Transnet ransomware attack
{{Short description|2021 cyberattack on Transnet}}
{{Use South African English|date=July 2021}}
{{Use dmy dates|date=July 2021}}
{{Infobox event|title=Transnet ransomware attack|image=Durban harbor.jpg|caption=Port of Durban affected in the cyberattack|time=SAST|date=22 July 2021|location={{flag|South Africa}}|target=Shipping infrastructure}}
On 22 July 2021, Transnet became a victim of a ransomware attack.{{Cite web |last1=Viljoen |first1=John |last2=Njini |first2=Felix |date=27 July 2021 |title=Transnet declares force majeure at SA ports over cyberattack |url=https://www.news24.com/fin24/companies/transnet-declares-force-majeure-at-sa-ports-over-cyber-attack-20210727 |access-date=2021-07-27 |website=Fin24 |language=en-US}}{{Cite web|last=Toyana|first=Mfuneko|date=2021-07-26|title=BUSINESS MAVERICK: Transnet cyberattack puts employees' salaries at risk while backlogs at ports mount|url=https://www.dailymaverick.co.za/article/2021-07-26-transnet-cyberattack-puts-employees-salaries-at-risk-while-backlogs-at-ports-mount/|access-date=2021-07-27|website=Daily Maverick|language=en}}{{Cite web |last=de Wet |first=Phillip |date=27 July 2021 |title=Ships are starting to bypass SA ports as Transnet tells customers and staff of 'sabotage' |url=https://www.businessinsider.co.za/transnet-admits-it-was-hacked-as-ships-start-skipping-south-africas-ports-2021-7 |access-date=2021-07-27 |website=News24}} The attack caused Transnet to declare force majeure at several key container terminals, including Port of Durban, Ngqura, Port Elizabeth and Cape Town.{{Cite web|last=Shead|first=Sam|date=2021-07-27|title=South Africa port operations halted and workers reportedly put on leave after major cyberattack|url=https://www.cnbc.com/2021/07/27/transnet-halts-port-operations-in-south-africa-after-major-cyberattack.html|access-date=2021-07-27|website=CNBC|language=en}}{{Cite web |last1=Mokhoali |first1=Veronica |last2=Ntshidi |first2=Edwin |date=24 July 2021 |title=Ntshavheni: Govt still believes cyberattack at Transnet unrelated to unrest |url=https://ewn.co.za/2021/07/24/ntshavheni-govt-still-believes-cyberattack-at-transnet-unrelated-to-unrest |access-date=2021-07-27 |website=ewn.co.za |language=en}}{{Cite web |title=Transnet declares a force majeure |url=https://www.enca.com/business/transnet-declares-force-majeure 
|access-date=2021-07-27 |website=www.enca.com |language=en}} The attack was the first time that the "operational integrity of the country's critical maritime infrastructure has suffered a severe disruption", leading the Institute for Security Studies (ISS) to call its impact "unprecedented" in South African history.{{Cite web |last=Reva |first=Denys |date=2021-07-29 |title=Cyber attacks expose the vulnerability of South Africa's ports |url=https://issafrica.org/iss-today/cyber-attacks-expose-the-vulnerability-of-south-africas-ports |access-date=2021-08-02 |website=ISS Africa |language=en}}
The ISS speculated that Transnet was withholding details about the attack because it was an issue of national security and because the attack might create legal liabilities for the company. Bloomberg News stated that the attackers encrypted files on Transnet's computer systems, thereby preventing the company from accessing its own information, whilst leaving instructions on how to start ransom negotiations.{{Cite web |last1=Ryan |first1=Gallagher |last2=Burkhardt |first2=Paul |date=29 July 2021 |title='Death Kitty' Ransomware Linked to South African Port Attack |url=https://www.bloomberg.com/news/articles/2021-07-29/-death-kitty-ransomware-linked-to-attack-on-south-african-ports |access-date=2021-08-02 |website=Bloomberg News |publisher=}} The Bloomberg article quotes a source from the cybersecurity firm CrowdStrike Holdings Inc. as stating that the ransomware used in the attack was linked to "strains known variously as “Death Kitty,” “Hello Kitty” and “Five Hands.”" and likely originated from Russia or Eastern Europe. The Department of Public Enterprises stated that none of Transnet's clients' data had been compromised in the attack.{{Cite web |last=Naidoo |first=Suren |date=2021-07-29 |title=Data 'has not been compromised' in Transnet cyber attack, says Gordhan's department |url=https://www.moneyweb.co.za/news/economy/data-has-not-been-compromised-in-transnet-cyber-attack-says-gordhans-department/ |access-date=2021-08-02 |website=Moneyweb |language=en}}
The timing of the attack, which came shortly after the 2021 South African unrest that followed former South African President Jacob Zuma's imprisonment, caused speculation that the two events might have been part of a coordinated effort to disrupt economic activity in the country.{{Cite web|date=28 July 2021|title=Call to 'connect dots between insurrection modus operandi and crippling Transnet cyber attack'|url=https://www.iol.co.za/news/politics/call-to-connect-dots-between-insurrection-modus-operandi-and-crippling-transnet-cyber-attack-8d48c4e9-a3a7-4140-81de-5597a20a430b|access-date=2021-08-02|website=www.iol.co.za|language=en}} The authorities stated that the two events were likely unrelated.
