As cyberattacks increasingly target critical infrastructures worldwide, a notable rise in Chinese state-sponsored hacking activities aimed at African IT networks has emerged. Two prominent groups, APT41 and Salt Typhoon, are at the forefront of these operations, deploying sophisticated cyber-espionage techniques with a particular focus on telecommunications and government IT services.
Since late 2022, APT41 has concentrated its efforts on Africa, exploiting weaknesses in targeted networks through carefully planned intrusions. The group hardcodes internal service names and IP addresses into its malware to blend in with legitimate traffic and evade detection, and uses captive SharePoint servers inside the infected infrastructure to maintain a persistent, covert presence.
APT41 has intensified its focus on African networks, utilizing advanced strategies to exploit vulnerabilities and establish covert presences.
Simultaneously, Salt Typhoon has targeted network devices across seven global telecom companies, including South Africa’s MTN Group. Its campaigns have begun to exploit client devices, targeting routers and switches as footholds into larger networks and thereby undermining critical telecommunications infrastructure. It has recently been established that the compromised devices belong to customers of the telecom companies rather than to the firms themselves; those devices are linked to seven telecommunications companies, which highlights the breadth of the threat the group poses.
US officials have previously accused Salt Typhoon of wide-ranging cyber-espionage campaigns, considerably affecting political figures and organizations. The geographical and sectoral expansion of Chinese cyber espionage is evident, with notable operations now extending into African IT and telecommunications networks.
The deteriorating state of cybersecurity defenses in Africa renders the region particularly vulnerable, as defensive capabilities often lag behind those of Western counterparts. This expansion also reaches vital sectors, including healthcare and government entities, reflecting a long-term strategy by Chinese groups to gain influence over global data infrastructures.
Technical attack methods have evolved as well: the malware carries hardcoded access details and routes traffic through internal proxies, which lets the operators move laterally through a network without being detected.
Tools such as Impacket’s Atexec and WmiExec modules further extend the attackers’ ability to compromise unmonitored hosts and establish initial footholds. The ramifications for African IT and telecom networks could be severe, ranging from exposure of sensitive data to the compromise of fundamental government services, which underlines the urgent need for improved cybersecurity measures in the region.
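The Atexec and WmiExec activity described above leaves a recognisable trace in process-creation telemetry: both modules run commands through cmd.exe and redirect the output to a file under ADMIN$ or %windir%\Temp so the operator can read it back over SMB. The following detection sketch is an added example, not code from the article or from any of the groups or tools it mentions; it assumes Sysmon-style field names (Image, ParentImage, CommandLine), uses constructed sample records, and matches the default command-line shapes of Impacket's wmiexec and atexec, which an operator can of course alter.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style fields),
# not real telemetry from the campaigns described in the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.123456 2>&1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /C ipconfig /all > %windir%\Temp\kWzYqTxd.tmp 2>&1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
]

# Default output-redirection shapes of Impacket's wmiexec (output to an
# ADMIN$\__<timestamp> file via loopback SMB) and atexec (output to a random
# file in %windir%\Temp via a scheduled task). A miss is absence of evidence
# only: these strings are defaults and can be changed by the operator.
WMIEXEC_RE = re.compile(r"\s1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1", re.I)
ATEXEC_RE = re.compile(r"\s>\s*%windir%\\Temp\\\w+(\.tmp)?\s+2>&1", re.I)


def classify(event):
    """Return (tool, confidence) for a suspicious record, or None."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    if WMIEXEC_RE.search(cmd):
        # WMI-spawned commands have WmiPrvSE.exe as parent; anything else is odd
        # but still worth a medium-confidence alert.
        return ("wmiexec", "high" if parent.endswith("wmiprvse.exe") else "medium")
    if ATEXEC_RE.search(cmd):
        # Scheduled-task commands run under the Schedule service host (svchost.exe
        # on current Windows, taskeng.exe on older releases).
        strength = "high" if parent.endswith(("svchost.exe", "taskeng.exe")) else "medium"
        return ("atexec", strength)
    return None


def scan(events):
    """Index every record that matches, returning (index, tool, confidence) tuples."""
    return [(i, *c) for i, e in enumerate(events) if (c := classify(e))]


if __name__ == "__main__":
    for idx, tool, strength in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tool}-style lateral movement ({strength} confidence)")
```

In a real deployment the same two patterns can be expressed as a SIEM query over 4688/Sysmon 1 events, with the parent-process check used to rank alerts rather than to suppress them.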