[BreachExchange] Transnet Undergoes Apparent Ransomware Hack

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jul 23 11:56:22 EDT 2021


https://www.itnewsafrica.com/2021/07/transnet-undergoes-apparent-ransomware-hack/

South Africa’s logistics and port operator Transnet has been the victim of
an apparent ransomware attack, with its IT systems, websites and Navis
container terminal OS going offline yesterday morning.

The hack was first identified when several stakeholders in the freight
industry were not able to access the container terminals at the Durban port
in KwaZulu-Natal (KZN).

“There was a memo issued to staff on Thursday morning that their terminal
computers had been hacked and it came from the Transnet IT system. They
said that they were working on it, but by Thursday afternoon the system was
still offline,” said one stakeholder, quoted by The Sowetan.

“Some operations, including rail, have gone manual but the end result is
that no import containers are able to be processed or loaded onto the
trucks.”

“After last week’s disaster of the looting and riots, this is catastrophic.
If it is an intentional shutdown, it is equal to industrial sabotage and
will bring the economy to its knees,” they said.

“Transnet systems have been hacked and compromised,” reads the alleged
internal document which further advises employees to disconnect from the
Transnet network immediately until advised to do otherwise.

“Please communicate to all your teams to shut down all laptops, desktops &
tablets connected to the domain,” it reads.

A screenshot of an alleged ransomware declaration document is also included
reading, “Unfortunately, your files have been encrypted and attackers are
taking over 1 TB of your personal data, financial reports and money other
documents.”

“Do not try recover files yourself,” it continues. “You can damage them
without special software.”

“We can help recover your files and prevent your data from leaking or being
sold on the darknet,” it reads, with the hackers offering to decrypt a
single, non-important file for free to “convince you of our honesty”, a
prime example of the classic ransomware modus operandi.

As with other ransomware attacks, the threat actors have included contact
information, telling relevant people to contact them through the Tor
Browser, a free proxy-relaying online communication platform made to
preserve anonymity and allow untraceable interactions, and a favoured
piece of software among dark web communities and internet privacy
advocates.

Transnet spokesperson Ayanda Shezi said all business continuity plans have
been activated following the attack.

“Operations across the group are continuing, with the freight rail,
pipelines, engineering and property divisions reporting normal activity.
Port terminals are operational across the system, with the exception of
container terminals, as the Navis system on the trucking side has been
affected,” Shezi said.

“In the Eastern Cape, terminal operations have been halted by inclement
weather and will continue manually once it is safe to do so. The Ports
Authority continues to operate, and vessels moving in and out of the ports
are being recorded manually. Customers have been made aware of the
disruption and are being engaged throughout the process.”

Transnet is currently working to reduce site downtime and disruptions to
customers.