
A quarter of cyberthreat activity directed at South African govt systems, research shows

8th August 2023

By: Schalk Burger

Creamer Media Senior Deputy Editor

     


Of the cybersecurity threat activity detected by cybersecurity solutions and services company Trellix during the year, 26% was directed towards government systems, while 16% was targeted at business service providers, 14% at wholesalers’ networks, and 12% targeted utilities’ systems.

Cyberthreat groups Lazarus and the Daggerfly Advanced Persistent Threats (APT) group were among the most notable threat actors that have recently ramped up targeted efforts to infiltrate critical South African systems, according to the latest Trellix Cyberthreat Intelligence report.

Government organisations remain the primary targets for threat actors looking to infiltrate South African information technology systems.

“Despite not experiencing a significant surge in detections since the first quarter, we have noticed a trend of specialised, well-equipped and highly skilled threat actors,” said Trellix South Africa country lead Carlo Bolzonello.

“More alarming is their interconnection with extensive networks and potential State support, indicating a coordinated and sophisticated approach to their malicious activities,” he highlighted.

The Lazarus Group is historically associated with a North Korean State-sponsored APT syndicate and has since been linked to the North Korean government by the US Cybersecurity and Infrastructure Security Agency.

Lazarus deploys tools and capabilities including distributed denial-of-service botnets, keyloggers to record users’ input, remote access tools that give anonymous, unauthorised users access, and wiper malware to erase data from the system.

Lazarus is notorious for executing spear-phishing campaigns aimed at accessing and stealing account credentials and financial data, as well as employing "living off the land" techniques, using fileless malware and legitimate system tools, Bolzonello highlighted.

Further, the Daggerfly APT group, which is suspected to have affiliations with China, has been exhibiting heightened activity in Africa, with a particular emphasis on targeting telecommunications organisations.

Its primary objective is information gathering, leveraging PlugX loaders to abuse any desktop remote software, and living-off-the-land tooling such as PowerShell, BITSAdmin and GetCredManCreds, which is heavily used in long-term campaigns that can go undetected for extended periods.

“What makes some of the tools used by threat actors so destructive is their trail obfuscation capabilities,” Bolzonello said.

“They employ various techniques, such as hiding backdoors and manipulating time stamps, skilfully giving the impression that their malicious artifacts date back as far as ten years ago. This renders the analysis process exceedingly challenging for investigating teams.

“What is even more concerning is that these adversaries are highly proficient in evasion tactics, leaving organisations believing they have eliminated the threats, when in reality, they may still lie concealed,” he added.

Edited by Chanel de Bruyn
Creamer Media Senior Deputy Editor Online
