Cyber Threats to the Financial Sector in Africa

An Assessment of the Current Threat and an Analysis of Emerging Trends on the Future Threat Landscape

MARCH 2022

ACKNOWLEDGEMENTS

This report was prepared by Robert Dartnall, Kit Palmer and Wiebe Ruttenberg from Security Alliance, with guidance from Dorothee Delort (World Bank) and the assistance of Renuka Pai, under the leadership of Mahesh Uttamchandani and Harish Natarajan (World Bank Group, Finance, Competitiveness and Innovation Global Practice), in the context of the Financial Inclusion Global Initiative Working Group on cybersecurity (under the Security and Trust Working Group). The authors thank Zafer Mustafaoglu and Siegfried Zottel (World Bank Group, Finance, Competitiveness and Innovation Global Practice) and Emran Islam (International Monetary Fund) for their review of the paper and their input.

The interpretations and conclusions expressed in this work belong to the authors and do not necessarily reflect the views or positions of either the World Bank Group, its Board of Executive Directors, and the governments they represent, or the Bill and Melinda Gates Foundation.

FINANCE, COMPETITIVENESS & INNOVATION GLOBAL PRACTICE
Payment Systems Development Group

©2022 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW, Washington, DC 20433
Telephone: 202-473-1000; Internet: www.worldbank.org

DISCLAIMER

The Financial Inclusion Global Initiative is led in partnership by the World Bank Group (WBG), International Telecommunication Union (ITU), and the Committee on Payments and Market Infrastructures (CPMI), with the support of Bill & Melinda Gates Foundation (BMGF).
The FIGI program funds national implementations in three countries (China, Egypt, and Mexico), supporting topical working groups to tackle 3 sets of outstanding challenges in closing the global financial inclusion gap, and hosting 3 annual symposia to gather the engaged public on topics relevant to the grant and share intermediary learnings from its efforts.

This work has been prepared for the Financial Inclusion Global Initiative by the Cybersecurity for FMI’s Workstream of the FIGI Security, Infrastructure and Trust (SIT) Working Group. The work is a product of the staff of the World Bank with external contributions prepared for the Financial Inclusion Global Initiative. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of the Financial Inclusion Global Initiative partners including The World Bank, its Board of Executive Directors, or the governments they represent, or the views of the Committee for Payments and Market Infrastructure, International Telecommunications Union, or the Bill & Melinda Gates Foundation.

The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

RIGHTS AND PERMISSIONS

The material in this work is subject to copyright. Because the World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org.

Table of Contents

Abbreviations and Acronyms
Executive Summary
1. Introduction
2. Baseline Assessment
2.1 Threats to Integrity
2.2 Threats to Availability
2.3 Threats to Confidentiality
2.4 Baseline Assessment
3. Emerging Trends and the Future Threat Landscape
3.1 Technological Factors
3.2 Socioeconomic Factors
3.3 Geopolitical Factors
4. Recommendations for Central Banks and Financial Authorities
4.1 Strengthening Cyber Resilience of Financial Entities and the Financial Sector at Large
4.2 Understanding and Strengthening the Financial-Sector Supply Chain
4.3 Strengthening Cyber Resilience and Supervisory Capacity of Central Banks and Financial Authorities
4.4 Strengthening Cyber Resilience of Government and Society at Large
4.5 Actively Seeking Regional Cooperation
5. Conclusion
Appendix A Definitions
Appendix B Case Studies
References
Endnotes

Boxes

Box 1: List of Relevant International Guidance/Standards
Box 2: Role of National Cybersecurity Center and Computer Emergency Response Team

Abbreviations and Acronyms

CERT: computer emergency response team
DDoS: distributed denial of service
DoS: denial of service
FSI: financial-service institution
NCSC: national cybersecurity center
OCG: organized criminal group

Executive Summary

This paper provides an intelligence-led analysis of the current threat landscape for the financial-service sector across Africa, and an assessment of future trends.

African financial-service institutions currently face a significant threat from organized criminal groups and financially motivated nation-states conducting high-value thefts in heist-style operations. These operations build on previous successes against similar systems in the now-more-cyber-mature developed world and focus on exploiting generally inadequate cybersecurity controls to manipulate the integrity of payment-processing mechanisms and internal security controls. Malicious insiders have also shown the intent and capability to leverage privileged knowledge and system access and steal from their employers.

Ransomware also presents a prominent and growing threat, given its detrimental impact on the availability and confidentiality of critical systems and data. A growing number of organized criminal groups and individual hackers are showing both the intent and capability to direct this activity against African financial-service institutions; the majority of these attacks opportunistically take advantage of security issues and infrastructure vulnerabilities.

Furthermore, African financial-service institutions are also heavily affected by the large volume of low-sophistication scams, thefts, and fraudulent activity directed against their customers. Scams harming victims abroad may also deter foreign investment, to the detriment of Africa’s long-term economic potential. Such scams generally originate from domestic grassroots actors, likely compounded by socioeconomic factors such as unemployment and economic inequality.

Next to that, African financial-service institutions are currently experiencing high levels of espionage and data theft from nation-states, organized criminal groups, insiders, and individual hackers. Although these types of attack have fewer immediately tangible impacts than direct theft or extortion attempts, they can cause future issues, such as loss of competitive advantage or loss of customer trust. African financial-service institutions also face a small but growing risk of supply-chain compromise from the increasing use of third-party entities within the financial-services infrastructure, expanding the general attack surface.

Looking forward, the following emerging trends can be identified:

Large-scale rapid digitalization of financial products provides new avenues of opportunity for threat actors. Greater levels of digitally enabled financial inclusion, coupled with customers who are unfamiliar with those products and services, open up new targets for scammers. Digitalization also comes with an expanded supply chain, which will provide threat actors with new access vectors.

Short-term economic challenges will increase the attractiveness of cybercrime for the young and unemployed. However, sporadic introduction and lax enforcement of cybersecurity regulations will not deter domestic cyber activity over the short to medium term. On top of that, increased security in the developed world will increase Africa’s attractiveness to an array of threat actors.

Finally, it is to be expected that Africa’s increasing geopolitical relevance will incite more targeting from nation-state threat actors.

The challenge of coping with the serious cyber threats facing Africa’s financial sector—and, with it, society in general—is not borne by Africa’s banks, payment service providers, and financial infrastructures alone; financial authorities (including central banks) and governments can help address these challenges by focusing on improving the cyber resilience of both individual financial entities and the financial sector as a collective, on strengthening the cyber resilience and supervisory capacity of central banks and financial authorities, and ultimately on bolstering the cyber resilience of African society at large. Central banks and financial authorities should also actively seek to cooperate with their peers in neighboring countries.

With regards to improving the cyber resilience of individual financial entities and the financial sector as a collective, it is recommended that authorities publish more specific operational guidelines and cyber resilience expectations to help financial entities and their relevant authorities to implement and assess the appropriate cyber resilience measures. Next to that, it is recommended that the responsible authorities invite systemically important financial entities to engage in threat-led penetration testing and team up in a cyber information and intelligence-sharing initiative. The wheel does not need to be invented again; practical examples of these three recommendations have been published or implemented by other international authorities.1

The responsibility for being cyber resilient and having enough cyber capabilities does not lie with the private sector alone; central banks and other financial authorities also have to play their part. Therefore, central banks and other financial authorities must comply with their own guidelines and expectations, especially as most central banks are also RTGS payment system operators and thus engage in activities covered by these guidelines and expectations. Furthermore, it will greatly contribute to the cyber capabilities and cyber resilience of the central bank if the senior managers of the supervision, oversight, payment systems, and information systems departments engage in structured internal dialogue, to learn from each other and contribute to each other’s policy and operational objectives.

Some of the cyber threats faced by Africa’s financial sector can be addressed only by government action. On the preventive side, it is recommended that central banks call for—and contribute to—more focused government action to improve financial and digital literacy among its citizens and consider expanding the availability of basic cybersecurity studies to provide for a future career path for unemployed youth. Next to that, establishing a national cybersecurity center to assist the government and vital industry sectors with cyber advice and the services of a computer emergency response team will greatly contribute to a higher level of cyber resilience within a country’s vital governmental and commercial sectors. Given their crucial institutional role in society, central banks could—and should—play a facilitating role in the establishment of such national cybersecurity centers. Unfortunately, cyber threats are here to stay, and cyberattacks will continue to happen. An efficient and credible judicial system is needed to prevent cybercrimes and—if they happen—to follow up with effective law-enforcement actions. Central banks and other financial authorities should urge governments to improve the cyber capabilities of the judicial system (police, prosecutor offices, courts) and should stand ready to make available specific financial or cyber expertise, if required.

Finally, cyber risks transcend geographic borders. Therefore, it is recommended that central banks and financial authorities reach out to their peers in neighboring countries to coordinate follow-up actions regarding the recommendations above and to establish and cooperate in joint initiatives, where appropriate.

1. Introduction

The ever-increasing digitalization of everyday life makes cybersecurity a prominent topic for entities in all industries, but particularly so for organizations of systemic importance, such as financial services, which have to secure systems processing billions of US dollars each day. The issue of cybersecurity has not gone unnoticed in the developed world. Countries have made significant moves toward improving broad cybersecurity standards, introducing robust and comprehensive legislation, educating the public on cybersecurity awareness, and increasingly subjecting critical national infrastructure entities to mandated intelligence-led penetration testing and intelligence sharing.

However, a number of factors, including economic constraints, political disagreements, civil unrest, inadequate infrastructure, and a general lack of awareness, have limited a similar progression of cybersecurity standards across much of the developing world, although this assessment varies significantly between states in this category. Although the continent’s size and variety make it difficult to establish comprehensively the general state of cybersecurity across all of Africa, the following common issues make African cyberspace an attractive target for motivated threat actors:

• Human factor: While a problem worldwide, Africa suffers from a general lack of public cyber threat awareness and digital hygiene (Świątkowska 2020, 21). Researchers have cited difficulties in disseminating security materials, influenced by factors such as high levels of linguistic diversity and varying English language skills (Kabanda, Tanner, and Kent 2018, 270).

• Lack of capacity: Research in 2019 showed only 4 percent of information assurance specialists were located in Africa (Świątkowska 2020, 21). By 2020 there was also an estimated shortage of 100,000 cybersecurity professionals on the continent, further hampering organizations’ ability to implement proper cybersecurity protocols and tooling (Kshetri 2019, 78).

• Resources: The majority of countries in the developing world rely on outdated, poorly secured, unlicensed, or unmanaged information security assets (Świątkowska 2020, 20). Numerous countries in Africa also have high rates of pirated software, compounding difficulties of checking software for malicious components: In 2017, investigations showed 90 percent and 89 percent of software in Libya and Zimbabwe, respectively, was pirated (Kshetri 2019, 78).

• Economic constraints: A 2017 study of African small and medium-sized enterprises indicated that about 95 percent of those polled were at or below the “security poverty line”—that is, they had few or no resources to invest in security or defensive solutions and were thus unable to plan for or manage cyberattacks effectively (Świątkowska 2020, 20). The cost and lack of immediate return on investment for security activities such as penetration testing or threat intelligence analysis leads many small and medium-sized enterprises to forgo these activities entirely (Kabanda, Tanner, and Kent 2018, 274).

