Image by Google Gemini Image creator, based on a prompt by Gadget.


Masterminds behind the hackers

Africa’s most dangerous cyber attacks are the work of both bedroom amateurs and state-sponsored masterminds, writes ARTHUR GOLDSTUCK.

Cyber attacks on African organisations have surged past global averages, placing the continent firmly in the crosshairs of the world’s most dangerous threat actors. In the first quarter of 2025 alone, Africa experienced 3,286 attacks per organisation per week – the highest average of any region in the world – according to cyber security platform provider Check Point Software.

The company’s Q1 2025 Global Cyber Attack Report shows that Nigeria clocked in at 4,388 attacks per week, Angola at 4,727, and Kenya at 4,004. Even South Africa, with a relatively modest 1,884 attacks weekly, saw a staggering 69% year-on-year increase.

The numbers reflect a dramatic escalation in both volume and sophistication. The culprits range from state-sponsored espionage units to loosely organised digital extortionists, with Africa becoming both a testing ground and a soft target. According to Hendrik de Bruin, security consulting specialist at Check Point Software, the evolving threat landscape has turned even amateur efforts into real dangers, but it is the professionalised, persistent actors that pose the deepest risks.

“Script kiddies” still play their part, said De Bruin, referring to inexperienced attackers using plug-and-play hacking tools. During a media briefing in Johannesburg this week, Check Point gave the example of a few young Kenyans who bought their hacking tools online and mounted attacks from their homes.

“They were very unsophisticated, but still very successful,” De Bruin told Gadget. “That speaks to the fact that you don’t really need to have a mastermind to perpetrate successful cyber crime.”

But the real danger, he said, lies in the more sophisticated operations. 

“When we talk about these larger scale cyber attacks… that’s when we start to talk about the advanced persistent threats (APTs), as well as the nation states.”

One of the most notable examples is APT41, a cyber threat group believed to operate on behalf of the Chinese government. It is widely regarded as one of the most sophisticated and versatile APT groups in the world, with a dual focus: cyber espionage and financially motivated cybercrime.

It is also linked to recent breaches in Kenya. In one such case, attackers remained inside a government network for weeks with full administrative access. 

APT41 uses a catalogue of known TTPs — tactics, techniques and procedures — that have allowed analysts like those from Check Point to match its digital fingerprints to attacks around the world. The Kenyan breach bore all the hallmarks, said De Bruin.

The increase in attacks reflects vulnerabilities in infrastructure, rapid digital transformation without proper security controls, and poor regulation of cyber governance.

“Digitisation is often done without due care towards security,” said De Bruin. “Government, the public sector, private sector — we see it across the board. People moving away from paper-based processes, cloud adoption and so forth. But it’s not necessarily done securely, and that leads to low-hanging fruit that attackers are exploiting.”

South Africa, with its relatively advanced connectivity and mobile penetration, is a case study in this paradox. While more connected than most of its neighbours, it is more vulnerable for precisely that reason.

“Oftentimes cyber security is just a tick box exercise,” De Bruin said. “Someone tells them, ‘you need to have a firewall’, and then they go buy the cheapest firewall they can and tick the box.”

The consequences are being felt across all sectors. Education tops the list globally, with 4,484 weekly attacks per organisation. In Africa, telecommunications companies are emerging as prime targets, both for their critical infrastructure role and their user databases. South Africa’s MTN, Namibia’s Telecom Namibia and Kenya’s South Sea have all suffered breaches in recent months.

De Bruin traces the motives to a mix of espionage, activism and pure opportunism. “As geopolitical tensions rise, we see an increase in these nation states attacking each other. They don’t necessarily use ransomware. Instead, they use wipers to make sure that all the data has been removed.”

Then there are the threats from within. Insider risks are harder to quantify but potentially more damaging. In one case cited by De Bruin, a supplier to a Brazilian bank was bribed with $900 to hand over credentials. The result: a $140-million attack. “We also see a massive take on identity-related attacks,” he said. “You can purchase credentials on the dark web for about $5.”

While some attacks are meticulously orchestrated by elite state-sponsored teams, others are opportunistic, decentralised, and built on a chain of small compromises. According to De Bruin, one growing tactic is supply chain infiltration: “Rather than attacking a bank individually, they find an IT service provider of those organisations, get access to their infrastructure, and by extension, you then have access to multiple other infrastructures.”

This context gives shape to the so-called cyber mastermind: a hybrid of software, strategy, and subterfuge, sometimes operating under a nation’s flag, sometimes under no flag at all.

It also highlights the inadequacy of traditional defences. Firewalls, anti-virus software and patching are no longer enough. Check Point recommends a “prevention-first” posture: multi-layered defences, employee training, zero-trust architectures, regular vulnerability testing, and incident response protocols that assume a breach has already occurred.

* Arthur Goldstuck is CEO of World Wide Worx, editor-in-chief of Gadget.co.za and author of The Hitchhiker’s Guide to AI.
