Cyber Incident Victim: Webafrica
Date: Feb 2016
Location: South Africa
Summary
A mass defacement compromised over 2,500 South African websites hosted by Webafrica after an attacker exploited a Joomla vulnerability in their shared hosting service. The hacker, operating under the alias Tobitow, replaced site content with messages supporting the #OpAfrica campaign against child labor and corruption, subsequently publishing hundreds of defaced URLs online. South African cybersecurity authorities issued alerts regarding the incident, which the perpetrator claimed involved no data theft despite initial reports suggesting SQL injection attacks.
Description
On February 12, 2016, a mass website defacement campaign impacted 2,532 South African websites hosted by Webafrica, a shared hosting provider. The attack was executed by an individual using the alias Tobitow, who identified and exploited a vulnerability in Webafrica's hosting infrastructure. This incident formed part of the broader #OpAfrica initiative by Anonymous-affiliated actors, which previously targeted Rwandan and Ugandan government entities before expanding to South African targets including a job portal and the Government Communication and Information System (GCIS). Tobitow, though geographically located in Latin America, aligned with the campaign's stated objectives of drawing attention to child labor and government corruption across Africa. After compromising the websites, Tobitow replaced their content with a political message supporting #OpAfrica, using a custom defacement image that had originally appeared in a Softpedia article about related Anonymous activities.

Webafrica's call center staff confirmed the security breach to South African technology news outlet MyBroadband shortly after detection. Tobitow initially publicized the attack by posting defaced website links on Twitter before abandoning this method and publishing approximately 600 compromised URLs in a CryptoBin paste. The South African Computer Security Incident Response Team (ECS-CSIRT) issued an advisory attributing the attacks to SQL injection vulnerabilities and website defacements targeting unpatched server operating systems. However, Tobitow contradicted this assessment, clarifying through public statements that he exploited a Joomla content management system vulnerability rather than SQL injection techniques, and emphasized that no data exfiltration occurred during the incident. The scale of the defacement operation highlighted systemic security weaknesses in shared hosting environments while demonstrating how geopolitical hacktivist campaigns could rapidly expand through individual actor participation.