• Socioeconomic factors: Varying levels of poverty, high unemployment, and a lack of opportunity push many Africans—particularly young people—to see cybercrime as a quick and lucrative source of income (Świątkowska 2020, 21).

• Ineffective law enforcement: As of 2016, 39 of the 54 African countries had no specific legal provisions for cybersecurity and cyber-enabled criminal activity. Furthermore, the lack of cybersecurity specialists means that many states suffer an inability to investigate cybersecurity incidents properly, and weak enforcement mechanisms for the laws that do exist make it harder to identify and arrest perpetrators, effectively making the continent a safe haven for malicious actors to operate with impunity (Świątkowska 2020, 22).

An analysis of historic cyber incidents against financial services confirms that as the developed world slowly but surely improves its cybersecurity posture, cyber threat actors are turning away from these hardening targets and pivoting toward what they perceive to be easier pickings in developing regions.

This paper aims to address this growing disparity between the developed and developing world by providing an intelligence-led analysis of the current threat landscape for financial services across Africa. The paper will then provide an assessment of future trends based on emerging patterns for African financial-service institutions (FSIs) (and for the respective financial authorities) and offer an assessment of the expected state of affairs on the continent. The ultimate aim of this research is to assist FSIs across Africa and in other developing regions to understand their own baseline threat models and to alter their cybersecurity strategies accordingly. As previously stated, Africa’s size and diversity mean that this paper should be considered as a broad analysis of the state of cybersecurity in the wider African financial infrastructure; it does not provide in-depth threat assessments on a country-by-country basis.

2. Baseline Assessment

In general, African FSIs face three broad categories of cyber threat: threats to integrity through theft of funds, threats to availability through extortion and disruption, and threats to confidentiality through espionage and data theft.

• African FSIs currently face a significant threat from organized criminal groups (OCGs) and financially motivated nation-states conducting high-value thefts in heist-style operations. These operations build on previous successes against similar systems in the now-more-cyber-mature developed world and focus on exploiting generally inadequate cybersecurity controls to manipulate the integrity of payment-processing mechanisms and internal security controls. Malicious insiders have also shown the intent and capability to leverage privileged knowledge and system access and steal from their employers.

• Ransomware also presents a prominent and growing threat, given its detrimental impact on the availability and confidentiality of critical systems and data. A growing number of OCGs and individual hackers are showing both the intent and capability to direct this activity against African FSIs; the majority of these attacks opportunistically take advantage of security issues and infrastructure vulnerabilities.

• African FSIs are also heavily affected by the large volume of low-sophistication scams, thefts, and fraudulent activity directed against their customers. Scams that harm victims outside Africa may subsequently deter foreign investment, to the detriment of Africa’s long-term economic potential. Such scams generally originate from domestic grassroots actors, likely compounded by socioeconomic factors such as unemployment and economic inequality.

• African FSIs are currently experiencing high levels of espionage and data theft from nation-states, OCGs, insiders, and individual hackers. Although these types of attack have fewer immediately tangible impacts than direct theft or extortion attempts, they can cause future issues, such as loss of competitive advantage or loss of customer trust.

• African FSIs currently face a small but growing risk of supply-chain compromise from the increasing use of third-party entities within the financial-services infrastructure, expanding the general attack surface.

2.1 THREATS TO INTEGRITY

African FSIs, including central and commercial banks, currently face a significant threat from financially motivated actors seeking to redirect funds into their own pockets by manipulating the integrity of internal systems and security controls. These threat actors use varying methodologies and techniques for this purpose, ranging from heists and the use of insiders to opportunistic malware deployment and scamming customers.

Direct theft of money is a clear issue for FSIs. Most obviously, loss of funds through theft reduces the institution’s overall profit. However, cyber-enabled theft can also cause further damage through remediation costs, regulatory fines, and the need to expend time and resources investigating the incident. For example, the theft of $3.2 million from a South African bank forced the bank to spend over $58 million in investigation and mitigation efforts (Cimpanu 2020). Cyber incidents also cause reputational damage to victim organizations, which, although harder to quantify, can result in long-term loss of consumer trust and subsequent business. For example, the 2013 breach of US retailer Target, where threat actors accessed the financial information for 110 million customers, resulted in a 46 percent decrease in net earnings over the following quarter (CEA 2018, 7). As well as reputational damage among customers, cyber-enabled thefts can damage investor confidence in affected organizations. The average victim of cyber-enabled crime experiences a 15 percent drop in share value, and a lack of investor confidence is particularly damaging for emerging economies, which greatly benefit from external investment (CEA 2018, 14). Finally, cyber-enabled thefts at FSIs could cause long-term economic damage, as consumer trust in established FSIs and the use of digital services for financial services is reduced, stunting overall national and sociocultural growth.

2.1.1 Cyber-Enabled Heist-Style Attacks

Current evidence suggests that there is a significant threat from heist-style attacks. This type of attack typically involves threat actors compromising bank networks and gaining privileged access to interbank payment systems such as SWIFT (Society for Worldwide Interbank Financial Telecommunication). Threat actors can then use this privileged position to issue fraudulent transaction requests and obtain large amounts of money. A notorious incident of this type is the North Korea–linked theft of $81 million from the Bangladesh Central Bank in 2018, after attackers compromised the bank’s internal network and exploited the bank’s access point to the SWIFT network to make several fraudulent transactions (BBC News 2021).

These attacks are now less common in the developed world due to a number of factors, including improved cybersecurity, more robust operational controls, and increased network segregation. Although the likes of SWIFT and other providers have worked on global programs to protect their payment network, domestic solutions and fintechs are less mature and may be more susceptible to attack. Improved law-enforcement capability and capacity to target individual cyber threat actors and take down infrastructure used for malicious purposes also likely plays a part in deterring threat actors. Furthermore, the success of easier methods—such as deploying ransomware, engaging in email-based scams, or targeting less well-secured industries, such as retail or insurance, for payment manipulation—makes the labor- and resource-intensive heist-style operations less popular across the board. Attacks in the developed world are also increasingly leading toward international law-enforcement action. Similar developments are unlikely to come to fruition in developing nations due to the lack of the security tools and expertise needed to collect the forensic data required to identify and trace the perpetrators.

Instead, threat actors are now consistently recycling these techniques against FSIs in Africa and other parts of the developing world, capitalizing on the generally lower cybersecurity standards and other issues encountered in these regions. For example, in May 2018, researchers revealed a financially motivated nation-state group engaging in a long-term espionage operation against the financial sector; the intrusions touched a number of African FSIs. The operation’s likely objective was large-scale data reconnaissance to identify potential targets for future compromise (Sherstobitoff 2018). In 2019, the same group targeted banks in five African countries to compromise internal banking infrastructure and redirect funds (Lederer 2019; The Chronicle 2019). Other types of threat actors also target African FSIs: In May 2016, an OCG targeted South Africa’s Standard Bank, compromised internal banking systems, customer databases, and operational safeguards, and managed to use forged cards to withdraw over $19 million from ATMs across Japan (Carnegie Endowment for International Peace 2021). More than 260 suspects were eventually arrested, highlighting the extensive infrastructure available to these more sophisticated threat actors. In January 2018, an OCG stole at least K Sh 29 million (approximately $261,000) from the National Bank of Kenya, and anecdotal reporting suggested the actual sum was about K Sh 340 million (approximately $3 million) (PC Tech Magazine 2018). The bank cited a compromise of its internal network. Additionally, from 2017 to 2019, several FSIs in West Africa were targeted by cyberattacks aimed at compromising internal networks and making fraudulent transactions (Symantec Threat Hunter Team 2019). These examples highlight an already substantial volume of sophisticated attacks successfully stealing funds from African FSIs.

Evidence also indicates that African FSIs are routinely targeted by opportunistic threat actors who typically use automated tools to probe the infrastructure of numerous organizations in the hope of finding vulnerabilities or system misconfigurations that could provide network access. For example, in September 2019, a human intelligence source reported that the TA505 OCG was actively targeting large South African FSIs with phishing campaigns, aiming to obtain employee credentials and establish a foothold on banks’ networks.2 TA505 has a history of conducting direct theft operations, suggesting that this was the objective in this scenario. Additionally, in January 2020, the South African Banking Risk Information Centre warned about a significant number of attacks on African banks from a Russia-based OCG. The OCG was reportedly attempting to compromise vulnerable FSIs and deploy a variety of malware on compromised systems, with the objective of bypassing internal security controls and redirecting funds (Githahu 2020).

These examples demonstrate that African FSIs face a significant threat from threat actors such as financially motivated nation-states and OCGs that seek to compromise the integrity of their systems and steal significant amounts of money. Not only do the threat actors cause financial damage to the banks by directly removing funds, but the banks targeted in this way have to expend resources by reimbursing customers, investigating and remediating network breaches, and expanding cybersecurity capabilities, while banks in certain regions may also face regulatory fines. Harder to measure but still significant nonetheless are the long-term effects of cyberattacks, such as reputational damage, loss of customer trust, and loss of potential business.

2.1.2 Insiders

Historic examples also indicate there is a significant threat that current or former employees will act against their employer to steal funds, either directly from the FSI itself or from its customers. It is also important to note that the majority of insider attacks go unreported, and the number of incidents is likely higher than reported. For example, in January 2019, an employee at a South African bank attempted to transfer approximately R 100 million (approximately $6.6 million) from a customer’s account into accounts controlled by accomplices. The employee used privileged system access to approve replica cards, which would be used to withdraw the funds from ATMs (Hlungwani 2019).

The insider threat intent is usually driven by money, ideology, coercion, or ego (MICE). The vast majority of insider incidents in financial services are driven by financial motives: A study in 2006 found that 81 percent of malicious insider incidents were motivated by money (Liang and Biros 2015, 162). In many cases, these thefts can reach the equivalent of millions of US dollars, representing a significant source of financial damage to the FSI itself. Clearly demonstrating this point, in June 2020 employees at a South African bank stole a master key used to decrypt bank operations, access and modify banking systems, and generate keys for customer cards. The employees used the key to access customer accounts, make fraudulent transactions, and steal over $3.2 million (Cimpanu 2020). The incident cost the bank over $58 million in remediation, as well as harder-to-measure reputational damage and loss of customer trust and loyalty. The incident also demonstrates how insiders can leverage their privileged system knowledge and access to manipulate internal systems without immediate detection. While difficult to calculate exactly, it can be assumed that incidents like this, where customer funds are directly affected, will damage the affected FSI’s reputation and cause long-term loss of customer trust, loyalty, and future business.

Coercion can also be a motive for insider incidents, which, as OCGs drive recruitment efforts to elicit insider support, will likely become more common. There are several cases of insiders cooperating with external threat actors to steal funds from their employers. In May 2020, Gambian authorities arrested 12 suspects linked to an attack on The Gambia’s Trust Bank. Evidence suggests that the suspects worked with insiders in attempts to make fraudulent transactions (The Point 2020). Co-opting insiders is also an established OCG tactic: The Kenyan group SilentCards consistently uses the services of current bank employees to transfer and withdraw significant sums of money from ATMs, resulting in the theft of approximately $174 million from Kenyan banks since 2019 (Niba 2019).

