Ransomware attack cripples Johannesburg power supplier

City Power limping back to normalcy after ransomware attack on customer payday

City Power, one of the largest power suppliers in Johannesburg, is limping back to normalcy after a crippling ransomware infection lead to a blackout on 25 July.

"City Power will continue to work throughout the night to recover the systems and restore remaining applications. We are hoping that if everything goes according to plan, everything should be restored by Friday," the pre-paid power supplier tweeted earlier today (26 July).

"While it appears City Power is investigating the source of the attack it does sound like they have been able to restore systems, hopefully minimising the risk of any significant damage,", Nozomi Networks co-founder and CPO Andrea Carcano told SC Media UK.

City Power has been relentlessly tweeting about each and every recovery and redressal steps since the blackout. The attack left customers unable to load prepaid electricity on the payday of the month, so they were unable to load prepaid electricity.

"The key point here is that this incident demonstrates how previously isolated systems can now be adversely affected by even the most commodity viruses. Attackers need not necessarily access control systems anymore to impact something as critical as electric distribution," Claroty CSO Dave Weinstein told SC Media UK.

The precise point of breach in the Johannesburg attack is not known yet. The convergence of OT and IT has given cyber-criminals an edge in targeting critical national infrastructure, SC Media UK reported in June. The inherent lack of security measures in traditional infrastructure makes matters worse, said Weinstein.

"Most of the devices that run the world’s infrastructure were never designed to be secure. They often lack basic security features like encryption and authentication because, like the internet itself, they were built to operate in highly trusted, closed environments," he said. 

"The world’s critical infrastructure operates on many old and obscure protocols, of which, a high number are proprietary to just a few manufacturers. When it comes to the cyber security around critical infrastructure, defenders are, unfortunately, in the dark. This is the current state of industrial cyber security  - and for now, it’s advantage offense," he added.

ImmuniWeb founder and CEO Ilia Kolochenko warned that similar incidents will continue to happen.

"Cities, and especially their infrastructure sites, are usually a low-hanging fruit for unscrupulous cyber- gangs. These victims will almost inevitably pay the ransom as all other avenues are either unreliable or too expensive," he said.

The time window and specific range in the Johannesburg attack is worth noting, said Vectra director Matt Walmsley.

"We’re seeing ransomware becoming a far more focused tactic where cyber-criminals take time to profile and target organisations who they believe will have a higher likelihood of paying a meaningful level of ransom. The disruption to their services and consumer backlash will further compound the pressure on City Power’s IT and security teams to rapidly restore systems to a known good condition from back-ups, or chance of paying the ransom," he said.

Crypto currencies make such crimes technically un-investigatable in most cases, said Kolochenko. 

"Law enforcement agencies are already overburdened with an increasingly growing pipeline of sophisticated investigations, often aggravated by continuous lack of financing and unfriendly colleagues from foreign jurisdictions. Unless governments develop, finance and duly enforce security regulations purported to safeguard cities and municipalities, we will soon dive into a darkness, facing grave accidents involving airports and other objects of critical infrastructure," he added. 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews