Cyber Incident Victim: Telkom
Date: May 2017
Location: South Africa
Summary
A global WannaCry ransomware attack disrupted the company's customer service platforms, impairing USSD menus, mobile app functionality, voicemail systems, and call center operations. The organization successfully prevented file encryption but experienced significant service degradation due to sustained high network traffic as firewalls repelled the attack. Most platforms were restored overnight, though intermittent issues persisted for several days. Defensive measures included throttling traffic in high-risk areas and rigorous monitoring to protect customer data. While no systems were infected or encrypted, the company emphasized the importance of applying security patches to mitigate vulnerabilities against potential future variants.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The global WannaCry ransomware outbreak began on Friday, 12 May 2017, spreading between unpatched Windows systems over SMB by exploiting the vulnerability addressed by Microsoft's MS17-010 update. At Telkom the impact first became visible on Tuesday, 16 May, when customers reported failures in USSD menus, the Telkom mobile app, voicemail systems, and call center operations, preventing data bundle purchases and service access. Telkom's security teams had already detected anomalous spikes in network traffic on Saturday, 13 May, coinciding with the worm's spread in South Africa, and raised an elevated security alert. Managed security personnel immediately began monitoring and defensive measures, including throttling traffic in high-risk network segments to contain the threat. While Telkom confirmed WannaCry's attempts to infiltrate its systems, the company's firewalls blocked the ransomware from encrypting files or installing its DOUBLEPULSAR backdoor payload.

The sustained attack generated overwhelming network traffic as Telkom's defenses repelled repeated intrusion attempts, causing intermittent performance degradation across customer platforms until Thursday, 18 May. Most services were restored overnight following the initial Tuesday outage, though sporadic disruptions persisted. Telkom attributed the operational delays to its deliberate security strategy of prioritizing data protection over uninterrupted service availability, which involved aggressive firewall filtering and traffic management. No customer data was compromised, and no systems were encrypted by the ransomware. Post-incident, Telkom emphasized the importance of applying the MS17-010 patch, noting that unpatched devices remained vulnerable to new variants and that their infection attempts would add to the network congestion. The company publicly acknowledged service interruptions but maintained that its response averted data loss and ransom demands, which globally ranged from $300 to $600 per infected system.
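The "anomalous network traffic spikes" that triggered Telkom's alert are characteristic of WannaCry's propagation: an infected host opens TCP/445 (SMB) connections to many distinct peers in a short time as it hunts for unpatched machines. The detector below, an added example that is not Telkom's code and not drawn from the page, shows one way to pick that fan-out pattern out of flow records. The flow records, the 60-second window and the threshold of 10 distinct SMB destinations are all constructed assumptions for the example; a real deployment would tune them to the network's normal SMB behaviour.

```python
"""Flag hosts whose TCP/445 traffic looks like a WannaCry-style SMB sweep:
many distinct destinations from one source inside a short time window.
Hypothetical example; flow data below is constructed, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: datetime   # flow start time
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    proto: str     # "tcp" / "udp"


def build_sample_flows() -> List[Flow]:
    """Constructed sample traffic (assumption, not captured data):
    one host sweeping a /24 on 445, one normal file-server client,
    one slow host touching many peers, and unrelated HTTPS traffic."""
    t0 = datetime(2017, 5, 13, 10, 0, 0)
    flows: List[Flow] = []
    # 10.0.1.25: 40 distinct peers on 445 within 40 seconds -> worm-like sweep
    for i in range(40):
        flows.append(Flow(t0 + timedelta(seconds=i), "10.0.1.25",
                          f"10.0.1.{100 + i}", 445, "tcp"))
    # 10.0.1.30: repeated SMB sessions to the same two file servers -> normal
    for i in range(60):
        flows.append(Flow(t0 + timedelta(seconds=i), "10.0.1.30",
                          f"10.0.1.{5 + (i % 2)}", 445, "tcp"))
    # 10.0.1.31: 15 distinct peers on 445, but only one every 40 s -> too slow
    for i in range(15):
        flows.append(Flow(t0 + timedelta(seconds=40 * i), "10.0.1.31",
                          f"10.0.1.{200 + i}", 445, "tcp"))
    # 10.0.1.32: many distinct HTTPS destinations -> not SMB, ignored
    for i in range(30):
        flows.append(Flow(t0 + timedelta(seconds=i), "10.0.1.32",
                          f"203.0.113.{i}", 443, "tcp"))
    return flows


def smb_fanout(flows: List[Flow],
               window: timedelta = timedelta(seconds=60),
               threshold: int = 10) -> Dict[str, int]:
    """Return {src: peak count of distinct TCP/445 destinations seen from src
    within any `window`}, keeping only sources whose peak reaches `threshold`.
    A host talking to the same file server all day never raises the count;
    a host touching many peers slowly never fills the window."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 445:
            by_src[f.src].append(f)

    hits: Dict[str, int] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        peak, start = 0, 0
        for end in range(len(fl)):
            # Slide the window start forward until it spans at most `window`
            while fl[end].ts - fl[start].ts > window:
                start += 1
            distinct = len({f.dst for f in fl[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, peak in smb_fanout(build_sample_flows()).items():
        print(f"ALERT: {src} reached {peak} distinct SMB peers in one window")
```

Only the sweeping host is reported; the file-server client and the slow host stay below the threshold because the check counts distinct destinations per window rather than raw connection volume, which is also why a detection like this can feed a targeted throttle or block on the offending segment instead of rate-limiting all SMB traffic.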