It is likely that insiders in these cases lack the skill, knowledge, or infrastructure to compromise their employer’s network effectively and “cash out” their operations; working with an external actor can bypass these issues. In several cases, the insider provides the external actor with knowledge of or access to internal systems, and the external threat actor steals the funds and provides the insider with a cut of the profits. These cases can be very hard both to detect and to prove intent. While ego-based attacks are less common, ideology will likely become a growing motive for individual hackers and insiders, particularly those aligned with environmental, religious, or social-justice issues. The above examples demonstrate the significant threat posed to African FSIs by financially motivated insiders in terms of theft and integrity of funds.

2.1.3 Theft from Customers

The body of evidence suggests that there is a significant level of low-sophistication, high-volume, cyber-enabled activity focused on stealing money directly from financial-services customers across Africa. Such activity is growing in volume across Africa: In 2020, the Ghanaian central bank reported a 584.1 percent year-on-year increase in card fraud affecting Ghanaian customers (Ghanaian Times 2020). This type of activity usually involves obtaining customer card details or personal information via a range of methods, including online scams, business email compromise, impersonating legitimate banking applications, or compromising point-of-sale systems and e-commerce sites.

In many cases, this activity takes the form of confidence trickery: hackers target vulnerable people and pose as friends, relatives, or trusted businesses and convince the victim to make a fraudulent payment or disclose confidential personal or financial information. The scammers then use this information to steal funds from the victim’s bank account. For example, the World Bank has previously warned of advance-fee fraud schemes originating from Côte d’Ivoire, Nigeria, and Sierra Leone in which actors impersonate the World Bank to obtain victims’ banking details and personal information for fraudulent purposes or to direct victims to send payments to attacker-controlled accounts (WBG 2021b). Additionally, 19 percent of African mobile payments made in the first half of 2021 were made without users’ consent, showing this to be a highly targeted area for scams and fraud (Agosto 2021).

Scammers also exploit consumers’ lack of familiarity with new products or technologies. For example, in 2020 several hundred thousand victims were defrauded out of $588 million through a pyramid scheme bitcoin scam (Chelin 2021). In April 2021, the founders of South African cryptocurrency exchange Africrypt staged a hack and stole $3.6 billion from investors (Ryan 2021).

Another popular scam format is business email compromise, the process of impersonating an entity to trick a company or individual into transferring funds to an attacker-controlled account. A significant amount of grassroots business email compromise activity originates in Africa, particularly in Nigeria, and affects both African and foreign victims. In 2019, police arrested 77 Nigerians, including a local entrepreneur, for engaging in an online financial-fraud scheme worth almost $11 million (Iwenwanne 2021). In November 2020, Nigerian authorities arrested three OCG members who were engaging in phishing, malware campaigns, and business email compromise scams against almost 500,000 victims located in Japan, Nigeria itself, Singapore, the United Kingdom, and the United States (Scroxton 2020). In October 2021, a joint United States-South Africa operation arrested members of the Nigeria-based Black Axe OCG, which had stolen over $6.85 million from victims via romance and business email compromise scams (Hyman 2021). The involvement of US authorities indicates that a number of victims were likely based abroad.

African banking customers are also targeted by hackers who develop malicious applications mimicking official banking applications. For example, research found that malicious mobile banking applications designed to capture personal and financial data made up 17.6 percent of all fraud attempts in the first half of 2021 in Angola (Agosto 2021). Additionally, in October 2021 the Nigerian Communications Commission alerted the public of a malicious app mimicking popular Android mobile banking applications to spread the Flubot malware. The app, when installed, harvests users’ online banking credentials and gains access to SMS messages to intercept two-factor authentication codes to approve the fraudulent log-in (Sahara Reporters 2021).

There have also been examples of threat actors compromising both physical point-of-sale systems and e-commerce payment portals to obtain customer card data. Research conducted in March 2021 shows that the FIN7 OCG conducted attacks on point-of-sale systems in South Africa, aiming to steal customer card data (Seals 2021). The details were then used to make counterfeit cards, which the group used to commit fraud or sold to other cybercriminals. Additionally, in September 2019, Garmin South Africa warned customers that their financial information was at risk after a card-skimming script was found on its e-commerce site. Customers who shopped on the site had their home addresses, phone numbers, email addresses, and full payment card and billing address data stolen (Karabus 2019).

Overall, threat actors use a range of techniques to obtain customers’ personal and financial information for use in fraud, clearly establishing this activity as a lucrative source of income. Superficially, this cyber-enabled malicious activity directed at banking customers does not directly affect the integrity of FSIs’ networks or funds. However, this activity does have an indirect impact, in that it removes money from the legitimate economy; the aggregate impact of low-value but high-volume thefts can, in turn, cause or exacerbate economic issues on a regional or national scale. Furthermore, if the bank is assessed to be negligent in preventing the attack, it could face significant reimbursement or even compensation costs.

Additionally, thefts from customers can damage consumer trust in formal banking services if victims believe FSIs failed to secure their money or protect customers from scams.

