
Cyber Incident Victim: Western Cape Provincial Parliament

Date: May 2023

Location: South Africa

Summary

The Western Cape Provincial Parliament suffered a cyber attack that rendered its ICT services inaccessible. The nature and extent of the attack were not disclosed, but the institution stated that no parliamentary business would be affected. Its business continuity and disaster recovery plans were activated, which included recovering systems from backups in a phased approach. The incident was reported to the South African Police Service and the State Security Agency.


Description

On or around May 23, 2023, the Western Cape Provincial Parliament (WCPP) experienced a cyber security attack. The incident occurred overnight, rendering the institution's ICT services inaccessible. The WCPP, one of nine provincial legislatures in South Africa, did not publicly divulge the specific nature or the full extent of the cyber attack in its initial communications. Its primary public statement on the matter confirmed the event had taken place and that its systems had been compromised, leading to a loss of access.


Despite the inaccessibility of its ICT services, the WCPP asserted that no parliamentary business would be affected as a result of the attack. This statement indicated that contingency plans were in effect to ensure the continuity of its core functions, which include passing legislation, providing a forum for public debate, involving the public in the law-making process, and overseeing the activities of the provincial executive. The institution characterized cyber security as the single biggest threat in the world at the time, contextualizing the incident within a broader global and national landscape of increasing digital threats.

In response to the attack, the WCPP activated its pre-established business continuity and disaster recovery plans. The organization stated it had previously invested heavily in these cyber security measures. As part of its response actions, the matter was formally reported to the South African Police Service and the State Security Agency, initiating official law enforcement and security investigations into the breach. The technical recovery process involved restoring the institution's systems from backups to a secure environment. This restoration was planned as a systematic process, with services being brought back online in a phased approach to ensure stability and security.

The incident at the WCPP occurred within a period of significantly heightened cyber threat activity across South Africa. The country had witnessed a spike in attacks targeting various critical sectors, including credit bureaus, healthcare and retail groups, and several government departments. Highly organised distributed denial-of-service (DDoS) attacks had also been launched against South African banks. Research from the Council for Scientific and Industrial Research (CSIR) highlighted the severe economic impact of such cyber crime, with losses to the South African economy estimated at R2.2 billion per annum. Further context from CSIR researchers indicated that South Africa was ranked as the eighth most targeted nation in the world for ransomware attacks, with more than half of all local firms reporting that they had been impacted by ransomware within the past year. While the specific attack vector used against the WCPP was not disclosed, this national context illustrates the challenging environment in which the incident took place.

The activation of the disaster recovery plan was the central technical measure undertaken to mitigate the attack's impact and restore operational normalcy. By relying on system backups, the WCPP aimed to rebuild its digital infrastructure without capitulating to any potential ransom demands, had the attack been of a ransomware nature. The phased restoration of services was designed to methodically validate the integrity of each restored system and application before returning it to production, minimizing the risk of re-infection or further compromise. This careful approach also allowed IT personnel to monitor the newly restored environment for any lingering malicious activity.

The decision to involve both the South African Police Service and the State Security Agency formed the legal and investigative component of the response. This action was intended to pursue potential attribution of the attack and to gather forensic evidence that could be used in any subsequent legal proceedings. It also aligned with national security protocols for incidents affecting a provincial government body. The attack on the WCPP demonstrated the vulnerability of governmental institutions to cyber threats, regardless of their stated investments in security measures. The event served to underscore the critical importance of having tested and viable business continuity and disaster recovery plans in place, as these mechanisms were immediately called upon to ensure the legislature could continue its constitutional duties without interruption. The full impact of the incident, including whether any sensitive data was exfiltrated or compromised, was not detailed in the public statements released by the organization in the immediate aftermath.
