the glossary on the Positive Technologies website.