actors consistently perceive new financial technologies as immature and therefore more susceptible to compromise. As such, they elicit significant interest from both malicious actors and security researchers. More detailed analysis and testing of the security of these technologies is needed before they become commercially available.
For example, in October 2021, the Central Bank of Nigeria warned that scammers were using Twit- For example, in October 2020 hackers compromised ter to defraud customers by falsely claiming to disburse Pegasus Technologies, a fintech service used by numer- 50 billion eNaira, Nigeria’s new digital currency, launched ous mobile network operators, including MTN and Airtel, on October 25, 2021 (Adegboyega 2021). The campaign for mobile money payments, as well as providing financial likely aimed to obtain Nigerians’ banking details for use services for a mobile banking platform. Pegasus Tech- in further fraudulent activity. This example shows how nologies was not overseen or regulated at the time. The low-level scammers quickly capitalize on technological attackers stole about $1 million from Uganda’s digital developments in the banking sector for their own per- payments system, and 20 million people were affected by sonal gain. the subsequent service shutdown (Kasemiire and Ajuna 2020). The threat actors were able to access all trans- The evidence also shows a high concentration of Afri- actions between banks and mobile money providers by ca-based scamming and other fraudulent activity target- exploiting Pegasus Technologies’ central position in the ing victims across the world. Scams and fraud affecting financial infrastructure, highlighting the threat posed foreign victims can damage African FSIs and national by integrating third parties into financial-services archi- economies by compounding the image of Africa as an tecture. But it has since become a regulated entity and unsafe business environment. For example, in July 2021 a received a license from the Bank of Uganda to operate Nigerian citizen was sentenced for defrauding a US retire- as a payment service operator (Matooke Republic 2021). 
ment fund out of $1 million by conspiring with an insider to create unauthorized bank accounts, change legitimate Outsourcing IT and cybersecurity capabilities, while help- bank deposit information, and reroute payments to con- ful in temporarily solving Africa’s capacity and resource trolled accounts (Nwezeh 2021). As a result of this activ- problems, also represents a risk. Recent history shows evi- ity, some businesses now automatically categorize online dence of sophisticated threat actors targeting IT service transactions originating from Africa as risky and either providers and managed service providers to gain access require the purchaser to enter more information or block to multiple institutions via one convenient access point. the transaction entirely (Kshetri 2019, 78). By contributing The United States’ Cybersecurity and Infrastructure Secu- to this image, globally targeted scams could deter future rity Agency warned managed service providers of height- foreign investment in the continent or harm the establish- ened malicious activity in 2021 (Office of the Director of ment of business relationships with African companies, National Intelligence 2021). A learning point from this damaging economies’ growth potential and contributing example is that third-party service providers must be held to long-term economic stagnation. to the same—if not higher—security standards than the FSIs for which they provide services. 2.1.4 Third-Party Risk African FSIs also currently face a smaller—but nonetheless 2.2 THREATS TO AVAILABILITY significant—risk from the growing involvement of third parties in Africa’s financial infrastructure. 
While growth is Loss of system or data availability is a significant issue inconsistent across the continent, in general African FSIs for all organizations, but particularly so for FSIs whose are steadily increasing their use of fintechs (third-party business operations typically require system availability firms providing technology for financial services). For 24 hours a day, seven days a week, or carry out a high example, Nigeria’s central bank recently partnered with frequency of financial activity, such as payments, trans- Bitt Inc. to launch the digital currency eNaira (Francis actions, or trades. Loss of connectivity can render cus- and Emejo 2021). Fintechs are also increasingly focusing tomers and clients unable to carry out transactions, which on Africa’s growing mobile money market (Chironga, de in turn can harm the wider economy as well as individu- Grandis, and Zouaoui 2017). als. For example, a denial-of-service (DoS) attack on the UK bank HSBC in 2016 left customers unable to access However, the inclusion of third parties in Africa’s financial online banking services for several hours; the attack was infrastructure opens up a significant level of risk. Threat timed to coincide with payday (Osborne 2016). As with CYBER THREATS TO THE FINANCIAL SECTOR IN AFRICA • 9 direct theft, cyber-enabled disruption may also force Financial services are therefore attractive targets for ran- victims to expend resources investigating and remedi- somware operators, although there are few cases of ran- ating the issue and, in some countries, could result in somware attacks against FSIs in the developed world in regulatory fines. Disruption to services for long periods recent years due to factors such as more secure networks of time will also likely reduce customer trust in FSIs and (in comparison to other industries) and the increasing growing dependence on digital services, which, as pre- threat of law-enforcement action. 
In October 2021, a mul- viously stated, could hinder future economic growth if ticountry operation seized infrastructure belonging to the disillusioned consumers reject digitalization. Unreliable operators of REvil ransomware after the strain compro- connectivity or availability could also deter future invest- mised a large number of prominent targets in the United ment from or establishment of business relationships States and Europe (Menn and Bing 2021). with foreign partners. Ransomware can cause serious problems for targeted Available evidence, provided throughout the report, companies. Losing access to critical systems disrupts suggests the African financial sector faces a high and business operations and causes financial and reputational growing threat from malicious actors compromising damage. Companies have to expend time and resources the availability of critical systems and functions, such investigating and remediating the attack, while being the as through ransomware or DoS extortion. The reliance victim of a ransomware attack or having data leaked and on third parties or market infrastructures should also be stolen can significantly reduce customer trust and loyalty, noted for availability concerns. For example, in 2020 the causing long-term losses. New Zealand stock exchange was targeted with a sim- plistic but effective distributed denial-of-service (DDoS) Ransomware groups have been less reluctant to target attack, rendering its services unavailable for approxi- FSIs in Africa and other developing regions, likely capital- mately two days (BBC News 2020). (DDoS attacks use izing on the perception of lower security standards and multiple sources, such as large botnets, networks of a lack of law-enforcement capability to investigate cyber hijacked devices, to conduct the attack.) This example incidents and target OCG personnel and infrastructure. 
demonstrates how even unsophisticated attacks can There are a significant number of historic ransomware cause significant disruption for FSIs. incidents against African FSIs: For example, in February 2021, the operators of REvil ransomware compromised 2.2.1 Ransomware the Union Bank of Nigeria, disrupted system availability, and stole and leaked confidential customer and business Ransomware is currently one of the most prominent and data (Hack Notice 2021). The operators of Egregor ran- potentially damaging threats for the majority of orga- somware targeted the South African/Botswanan Norsad nizations. Ransomware involves threat actors compro- Finance in July 2021 and compromised Zimbabwe’s Stew- mising a target, usually via ingress mechanisms such ard Bank in November 2020.3 In September 2020, the as spearphishing, vulnerability exploitation, or, in some Calix ransomware strain infected the Development Bank cases, supply-chain compromise, and moving laterally of Seychelles, a branch of the Seychelles Central Bank within internal networks to obtain a position of privi- (Sweny 2020). lege. The threat actors then deploy the final ransomware payload, a piece of malware that encrypts the victim’s A high volume of ransomware activity is a trend seen systems and data and demands that the victim pay a across the majority of the developing world, not just in ransom to regain access. Africa. For example, in October 2021, an unknown ran- somware group compromised the network of Papua Trends from other regions show ransomware operators New Guinea’s Department of Finance, disrupting access now typically focus on “big game hunting,” the practice to its payment systems and subsequently preventing the of targeting singular high-revenue organizations, rather country from accessing domestic funds and foreign aid than many smaller entities, to obtain a large ransom pay- reserves for several days. 
Anecdotal evidence suggests out, although recent law-enforcement action may deter that the threat actors gained access via software and groups from targeting critical infrastructure or systemi- infrastructure vulnerabilities in the government’s network. cally important entities in the developed world. Ransom- A commentator blamed the poor security on a lack of ware groups also consistently steal and threaten to leak resources to invest in cybersecurity and other issues, such confidential data as extra leverage on the victim and as COVID-19, taking priority over cybersecurity and infra- employ such additional tactics as conducting simultane- structure resilience (Tarabay 2021). Overall, it is clear that ous DDoS attacks or harassing senior executives. ransomware operators see FSIs in the developing world as soft and lucrative targets. 10 • FINANCIAL INCLUSION GLOBAL INITIATIVE Ransomware incidents can also affect financial services Other threat actors, such as hacktivists, use DoS attacks indirectly even when targeted at other industries. For to disrupt targets’ operations or publicly embarrass the example, in July 2021 ransomware disrupted operations victim. A lack of motivation and specific intent means at Transnet, South Africa’s state-owned enterprise for rail, hacktivists are unlikely to target FSIs directly with DDoS port, and pipeline infrastructure. The incident took most attacks but could harm the industry as part of broader systems offline, forcing employees to record vessel move- campaigns. In October 2020, for example, a hacktivist ments manually and causing significant logistical back- group protesting police brutality targeted the website of logs (Reva 2021). Additionally, in July 2019 an unknown the Central Bank of Nigeria with DDoS attacks (Vermeulen OCG deployed ransomware against the large South Afri- 2019). The incident was part of a wider campaign against can energy supplier City Power. 
The incident was timed to the Nigerian government, demonstrating how FSIs can be occur when many South Africans received monthly pay- caught up in wider politically or ideologically motivated checks to pay for electricity for the next month. The ran- campaigns (Olufemi 2020). In June 2020, ideologically somware encrypted City Power’s entire network, including motivated hacktivists defaced the website of Sudan’s databases and application servers, and temporarily kept Ministry of Endowment and Religious Affairs with political many customers from purchasing electricity packages slogans, also allegedly targeting the Ministry of Finance (BBC News 2019). The incident affected City Power cus- (Sudan News Agency 2020). tomers and revealed how cybersecurity vulnerabilities in other industries can harm FSIs: A loss of power for an FSI Some threat actors also conduct DDoS attacks without could render it unable to process transactions, conduct overt ideological or financial motivation, likely testing trading, or engage in other business-critical operations. their skill level and ability to take down an organization Although not directly targeting the financial sector, these or to boost their reputation among the cybercriminal incidents demonstrate how ransomware targeting other community. In July 2021, Angola’s largest state-owned industries can have a knock-on effect for the availability bank suffered a disruptive attack against several servers, and operational capacity of FSIs. leaving services at branches in its commercial banking network temporarily limited (Lusa/Ver Angola 2021). No 2.2.2 Denial of Service demands were made, and no responsibility was claimed. In addition to ransomware, some threat actors use DoS Financial services may also be indirectly affected by attacks to take down targets’ public-facing assets and availability attacks against other critical national infra- cause significant disruption. DoS attacks work by flood- structure providers. 
In November 2017, unknown threat ing targets (usually servers) with high volumes of incom- actors temporarily took down the services of Algeria’s ing traffic to overload systems and prevent legitimate state telecommunications operator, Algerie Telecom, requests from getting through. with a series of DDoS attacks (Paganini 2017). Addition- ally, in October 2016 an individual hacker for hire was The motivation for using such attacks varies. Some threat contracted by a rival firm to use a botnet to conduct actors use the threat of disruption to extort payments. DDoS attacks against a Liberian telecommunications There is significant evidence to suggest that this activity company. The incident left half the country unable to is a growing threat to African FSIs, although the effects access the internet (Casciani 2019). Currently the global of DDoS attacks are usually limited and less severe than leader in mobile money usage, Africa is unusually reliant other extortion methods, such as ransomware. For exam- on mobile infrastructure and internet access to conduct ple, in October 2019, the South African Banking Risk and financial activity; disrupting mobile network provision Information Centre reported a series of DDoS attacks through DDoS attacks therefore has an indirect impact against multiple African banks’ public-facing assets. The on customers’ ability to make and receive payments, attacks were accompanied by a ransom note demanding thus having an aggregate negative impact on the wider payment to stop the attacks. The attacks were timed to financial industry. coincide with payday to cause maximum disruption. While the effects of this campaign were limited, it demonstrates Motivations aside, DDoS attacks are usually low impact how less sophisticated threat actors seek to disrupt FSIs’ and short-lived and limited to public-facing assets. How- availability for financial gain. 
These attacks coincided ever, the growing use of botnets harnessing millions of with a ransomware attack against the City of Johannes- Internet of Things devices or insecure smartphones for burg’s network, which shut down all electronic services, DDoS attacks can result in prolonged outages and signif- including bill-payment mechanisms, and coincided with icant disruption for vulnerable targets. month-end processes for supplier and customer pay- ments (Paton 2019). CYBER THREATS TO THE FINANCIAL SECTOR IN AFRICA • 11 2.2.3 Other Factors extracontinental nation-state interest in obtaining politi- cal intelligence from African organizations. The availability of financial services and their critical sys- tems can also be affected by other factors. For example, However, available evidence indicates that FSIs in Africa in November 2018 Mozambique’s banking system (includ- are also valuable espionage targets. Vendor research in ing ATMs and card machines) went offline for several days 2017 revealed a nation-state group targeting a number after the Portuguese fintech provider BizFirst cut off its of Africa-based FSIs since at least 2011 and perhaps even services when Mozambique refused to pay a disputed 2007. The custom malware used by the group had sophis- bill (Verdade 2018). This example highlights issues with ticated system fingerprinting, discovery, and exfiltration relying on third parties to provide core aspects of critical capabilities, indicating that the group was conducting national infrastructure. long-term espionage of its targets (Johnson 2017). Addi- tionally, in February 2021 a sophisticated threat actor Political issues can also affect the availability of infra- compromised Angola’s Ministry of Finance, accessed structure underpinning financial services. In July 2020, emails and shared folders, and stole confidential data Somalia suffered an almost complete internet blackout (Massala 2021). 
after the parliament removed the president in a vote of no confidence. The blackout was likely intended to impede Financial services, especially large international banks coverage of the incident but affected a large number of and payment processors, likely provide nation-states businesses and Somalia’s mobile money services (Net- threat actors with a high-level overview of African states’ blocks 2020). This example shows how political and civil transaction flows and business and political relationships unrest can disrupt FSIs’ availability, particularly as FSIs both within Africa and with extracontinental nations. become more reliant on digitalization and the internet for Nation-states can provide this information to domestic the provision of services. companies, who can then use the intelligence to gain an advantage over competitors when negotiating with Afri- can companies for contracts or partnerships. It is also 2.3 THREATS TO CONFIDENTIALITY plausible that other threat actor types, such as state- aligned OCGs or independent hackers, also target finan- A less tangible but nonetheless prominent threat to finan- cial intelligence to provide to interested nation-states. cial services in Africa is cyber-enabled activity that affects the confidentiality of data. Theft of data, such as business 2.3.2 Data Theft/Exposure strategy plans or high-level financial intelligence, can lead to a future loss of competitive advantage—for example, Threat actors are also targeting African FSIs to obtain with information regarding upcoming contracts or part- customer information, including personally identifi- nerships with third parties. Theft of data such as technical able information and personal financial information. For intellectual property or trade secrets relating to fintech example, in December 2020 a credit analyst at a South solutions can also significantly harm FSIs’ future com- African bank stole and sold the personal information of petitiveness. 
Additionally, theft or exposure of customer 200,000 customers to an unknown third party (Carnegie information can cause direct reputational damage, incite Endowment for International Peace 2021). In July 2021, regulatory measures, trigger remediation and recovery an unidentified threat actor compromised a South Afri- costs, or push customers toward rival entities. can financial-services provider and stole databases con- taining policyholder information, including bank account 2.3.1 Espionage numbers and card details (Vermeulen 2021). This infor- mation can be used for a range of purposes, such as con- Various threat actors are currently targeting African orga- ducting identity theft, opening fraudulent bank accounts nizations, including FSIs, for espionage and data-collec- or cards, or applying for fraudulent loans, or can be sold tion purposes. As demonstrated when African Union staff on underground marketplaces to other cybercriminals. members discovered that a nation-state threat actor was As previously stated, data theft or exposure can have using compromised security cameras installed in their serious reputational and financial consequences for headquarters for espionage purposes, the majority of affected organizations, particularly for entities like FSIs this espionage activity is targeted at governmental and that hold highly valuable data, such as financial data and regional political bodies. With a developing economy, a bank card details. wealth of natural resources, growing political clout in inter- national bodies, and opportunities for economic growth, Data can also be exposed through misconfigurations in Africa is an attractive target for expansionist nation-states software or inadequate security provisions. In August (CSIS 2021). 
This activity highlights the already extensive 2020, Experian South Africa suffered a data breach, 12 • FINANCIAL INCLUSION GLOBAL INITIATIVE resulting in the exposure of personal information belong- ruption of service, and confidentiality through the theft ing to 24 million South Africans and almost 800,000 busi- of or exposure of data. These threats are compounded ness entities (Times Live 2020). Accidental data breaches by structural issues affecting the African cyberspace, can damage customer trust in a brand or institution and including comparatively poorer security than found in the could result in significant fines, depending on national developed world, a lack of awareness about cybersecu- regulations. rity and cyber-enabled scams, and a lack of appropriate legislation and law-enforcement capability to deal with cyber-enabled theft on this level. 2.4 BASELINE ASSESSMENT Building on the current baseline established by this threat To summarize, it is clear that African FSIs, including cen- assessment, the next section of this paper will establish tral banks and finance ministries, face a wide range of several emerging trends and extrapolate on their likely threats. In a broad sense, these threats harm integrity impact on the African financial sector’s future cyber through the theft of funds, availability through the dis- threat landscape. CYBER THREATS TO THE FINANCIAL SECTOR IN AFRICA • 13  merging Trends and the 3. E Future Threat Landscape This section will build on previous analysis and the cur- 3.1 TECHNOLOGICAL FACTORS rent state of financial services in Africa to identify the key emerging trends for the industry and region. This section A diverse array of factors will affect the future develop- will then assess the likely impact of these trends on the ment of African financial services. For example, rapid African financial sector’s future cyber threat landscape. 
improvements in the efficiency, utility, and availability of technology in support of financial services and products • Large-scale rapid digitalization of financial products across the continent will almost certainly help to engage represents new avenues of opportunity for threat actors. Africa’s significant unbanked population and promote for- • Greater levels of digitally enabled financial inclusion, mal financial inclusion across the continent. Additionally, coupled with unfamiliar products and services, open the expansion of private-sector involvement within Afri- up new targets for scammers. ca’s financial infrastructure will likely drive technological innovation and be able to respond to consumer demands • Expanding the supply chain provides threat actors with and needs. However, despite its benefits, technology will new access vectors. bring with it a number of increased risks. • Short-term economic challenges will increase the attractiveness of cybercrime for the young and unem- Large-Scale Rapid Digitalization of Financial 3.1.1  ployed. Products Represents New Avenues of Opportunity for Threat Actors • Sporadic introduction and lax enforcement of cyberse- curity regulations will not deter domestic cyber activ- One of the biggest trends set to affect African financial ity over the short to medium term. services over the near and medium term is large-scale rapid digitalization of financial products and services • Increased security in the developed world will increase (Świątkowska 2020). Broadly speaking, digitalization Africa’s attractiveness to an array of threat actors. refers to the adoption of technology-based solutions • Africa’s increasing geopolitical strength and impor- to combine with or replace the physical components of tance will incite more targeting from nation-state an existing business model, such as using a smartphone threat actors. application to transfer money, rather than writing a check or paying in cash. 
Generally, digitalization is already a well-established trend for African financial services. Key areas include Africa’s already substantial mobile money network (digital payments usually sent via SMS). The continent is already the global leader in mobile money: 562 million mobile money accounts were registered in Africa as of 2021, representing a 12 percent year-on-year increase (AfricaNenda 2021; Chironga, de Grandis, and Zouaoui 2017). Likely exacerbated by COVID-19, Africans’ use of digital platforms for shopping and e-commerce has seen similar growth: e-commerce revenue increased 53 percent from 2020 to 2021. As with other aspects of African digitalization, mobile phones and smartphones are the primary technologies for conducting e-commerce transactions (Varrella 2021). The shift toward digitalization is also being compounded on a state level, as numerous African governments have already introduced digital currencies like Nigeria’s eNaira (Further Africa 2021).

