Transnet ransomware attack

On 22 July 2021, Transnet became a victim of a ransomware attack. The attack caused Transnet to declare force majeure at several key container terminals, including Port of Durban, Ngqura, Port Elizabeth and Cape Town. The attack was the first time that the "operational integrity of the country's critical maritime infrastructure has suffered a severe disruption" leading the Institute for Security Studies (ISS) to call its impact "unprecedented" in South African history.

The ISS speculated that Transnet was withholding details about the attack as it was an issue of national security and because the attack might cause legal liabilities for the company. Bloomberg News stated that the attackers encrypted files on Transnet's computer systems thereby preventing the company from accessing their own information whilst leaving instructions on how to start ransom negotiations. The Bloomberg article quotes a source from the cybersecurity firm Crowdstrike Holdings Inc. which states that the ransomware used in the attack was linked to "strains known variously as “Death Kitty,” “Hello Kitty” and “Five Hands.”" and likely originated from Russia or Eastern Europe. The Department of Public Enterprises stated that none of Transnet client's data had been compromised in the attack.

The timing of the attack, which followed closely after the 2021 South African unrest following former South African President Jacob Zuma's imprisonment, caused speculation that the two events might have been part of a coordinated effort to disrupt economic activity in the country. The authorities stated that the two events were likely unrelated.

Background
The Durban port handles 60% of South African container traffic.

Timeline

 * July 22, Transnet ransomware attack occurred.
 * July 26, most computer systems had been restored.
 * July 27, Transnet's investigation into the attack's severity was still ongoing.
 * July 28, Department of Public Enterprises stated that Transnet had fully restored operations at the ports.