Background
The Durban port handles 60% of South African container traffic.{{Cite web|last=Swart|first=Nadya|date=2021-07-27|title=Flash Briefing: SA govt reaches pay deal with unions; Transnet cyber attack; Mango suspends flights|url=https://www.biznews.com/asset-management/2021/07/27/mango-flights|access-date=2021-07-27|website=BizNews.com|language=en-GB}}{{Cite web |last=Ginindza |first=Banele |date=July 26, 2021 |title=SA's 'Gateway to Africa' status at risk as Transnet tries to fix IT system woes |url=https://www.iol.co.za/business-report/companies/sas-gateway-to-africa-status-at-risk-as-transnet-tries-to-fix-it-system-woes-32eea568-91b4-4f54-86f4-3743b760f8ae |access-date=2021-07-27 |website=www.iol.co.za |language=en}}{{Cite web|author= |date=2021-07-27|title=BITRA – Update on Transnet IT disruptions |url=https://www.moneyweb.co.za/mny_sens/bitra-update-on-transnet-it-disruptions/|access-date=2025-04-27|website=Moneyweb|language=en}}
Timeline
- July 22, the Transnet ransomware attack occurred.{{cn|date=May 2024}}
- July 26, most computer systems had been restored.{{Cite web |last=McLeod |first=Duncan |date=22 July 2021 |title=Transnet container operations hit by 'cyberattack' |url=https://techcentral.co.za/transnet-systems-reportedly-down-after-cyberattack/109394/ |access-date=2021-07-27 |website=TechCentral}}{{Cite web |last=Naidoo |first=Suren |date=2021-07-27 |title=Transnet cyber attack confirmed: Port terminals division declares force majeure |url=https://www.moneyweb.co.za/news/companies-and-deals/transnet-cyber-attack-confirmed-port-terminals-division-declares-force-majeure/ |access-date=2021-07-27 |website=Moneyweb |language=en}}
- July 27, Transnet's investigation into the attack's severity was still ongoing.{{Cite web|last=Toyana|first=Mfuneko|date=2021-07-27|title=Business Maverick: Transnet ports division declares force majeure on container terminals after cyber attack|url=https://www.dailymaverick.co.za/article/2021-07-27-transnet-ports-division-declares-force-majeure-on-container-terminals-after-cyber-attack/|access-date=2021-07-27|website=Daily Maverick|language=en}}{{Cite web |last1=Njini |first1=Felix |last2=Naidoo |first2=Prinesha |date=27 July 2021 |title=South Africa Port Operator Declares Force Majeure Over Cyber Attack |url=https://www.bloomberg.com/news/articles/2021-07-27/s-africa-port-operator-declares-force-majeure-over-cyber-attack-krln4ku6 |access-date=2021-07-27 |website=Bloomberg}}{{Cite web |last=Diphoko |first=Wesley |date=2021-07-27 |title=Transnet website still down and chaos gets worse |url=https://www.iol.co.za/technology/software-and-internet/transnet-website-still-down-and-chaos-gets-worse-7a3fe743-5994-4c5e-aa96-900c7733e8f0 |access-date=2021-07-27 |website=www.iol.co.za |language=en}}
- July 28, the Department of Public Enterprises stated that Transnet had fully restored operations at the ports.
References
{{Reflist}}