Digitalization is highly likely to accelerate in the future, given high latent demand for digitalized services, large areas of the continent that still lack access to physical financial infrastructure, and the expected expansion of internet services to more than one billion Africans by 2022 (Kshetri 2019, 77; Świątkowska 2020, 18). The need to reduce face-to-face contact during the COVID-19 pandemic has undoubtedly accelerated this trend across both the developed and developing world. For example, the Seychelles’ technological integration strategy aims to eliminate the use of physical cash and to digitize the financial system entirely by 2023 (Seychelles News Agency 2021).

Despite advantages in service provision, innovation, and efficiency, digitalization also brings increased risk. As more and more parts of Africa’s financial architecture move online or embrace digital components, the industry’s attack surface also expands. Ultimately, digital products and services are likely to contain some form of exploitable vulnerabilities, security issues, or misconfigurations, opening the door for exploitation by malicious threat actors and carrying a heightened risk of harm to the entire financial system (WBG 2021a, 2–3). To this point, the rapid demand-driven pace of digitalization threatens to result in “hollow diffusion,” where the provision of digitalized services outpaces the establishment and implementation of technical controls and legal frameworks for cybersecurity (Świątkowska 2020, 19).

This trend toward exploiting digital financial products is already occurring in Africa and is likely to expand. For example, in the first half of 2021, 19 percent of all mobile payments in Africa were made without the user’s consent, highlighting the vulnerability of this technology (Agosto 2021). Nigeria’s central bank was forced to warn its customers after hackers attempted to steal banking details by offering free eNaira just days after the digital currency was officially launched (Adegboyega 2021). Additionally, the near-instantaneous payments facilitated by digital products such as mobile money and smartphone-based banking can allow threat actors to move stolen funds out of compromised accounts quickly, making it harder for FSIs to stop, intercept, or recover fraudulent payments.

The expansion of digital services such as mobile money without an accompanying expansion and implementation of adequate security and operational controls is highly likely to result in the increased exploitation of these services by opportunistic cybercriminals and individual hackers to steal funds and data from consumers and FSIs in the near future.

A further threat accompanying African digitalization is the continent’s overwhelming reliance on mobile technology and smartphone-based products to conduct financial activity, such as e-commerce, transactions, and online banking. As African internet usage grows, this established preference indicates that a vast number of new internet users will predominantly use mobile devices and smartphones as their primary method of accessing the internet. While figures vary, mobile operators estimate that the number of unique mobile users just in Sub-Saharan Africa will increase to over 600 million (or half its population) by 2025 (GSMA 2019, 2). While undoubtedly beneficial for internet users, an increasing number of mobile devices brings the increased risk that threat actors will compromise unsecured or out-of-date devices for malicious purposes, such as for use in botnets for large-scale DDoS attacks or to install malware to steal information such as log-in credentials or personal data. Mobile malware has indeed become more commonplace in developed nations, and this trend is highly likely to cross over as the developing world becomes more connected (Kaspersky 2021). It is probable that this trend will have a more significant impact in the African region, given its reliance on mobile payments and generally lower cyber maturity.

3.1.2 Greater Levels of Digitally Enabled Financial Inclusion, Coupled with Unfamiliar Products and Services, Open Up New Targets for Scammers

Another core trend likely to accelerate across Africa (albeit with varying speed and distribution across the continent) is the use of digital financial products to expand the provision of formal financial services to Africa’s significant unbanked population. As of 2020, only 20 percent of adults in developing regions saved through formal FSIs (Pazarbasioglu et al. 2020, v–vii).
The level of finan- In short, mass financial inclusion provides threat actors cial inclusion across Africa varies from region to region. In with the opportunity to exploit consumer naivety in using West Africa, for example, low numbers of ATMs and bank new digital products and services. branches disproportionately affect the rural population: As of 2018, only 22 percent of adults held accounts with for- Expanding the Supply Chain Provides Threat 3.1.3  mal FSIs, while in Central Africa, only 19 percent of adults Actors with New Access Vectors had a formal bank account (Cooper et al. 2018, 15–21). Current evidence also indicates that the integration of third-party products and services into financial-services Despite these regional differences, a common factor infrastructure will increase in the near future. These third behind low levels of formal financial inclusion is a lack of parties include fintechs, mobile network operators, and sufficient physical infrastructure to support formal par- software providers, among others, and their inclusion en ticipation, a trend particularly pronounced in rural areas. masse will greatly expand the supply chain for African Digitalization, and its ability to transcend the need for FSIs. As previously mentioned in this report, African enti- physical infrastructure, is therefore a key facilitator of ties are already making use of fintechs in financial prod- greater financial inclusion. ucts, such as Nigeria’s use of a private-sector third party to support the rollout and provision of its digital currency Financial inclusion has significant benefits on both a eNaira (Kshetri 2019, 78). 
Fintechs are also rapidly enter- micro and macro scale, such as reducing poverty, improv- ing into the mobile money market, identifying a sector ing social mobility, and providing economic opportuni- with high latent demand and opportunity for growth (Chi- ties for individuals while bolstering participation in and ronga, de Grandis, and Zouaoui 2017; Lukonga 2018, 11). stimulating economic growth. However, bringing large numbers of previously unbanked people into the formal The state of affairs in the developed world shows that financial sector via digital services is not without risk. an expansive supply chain, while important for obtain- These new joiners may lack the knowledge and technical ing specialized components and services, is a significant skill to use digital services and handle sensitive data and risk: Threat actors increasingly compromise large well-se- information correctly, and they will likely be targeted by cured entities not directly but by infiltrating the network scammers, hackers, and individual cybercriminals look- of trusted suppliers and exploiting connections to client ing to exploit this naivety for their own financial gain infrastructure. Two of the most prominent examples of (WBG 2021a, 3). this risk are the SolarWinds compromise, where nation- state threat actors compromised a software supplier to Africa already has a significant level of grassroots scam- gain access to clients’ networks for espionage purposes, ming activity, as discussed in the first half of this report. and the Kaseya ransomware attack, where ransomware It is highly likely that this class of threat actor will seek to operators compromised a an IT solutions developer for exploit the increased numbers of unsophisticated users the purposes of deploying ransomware across client sys- entering the digital financial-services space through a tems (Jibilian and Canales 2021; Osborne 2021). 
Introduc- range of methods, such as social engineering, to obtain ing third parties into the supply chain brings further issues log-in credentials or financial information or to trick users for FSIs, such as a lack of transparency or loss of insight into transferring funds into attacker-controlled accounts. into internal processes (Lukonga 2018, 20–21). It is also possible scammers will exploit for their own gain the dearth of consumer knowledge about new prod- These examples demonstrate that expanding the supply ucts. Indeed, the introduction of microcredit services in chain brings with it an increased risk to African financial Kenya and Tanzania has already produced a large num- services. It is likely that supply-chain expansion without ber of borrowers who are unable to repay loans due to implementation of necessary security and operational irresponsible lending practices and a lack of effective controls, such as network segmentation and limiting oversight and regulation for this emerging sector (WBG supplier access to the client environment, will result in a 2021a, 1). Novelties such as cryptocurrency present similar greater number of threat actors looking to exploit these threats, as unsuspecting users may be tempted to invest supplier-client relationships for their own gain. In addition, funds without understanding the level of risk associated it is logical to assume that new products and solutions with this activity. The Africrypt case, where a professed introduced by third parties will contain vulnerabilities or cryptocurrency firm allegedly scammed customers out security misconfigurations that are exploitable by mali- of approximately $3.6 billion, is one example of this risk cious actors, representing another avenue by which threat (Ryan 2021). actors can gain access to financial services’ networks. 
3.2 SOCIOECONOMIC FACTORS

Along with technological improvements, socioeconomic factors will influence the future threat landscape for African FSIs. For example, ongoing economic challenges and higher-than-average poverty levels across the continent may influence the uptake and attractiveness of grassroots cybercrime for individual Africans, while economic constraints at the national and government levels may affect states’ abilities to devise, implement, and effectively enforce much-needed legislation and regulations to tackle cybersecurity challenges.

3.2.1 Short-Term Economic Challenges Will Increase the Attractiveness of Cybercrime for the Young and Unemployed

Poverty continues to be a significant issue for African economies. About 36 percent of Africa’s population (or 490 million people) live in extreme poverty as of 2021 (Human 2021). As with most of the issues covered in this report, the level and impact of poverty varies significantly across the continent.

