South Africa’s logistics and port operator Transnet has been the victim of an apparent ransomware attack, with its IT systems, websites and Navis* container terminal OS going offline yesterday morning.
The hack was first identified when several stakeholders in the freight industry were not able to access the container terminals at the Durban port in KwaZulu-Natal (KZN).
“There was a memo issued to staff on Thursday morning that their terminal computers had been hacked and it came from the Transnet IT system. They said that they were working on it, but by Thursday afternoon the system was still offline,” said one stakeholder, quoted by The Sowetan.
“Some operations, including rail, have gone manual but the end result is that no import containers are able to be processed or loaded onto the trucks.”
“After last week’s disaster of the looting and riots, this is catastrophic. If it is an intentional shutdown, it is equal to industrial sabotage and will bring the economy to its knees,” they said.
eNCA reporter Sli Masikane shared details about the hack on her Twitter account, including an alleged letter from the hackers as well as internal communications about the hack.
BREAKING #TransnetHack I’ve been reliably informed that Transnet systems have been hacked. All employees received this communication to shutdown all laptop and desktops and not to not access their emails. #eNCA pic.twitter.com/BavupKGMoV
— Sli Masikane (@Sli_Masikane) July 22, 2021
“Transnet systems have been hacked and compromised,” reads the alleged internal document, which further advises employees to disconnect from the Transnet network immediately until advised to do otherwise.
“Please communicate to all your teams to shutdown all laptops, desktops & tablets connected to the domain,” it reads.
A screenshot of an alleged ransomware declaration document is also included, reading: “Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data, financial reports and money other documents.”
“Do not try recover files yourself,” it continues. “You can damage them without special software.”
“We can help recover your files and prevent your data from leaking or being sold on the darknet,” it reads, adding that the hackers are willing to decrypt a single, non-important file for free to “convince you of our honesty.” This is a prime example of the classic ransomware modus operandi.
As in other ransomware attacks, the threat actors have included contact information, telling the relevant people to contact them through the Tor Browser, a free, proxy-relaying online communication platform made to preserve anonymity and allow untraceable interactions. It is favoured by dark web communities and internet privacy advocates.
Transnet spokesperson Ayanda Shezi said all business continuity plans have been activated following the attack.
“Operations across the group are continuing, with the freight rail, pipelines, engineering and property divisions reporting normal activity. Port terminals are operational across the system, with the exception of container terminals, as the Navis system on the trucking side has been affected,” Shezi said.
“In the Eastern Cape, terminal operations have been halted by inclement weather and will continue manually once it is safe to do so. The Ports Authority continues to operate, and vessels moving in and out of the ports are being recorded manually. Customers have been made aware of the disruption and are being engaged throughout the process.”
Transnet is currently working to reduce site downtime and disruptions to customers.
*UPDATE: The following is a statement provided by Navis about the disruptions at Transnet:
“Navis is aware of the situation at Transnet and is in close contact with the Transnet team as they work to identify and isolate the cause of the disruption and restore operations. While the source of the disruption is not related to Navis, as a precautionary measure Transnet shut down all systems, including the servers running the N4 terminal application.”