Following global patterns, the COVID-19 pandemic cast the continent into its worst economic recession for half a century, and there is significant uncertainty about the level of recovery expected over the next few years. Only a third of emerging economies are expected to recover to their prepandemic per-capita income levels by 2022 (African Development Bank Group 2021, 20; Brooks 2021). Current evidence suggests that the pandemic has exacerbated poverty issues across the continent but harmed those with lower levels of education, fewer assets, and working in informal employment the most; women and young people were particularly affected (African Development Bank Group 2021, 20–21). Generally low levels of vaccine provision across Africa and, indeed, most of the developing world—while developed states begin to roll out booster programs—will further delay the continent’s recovery from the pandemic (Selassie and Hakobyan 2021).

Along with the lingering effects of the pandemic, other issues are likely to exacerbate economic uncertainty and individual poverty across the continent, such as general political and civil unrest, a lack of employment opportunities, high levels of corruption, and a lack of social mobility. Global climate change will also hurt African economies, causing long-term effects, such as mass population displacement or the disruption of traditional industries, such as farming (Reuters 2021).

As shown by current evidence, economic instability and a lack of employment opportunities—particularly among young people—are key factors driving Africans to participate in cyber-enabled crime (Świątkowska 2020, 21). Over the short to medium term, it is therefore highly likely that these aforementioned economic challenges will drive the attractiveness and subsequent growth of Africa’s “cybercrime sector.” Additionally, these current and future economic challenges will likely constrain the ability of governments and businesses alike to establish and implement effective cybersecurity capabilities across the board, further increasing the attractiveness of cybercrime. Following trends seen in the developed world, which has seen an increase in the volume and affordability of commodity tools such as exploit kits and rentable botnets, cybercrime will likely become more profitable and accessible to less technically skilled individuals and groups (Koegler 2017).

3.2.2 Sporadic Introduction and Lax Enforcement of Cybersecurity Regulations Will Not Deter Grassroots Cyber Activity over the Short to Medium Term

Current cybersecurity regulations differ extensively from state to state. Many states have yet to adopt specific cybersecurity strategies and continue to lack capabilities to conduct national risk analyses and information exchanges, hindering efforts to create a functioning and united cybersecurity ecosystem across Africa (Świątkowska 2020, 22). For example, as of 2016 only 15 of the 54 African countries had specific legal provisions in place for categorizing or dealing with cybersecurity issues; indicating a slight improvement, by 2021 that number had risen to 29 (Saeed and Osakwe 2021). Many states are enacting specific policies, such as South Africa’s 2021 Cybercrimes and Cybersecurity Act compelling communications service providers and FSIs to report cybersecurity incidents, or Ghana’s 2020 Cybersecurity Act establishing a national authority and providing protection for critical national infrastructure (Baker McKenzie 2021). Some states are also benefitting from external aid, such as Nigeria’s participation in the United Kingdom’s £22 million cyber capacity-building initiative for developing regions (This Day 2021).

States that have comprehensive legal, regulatory, and institutional frameworks and laws to detect and investigate cybercrime, such as Nigeria, have a higher level of arrests and successful prosecutions. For example, in November 2020 Nigerian authorities arrested three OCG members who were engaging in phishing, malware campaigns, and business email compromise scams against almost 500,000 victims located in Japan, Nigeria itself, Singapore, the United Kingdom and the United States (Scroxton 2020). These examples clearly demonstrate the necessity of establishing similar frameworks across Africa.

However, there are still significant gaps in Africa’s general regulatory framework and law-enforcement capacity regarding cybersecurity. As of 2021, only 10 African countries have a comprehensive national cybersecurity strategy fully addressing issues pertaining to critical national infrastructure. Africa is also home to just 19 of the 131 computer incident and emergency response teams across the globe, indicating a lack of general cybersecurity maturity. Although there are of course exceptions, African states are generally lacking in collaborative capabilities: only 19 African countries are signatories to multilateral cybersecurity agreements, and only 10 are part of bilateral agreements. Furthermore, only six states have adequate capacity-development incentives in place to address issues such as the digital divide and building institutional knowledge regarding cybersecurity (Saeed and Osakwe 2021).

This lack of regional and international cooperation and regulatory streamlining, combined with porous international borders and a lack of centralized state control over remoter territories, challenges effective investigation and arrest of cybercriminal actors (Kshetri 2019, 78). The dearth of effective legislation and forensic investigative capacity and capability also hampers efforts to identify and investigate properly varying types of cybercrime, making successful prosecutions even more difficult. Ultimately, this lack of punishment creates a safe haven for cybercriminals to operate with almost-guaranteed impunity. It should also be considered that a history of political corruption and authoritarianism in some African states may cause public pushback against attempts to enact laws that could be considered detrimental to individual privacy and personal security (Świątkowska 2020, 19–21).

These ongoing issues indicate that, despite a general upward trend toward implementing regulatory frameworks and legislation, over the short to medium term, African FSIs’ ability to deter or respond effectively to cyber threats will continue to be hampered by sporadic and patchwork legislation at the governmental and regional level.

Additionally, establishing legal and regulatory frameworks for dealing with malicious cyber activity is not enough; evidence from the developed world indicates that African states must simultaneously establish the capacity and capability to investigate cyber activity; actively identify, arrest, and prosecute individual participants; and disrupt criminal assets and infrastructure. One example of this is the recent US-led action against members of the REvil ransomware group. A joint public- and private-sector investigation enabled authorities to identify individuals behind the attacks, resulting in the eventual seizure of criminal infrastructure and the arrest of several REvil operators in November 2021 (Krebs 2021). Failure to develop effective forensic investigative capability and law-enforcement capacity will ensure that Africa remains a safe haven for cybercriminal activity.

3.3 GEOPOLITICAL FACTORS

Finally, geopolitical factors, such as security improvements in the developed world, and Africa’s growing importance on the global stage will also affect the future threat landscape for African FSIs.

3.3.1 Increased Security in the Developed World Will Increase Africa’s Attractiveness to an Array of Threat Actors

The developed world is currently trending toward broad improvement of its cybersecurity standards. While issues undoubtedly remain across many industries, financial services in particular are now subject to stringent security and regulatory requirements. Operational controls are being designed to protect the confidentiality, integrity, and availability of entities’ systems and data.

FSIs in the developed world generally have sufficient liquid assets to invest heavily in cybersecurity and are thus likely to be initial adopters of new technologies and security standards. For example, several states have already claimed to have developed supercomputers with quantum supremacy—that is, quantum computers that complete tasks quicker than classic machines (Nield 2021). One of the security benefits of quantum computing is the use of quantum key distribution for encrypting information and assets, exploiting quantum mechanical properties to ensure that an external force is unable to read or copy encoded data. While predictions vary, quantum key distribution and other functions of quantum computing are likely to be commercially available to most industries by 2030 (Fowler 2021). It is highly likely that financial services across the developed world, as an industry with the resources to invest heavily in cybersecurity, will be among the first to adopt these new technologies for security purposes.

However, the ongoing economic challenges previously outlined in this paper are likely to hamper adoption of this technology on a similar timeframe and scale across the developing world. Therefore, the already significant disparity in security between the developed and developing world will widen in the future. Threat actors lacking the capability to compromise these now theoretically impenetrable entities in the developed world will likely pivot toward targeting financial services elsewhere, taking advantage of the security disparity. In the future, African financial services will therefore face a heightened threat from sophisticated, highly skilled, and well-resourced threat actors looking to steal funds and data or conduct extortion attacks.

These threat actors may also attempt to compromise African FSIs to use them as conduits for accessing well-secured entities in the developed world. Comparatively poor security in the developing world, therefore, represents a significant weakness in the global financial system and may deter global interaction with the developing world, ultimately to the economic, geopolitical, and sociocultural detriment of these regions (Świątkowska 2020, 23–24).

3.3.2 Africa’s Increasing Geopolitical Clout and Importance Will Incite More Targeting from Nation-State Threat Actors

Africa is already an important global player, and it has significant potential to increase this importance over the near and long term. For example, Africa is an abundant source of energy, currently a major exporter of oil and gas (Ford 2021). Africa also has the potential to produce colossal amounts of renewable power, such as solar energy, as global demand grows.

Africa is also rich in natural resources such as minerals and rare earth metals. For example, African countries such as the Democratic Republic of Congo, Ghana, Mali, Namibia, and Zimbabwe all contain large amounts of lithium, a key component in batteries for electric vehicles (BGS 2021). As climates change and dwindling supplies of fossil fuels heighten the importance of cleaner sources of energy, Africa’s resources will be even more hotly contested.

In addition to providing energy and raw materials in response to continental and global needs, Africa will become even more important to the global economy. Africa is currently home to the world’s largest free trade area, making it an important target for states and corporations alike (WB 2021). The short-term effects of COVID-19 have undoubtedly hampered Africa’s economic growth, as previously explained, and recovery is likely to be slow and sporadic across the continent. Looking more over the long term, Africa has a high potential for economic growth. Currently underdeveloped sectors such as technology and financial services will therefore become key targets for external parties in the future (Yade 2021).

Factors such as climate change, potential post-pandemic economic recession, and continued geopolitical power struggles mean Africa’s importance on the global stage will only increase in the future. It is highly likely that nation-state threat actors will increasingly target African entities. While governments and political bodies are likely to be primary targets, financial services will also be important sources of information for this type of threat actor. For example, FSIs can provide states with financial intelligence, monetary policy, business relationships, or financial flows across the continent. This information can then be passed on to domestic companies and used to bolster their competitiveness when dealing with African businesses. Targeting the financial industry can also assist in broader espionage efforts against African governments, businesses, and individuals. It is possible that other threat actors, such as corporations, hacker-for-hire groups, and OCGs, will capitalize on Africa’s immense economic potential and also seek to steal financial intelligence and business-sensitive data from FSIs. Overall, as Africa’s global importance grows, the targeting of its financial-services sector by a diverse range of threat actors will simultaneously increase.

4. Recommendations for Central Banks
and Financial Authorities

Based on the analysis of the current threat landscape for Africa’s financial sector and the subsequent emerging trends, it is clear that a strategic approach is needed to address the challenges ahead. While following normal supervisory practice, such an approach would entail focusing on individual financial entities and aiming to improve their cyber resilience by applying stricter rules and enforcing compliance. However, the analysis in this paper indicates that such an approach would likely be insufficient. The challenge of coping with the serious cyber threats faced by Africa’s financial sector—and, with it, society in general—is not borne by Africa’s banks, payment service providers, and financial infrastructures alone; financial authorities, including central banks and governments too, must step up their cyber capabilities and improve their own cyber resilience by pursuing the following four-track approach:

4.1 STRENGTHENING CYBER RESILIENCE OF FINANCIAL ENTITIES AND THE FINANCIAL SECTOR AT LARGE

The improvement of the cyber resilience of financial entities and the financial sector at large can be achieved only by focusing on both individual financial entities and the financial sector as a collective.

It is the responsibility of supervisors and overseers to ensure that appropriate regulations on operational and cyber risk are in place. While this is often the case, what is lacking in many instances is a more practical understanding by both the supervised/overseen entities and the supervisor/overseer on how these regulations are to be implemented in practice.

Therefore, several authorities have come up with more specific—but technology-neutral—operational guidelines and cyber resilience expectations to provide a common understanding to financial entities and their relevant authorities regarding how to implement and assess the appropriate cyber resilience measures.

It is recommended that authorities publish such operational guidelines and cyber resilience expectations, if not available already, taking into account guidelines and expectations already published by relevant international authorities, including the World Bank.4

BOX 1 LIST OF RELEVANT INTERNATIONAL GUIDANCE/STANDARDS
• Financial Stability Board’s Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices
• Financial Stability Institute’s Cyber Resilience Practices
• CPMI-IOSCO guidance on cyber resilience for financial market infrastructures
• European Central Bank’s Financial Stability Review: Financial stability vulnerabilities stemming from cyber risks within financial market infrastructures
• National Institute of Standards and Technology Cybersecurity Framework
• ISO/IEC 27000, 27001, 27002, 27031, 27032, 27701
• COBIT 5
• Information Security Forum’s Standard of Good Practice for Information Security
• Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool

Compliance with regulations alone is not enough to ensure cyber resilience. Testing—and for systemically important entities, threat-led penetration testing—is a critical tool for assessing the cyber resilience of supervised and overseen entities. Threat-led penetration testing is a concept already applied in several countries in Europe and Asia, and the frameworks could also be applied by authorities in other countries.5 It is recommended that the responsible authorities invite systemically important financial entities to engage in threat-led penetration tests.

The chain is as strong as its weakest link. One way to improve the cyber resilience of the financial sector as a whole is for the financial entities (in most cases the systemically important banks, payment service providers, fintechs, and financial market infrastructures) to cooperate in a cyber information and intelligence-sharing initiative. Within such an initiative, financial entities could work together closely by exchanging the threats they have identified, attacks they have endured, and the possible mitigation measures they have taken. By doing so, they would help themselves and their peers increase their situational awareness, prepare for the threats and imminent attacks they face, and take the appropriate cyber resilience measures. Blueprints for how to set up information and intelligence-sharing initiatives as a financial-sector community are freely available, as are more commercial alternatives.6

4.2 UNDERSTANDING AND STRENGTHENING THE FINANCIAL-SECTOR SUPPLY CHAIN

The financial sector is a networked industry in which many financial entities are mutually dependent on each other. However, many of these financial entities also depend on the same third-party service providers, such as cloud service operators, security vendors, or hardware providers. As previously mentioned in this report, an extensive supply chain brings with it both benefits and risks—specifically, the risk of large-scale, opportunistic, supply-chain compromise operations allowing threat actors, through the compromise of a single third party, to disturb the supply chain or even access multiple victims. As a result, third-party entities that are used by numerous financial entities can themselves become systemically important.

It is therefore recommended that the financial authorities and central banks conduct sector mapping to establish a clearer understanding of which third-party service providers are of systemic importance to their financial sector and ensure that the relevant providers also comply with the applicable cyber regulations, operational guidelines, and cyber resilience expectations.7

4.3 STRENGTHENING CYBER RESILIENCE AND SUPERVISORY CAPACITY OF CENTRAL BANKS AND FINANCIAL AUTHORITIES

The responsibility for being cyber resilient and having sufficient cyber capabilities lies not only with the private sector but also with central banks and other financial authorities.

First, central banks and other financial authorities must comply with their own cyber guidelines and expectations. Just like commercial financial entities, central banks and financial authorities perform critical functions that are supported by critical assets (including data) and systems. Therefore, most cyber guidelines and expectations are also relevant for these entities, especially as most central banks also act as operators of critical financial infrastructures.

Second, there is often a lack of communication and alignment of policy and action among departments responsible for the institutional and organizational functions of a central bank. Senior managers engaging in structured internal dialogue will greatly contribute to the cyber capabilities and cyber resilience of the central bank, allowing decision-makers to learn from each other and to contribute to the other’s policy and operational objectives (for example, by sharing specific expertise).8 This recommendation is especially significant for departments responsible for supervision and oversight, for payment systems, and for the bank’s own information systems.

Third, if financial authorities other than the central bank have supervisory responsibilities in a jurisdiction, a proper structural cyber dialogue with the same objectives as described above should be established.

4.4 STRENGTHENING CYBER RESILIENCE OF GOVERNMENT AND SOCIETY AT LARGE

This paper has clearly established that some of the challenges threatening Africa’s financial sector can be addressed only by governmental action.

First, the establishment of a national cybersecurity center (NCSC),9 to assist the government with cyber advice and to provide government and vital industry sectors with computer emergency response team (CERT)10 services, will greatly contribute to a higher level of cyber resilience within a country’s vital governmental and commercial sectors. Given their crucial institutional role in society, central banks could play a facilitating role in the establishment of such NCSCs.

An NCSC could also be earmarked by means of regulation as the so-called competent authority to which market participants from vital industry sectors have to report their significant cyber incidents, allowing the NCSC to perform its governmental advisory function and national CERT role even better. Furthermore, by also stimulating nonfinancial sectors to set up cyber information and threat intelligence-sharing initiatives (see paragraph 4.1), NCSCs could position themselves as linchpins between those initiatives and actively feed those initiatives with cyber information and intelligence while simultaneously receiving new information and intelligence.

Ultimately, while the financial sector and its authorities focus on improving cyber resilience (that is, improving the capability to cope with cyberattacks), preventing cyber incidents from happening in the first place should be the focus of government. It is recommended that central banks call for—and contribute to—more focused action by governments on improving financial and digital literacy among its citizens and expanding the availability of basic cybersecurity studies to provide a future career path for unemployed youth.

Unfortunately, cyber threats are here to stay, and cyberattacks will continue to happen. Banks, financial market infrastructures, payment service providers, and especially ordinary citizens will continue to be targeted by adversaries trying to steal their money, data, or intellectual property. An efficient and credible judicial system is therefore needed to deter these crimes and—if they happen—to follow up with effective law-enforcement actions. Central banks and other financial authorities should urge governments to improve the cyber capabilities of the judicial system (that is, police, prosecutor offices, courts, and so on) and should stand ready to make available specific financial or cyber expertise if required.

BOX 2 ROLE OF NATIONAL CYBERSECURITY CENTER AND COMPUTER EMERGENCY RESPONSE TEAM

National Cybersecurity Center
The NCSC responds to cybersecurity incidents across organizations in the country and uses industry and academic expertise to build the country’s cybersecurity capability. The NCSC also works to secure public and private-sector networks and prepares publicly available practical guidance to promote knowledge sharing.

Computer Emergency Response Team
Also known as the incident response team (IRT) or the computer security incident response team (CSIRT), the CERT comprises appropriately skilled and trusted members of the organization that handle incidents during their life cycle.

4.5 ACTIVELY SEEKING REGIONAL COOPERATION

Financial entities are often active internationally. In addition, cyber risks do not stop at geographic borders. Therefore, it is recommended that central banks and financial authorities reach out to their peers in countries in their region to coordinate follow-up actions regarding the recommendations above and to establish and cooperate in joint initiatives where appropriate. As the European Commission and the European Central Bank do at the level of the European Union, the institutions of the African cooperation and/or economic and monetary integration initiatives could play a facilitating role in this.

5. Conclusion

The evidence presented in this report demonstrates that African financial services are already a significant target for a wide range of threat actors. High-value thefts conducted by OCGs and financially motivated nation-states represent the most significant current threat to financial integrity across the continent, while ransomware is an already prominent but growing concern for organizations across all industries. Both African FSIs and their customers face an almost-constant barrage of scamming and social-engineering activity from a largely homegrown class of opportunistic threat actors looking to exploit security loopholes and individual naivety. Additionally, state-level espionage and prolific data theft threaten the confidentiality of financial systems and their data and threaten to cause long-term reputational damage and potential mistrust of digital technologies within the global system.

Building on this evidence and a number of technological, socioeconomic, and geopolitical factors, this report also postulates the most likely threat landscape for African FSIs in the near future. Well-established trends, such as the large-scale and rapid digitalization of financial products and the expansion of the software and hardware supply chain for FSIs, open up new opportunities for cyber-enabled compromise, while efforts to improve formal financial participation across the continent provide Africa’s already prolific scammers and hackers with fresh, naive, and digitally unsophisticated targets.

Long-standing economic challenges faced by the continent, compounded by the slow and sporadic recovery from the effects of the COVID-19 pandemic, are likely to exacerbate the existing trend of young, technically skilled, and unemployed (or precariously employed) Africans turning to cybercrime as a quick and lucrative source of income. Technical developments, such as the commodification of hacking tools, accelerate this trend. Conversely, while many African states are pushing to enact robust and effective cybersecurity legislation, significant gaps remain. These gaps, coupled with a general lack of capability and capacity to investigate cybercrimes effectively and arrest and successfully prosecute those involved, will not deter this projected uptake of cybercrime across the continent.

On a global scale, developments in cybersecurity and technologies will exacerbate the already significant security divide between FSIs (and, indeed, most entities) in the developed and developing world. This trend will push threat actors to target entities that are now comparatively less secure in developing regions in greater numbers and volume. Finally, as developments such as climate change, energy insecurity, and geopolitical power struggles heighten Africa’s importance on the global stage, espionage activity from nation-states and other motivated threat actors against such relevant targets as governments, big business, and financial services will similarly increase.

The challenge of coping with the serious cyber threats that Africa’s financial sector is facing—and, with it, society in general—is not borne by Africa’s banks, payment service providers, and financial infrastructures alone. Financial authorities (including central banks) and governments can help address these challenges by focusing on improving the cyber resilience of both individual financial entities and the financial sector as a collective; on strengthening the cyber resilience and supervisory capacity of central banks and financial authorities; and ultimately on bolstering the cyber resilience of African society at large. Central banks and financial authorities should also actively seek to cooperate with their peers in neighboring countries.

APPENDIX A Definitions

The intelligence-led model uses historical precedent, trend cial gain, notoriety, and general curiosity. Their skill- examples, and prior examples to establish the level of set varies widely.
Less skilled hackers are restricted threat of a particular entity. Cyber threat intelligence typ- to exploiting system misconfigurations, while more ically divides threat actors into the following categories, sophisticated individuals have proven capable of com- based on their intent and capability: promising well-secured networks to steal data, con- duct disruption, or sell access to other cybercriminals. • Nation-states: Established groups working for or These highly capable hackers tend to be absorbed by on behalf of an incumbent government. Typically, collective entities such as nation-states or OCGs. these threat actors are highly sophisticated and well • Hacktivists: Individual or loosely affiliated threat actors resourced and are capable of compromising even driven primarily by ideological motivations. Hacktivist hardened targets. Their motivations typically align with attacks focus on disrupting or embarrassing their tar- their state’s broader strategic objectives, such as con- gets—for example, through DoS attacks, data breaches, ducting espionage against targets, obtaining data, or, website defacement, and social media campaigning. for some states, stealing money. Like hackers, individual hacktivists vary in skill and • Organized cybercriminal groups: Loose affiliations of capability. individual cybercriminals who pool expertise, tooling, • Malicious insiders: Former or current employees or and resources to compromise their victims. OCGs range staff members who act against their employers. Insid- in capability: Some rival nation-state actors in terms of ers are driven by a number of motivations, includ- skill and sophistication, and in some geographies, OCG ing financial gain or to take revenge on an employer. infrastructure, personnel, and targeting rationale may Although some insiders, such as IT staff, have high overlap closely with that of nation-state actors. 
OCGs levels of technical skill, even unskilled employees can are typically financially motivated and seek financial cause serious damage through privileged knowledge gain in a variety of ways, including manipulating finan- of, and access to, systems. cial networks, stealing and selling data, or using disrup- tive tactics to extort payments from victims. • Corporations: Companies, corporations, or enterprises that adopt cyber techniques to obtain a competitive • Hackers: Individuals unaffiliated with OCGs. Hackers business advantage. Activities usually involve espio- are motivated by a range of factors, including finan- nage and theft of sensitive data, such as technical intel- 26 • FINANCIAL INCLUSION GLOBAL INITIATIVE lectual property, trade secrets, or business intelligence, • Confidentiality attacks focus on stealing or exposing but some corporations may also seek to disrupt the secret, confidential, or otherwise private information, activities of industry competitors for their own gain. ranging from customer data to technical intellectual property. • Hackers for hire: Either groups or individuals with moderate to high technical skill who rent out hacking • Integrity attacks focus on manipulating target assets services to third parties. Hacker-for-hire activity usu- for various purposes, such as adapting security con- ally involves espionage against designated targets. The trols to facilitate lateral movement within networks or contractual nature of their activities means that victims altering the contents of financial messaging systems to are located in a wide range of geographies and indus- divert legitimate payments or create fraudulent ones. 
tries, depending on the objectives and motivations of • Availability attacks disrupt the continuation of systems their “employer.” underpinning key services, such as websites or pay- ment portals, via methods such as DoS attacks, ran- Threat intelligence also divides types of attack into the somware, or destructive malware. following groups, based on their likely impact on the victim: CYBER THREATS TO THE FINANCIAL SECTOR IN AFRICA • 27 APPENDIX B Case Studies This table details the case studies collected and analyzed for this report. The nature of the report means that these studies are skewed toward more recent events. This should not be taken to mean that malicious cyber activity did not occur in Africa before these dates. Date Example 2021 In October 2021, a joint United States-South Africa operation arrested members of Nigeria-based Black Axe OCG, which had stolen over $6.85 million from victims via romance and business email compromise scams (Hyman 2021). The involve- ment of US authorities indicates that a number of victims were likely based abroad. 2021 In October 2021, the Nigerian Communications Commission alerted the public of a malicious app mimicking popular Android mobile banking applications to spread the Flubot malware. When installed, the app harvests users’ online bank- ing credentials and gains access to SMS messages to intercept two-factor authentication codes to approve a fraudulent log-in (Sahara Reporters 2021). 2021 In October 2021, the Central Bank of Nigeria warned that scammers were using Twitter to defraud customers by falsely claiming to disburse 50 billion eNaira, Nigeria’s new digital currency, launched on October 25, 2021 (Adegboyega 2021). The campaign likely aimed to obtain Nigerians’ banking details for use in further fraudulent activity. This example shows how low-level scammers quickly capitalize on technological developments in the banking sector for their own personal gain. 
2021 | In August 2021, authorities arrested 39 Nigerians for using lost or stolen SIM cards to empty bank accounts. The group’s operating model involved purchasing SIM packs in bulk and reactivating old phone numbers to obtain bank account details (Isamotu 2021).
2021 | In July 2021, the Egregor ransomware operators targeted the South African investment and private credit firm Norsad Finance.11
2021 | In July 2021, ransomware disrupted operations at Transnet, South Africa’s state-owned enterprise for rail, port, and pipeline infrastructure. The incident took most systems offline, forcing employees to record vessel movements manually and causing significant logistical backlogs. Although not directly targeting the financial sector, the incident shows ransomware groups’ clear intent to capitalize on inadequate security and target critical infrastructure entities in Africa (Reva 2021).
2021 | In July 2021, a Nigerian citizen was sentenced for defrauding a US retirement fund out of $1 million by conspiring with an insider to create unauthorized bank accounts, change legitimate bank deposit information, and reroute payments to controlled accounts (Nwezeh 2021).
2021 | In July 2021, Angola’s largest state-owned bank suffered a disruptive attack against several servers, leaving services at branches in its commercial banking network temporarily limited (Lusa/Ver Angola 2021).
2021 | In July 2021, an unidentified threat actor compromised a South African financial services provider and stole databases containing policyholder information, including bank account numbers and card details (Vermeulen 2021).
2021 | In April 2021, the founders of South African cryptocurrency exchange Africrypt staged a hack and stole $3.6 billion from investors (Ryan 2021).
2021 | Research in March 2021 shows OCG FIN7 conducted attacks on point-of-sale systems in South Africa, aiming to steal customer card data (Seals 2021). The details were then used to make counterfeit cards, which the group used to commit fraud or sold to other cybercriminals.
2021 | In February 2021, the operators of REvil ransomware compromised the Union Bank of Nigeria, disrupted system availability, and stole and leaked confidential customer and business data (Hack Notice 2021).
2021 | In February 2021, unknown threat actors compromised Angola’s Ministry of Finance, accessed emails and shared folders, and stole confidential data (Massala 2021).
2020 | In December 2020, a credit analyst at a South African bank stole and sold the personal information of 200,000 customers to an unknown third party (Carnegie Endowment for International Peace 2021).
2020 | In December 2020, African Union staff discovered that nation-state threat actors had compromised the security camera system installed in their headquarters for espionage purposes (CSIS 2021).
2020 | In November 2020, the Egregor ransomware operators targeted Zimbabwe’s Steward Bank, causing several days of system disruption.12
2020 | In November 2020, Nigerian authorities arrested three OCG members engaging in phishing, malware campaigns, and business email compromise scams against almost 500,000 victims located in Japan, Nigeria itself, Singapore, the United Kingdom, and the United States (Scroxton 2020).
2020 | In October 2020, hackers compromised Pegasus Technologies, a fintech service used by numerous mobile network operators such as MTN and Airtel for mobile money payments, as well as providing financial services for a mobile banking platform. The attackers stole about $1 million from Uganda’s digital payments system, and 20 million people were affected by the subsequent service shutdown (Kasemiire and Ajuna 2020).
2020 | In October 2020, a hacktivist group protesting police brutality targeted the website of the Central Bank of Nigeria with DDoS attacks (Vermeulen 2019). The incident was part of a wider campaign against the Nigerian government, demonstrating how FSIs can be caught up in wider politically or ideologically motivated campaigns (Olufemi 2020).
2020 | In September 2020, the Calix ransomware strain infected the Development Bank of Seychelles, a branch of the Seychelles Central Bank (Sweny 2020).
2020 | In August 2020, the New Zealand stock exchange was taken offline for approximately two days following several DDoS attacks (BBC News 2020).
2020 | In August 2020, Experian South Africa suffered a data breach, resulting in the exposure of personal information belonging to 24 million South Africans and almost 800,000 business entities (Times Live 2020).
2020 | In July 2020, Somalia suffered an almost complete internet blackout after the parliament removed the president in a vote of no confidence. The blackout was likely intended to impede coverage of the incident but affected a large number of businesses and Somalia’s mobile money services (Netblocks 2020).
2020 | In June 2020, employees at a South African bank stole a master key used to decrypt bank operations, access and modify banking systems, and generate keys for customer cards. The employees used the key to access customer accounts, make fraudulent transactions, and steal over $3.2 million (Cimpanu 2020). The incident cost the bank over $58 million in remediation, as well as harder-to-measure reputational damage and loss of customer trust and loyalty. The incident also demonstrates how insiders can leverage their privileged system knowledge and access to manipulate internal systems without immediate detection.
2020 | In June 2020, ideological hacktivists targeted the website of Sudan’s Ministry of Endowment and Religious Affairs with political slogans. They also allegedly targeted the Ministry of Finance (Sudan News Agency 2020).
2020 | In May 2020, Gambian authorities arrested 12 suspects linked to an attack on The Gambia’s Trust Bank. Evidence suggests that the suspects worked with insiders in attempts to make fraudulent transactions (The Point 2020).
2020 | In January 2020, the South African Banking Risk Information Centre warned about a significant number of attacks on African banks from a Russia-based OCG. The OCG was reportedly attempting to compromise vulnerable FSIs and deploy a variety of malware on compromised systems, with the objective of bypassing internal security controls and redirecting funds (Githahu 2020).
2020 | A fraud report from the Ghana central bank reported a 584.1 percent year-on-year increase in card fraud affecting its customers from 2019 to 2020 (Ghanaian Times 2020).
2020 | Several hundred thousand victims were defrauded out of a total of $588 million through a pyramid scheme bitcoin scam in 2020 (Chelin 2021).
2019 | In October 2019, the South African Banking Risk and Information Centre reported a series of DDoS attacks against multiple African banks’ public-facing assets. The attacks were accompanied by a ransom note demanding payment to stop the attacks. The attacks were timed to coincide with payday to cause maximum disruption. While the effects of this campaign were limited, it demonstrated how less sophisticated threat actors seek to disrupt FSIs’ availability for financial gain. These attacks coincided with a ransomware attack against the City of Johannesburg’s network, which shut down all electronic services, including bill-payment mechanisms, and coincided with month-end processes for supplier and customer payments (Paton 2019).
2019 | In September 2019, Garmin South Africa warned customers that their financial information was at risk after a card-skimming script was found on their e-commerce site. Customers who shopped on the site had their home addresses, phone numbers, email addresses, and full payment card and billing address data stolen (Karabus 2019).
2019 | In September 2019, a human intelligence source reported that the TA505 OCG was actively targeting large South African FSIs with phishing campaigns, aiming to obtain employee credentials and establish a foothold on banks’ networks.13 TA505 has a history of conducting direct theft operations, suggesting that this was the objective in this scenario.
2019 | In July 2019, an unknown OCG deployed ransomware against the large South African energy supplier City Power. The incident was timed to coincide with when many South Africans received monthly paychecks to pay for electricity for the next month. The ransomware encrypted City Power’s entire network, including databases and application servers, and temporarily kept many customers from purchasing electricity packages (BBC News 2019). In addition to harming City Power customers, this incident shows how cybersecurity vulnerabilities in other industries can affect FSIs: A loss of power for an FSI could render it unable to process transactions, conduct trading, or engage in other business-critical operations.
2019 | In January 2019, an employee at a South African bank attempted to transfer approximately R 100 million (approximately $6.6 million) from a customer’s account into accounts controlled by accomplices. The employee used privileged system access to approve replica cards, which would be used to withdraw the funds from ATMs (Hlungwani 2019).
2019 | Active since 2019, a Kenyan group named SilentCards has stolen approximately $174 million from Kenyan banks. The group purchases legitimate dormant accounts and co-opts the services of current bank employees to transfer and withdraw significant sums of money from ATMs (Niba 2019).
2019 | In 2019, police arrested 77 Nigerians, including a local entrepreneur, for engaging in an online financial-fraud scheme worth almost $11 million (Iwenwanne 2021).
2017–19 | Several FSIs in West Africa were targeted by cyberattacks aimed at compromising internal networks and making fraudulent transactions (Symantec Threat Hunter Team 2019).
2018 | In November 2018, Mozambique’s banking system (including ATMs and card machines) was offline for several days after Portuguese fintech provider BizFirst cut off its services when Mozambique refused to pay a disputed bill (Verdade 2018).
2018 | In May 2018, researchers revealed that a financially motivated nation-state group was engaging in a long-term espionage operation against the financial sector. The intrusions affected a number of African FSIs. The operation’s likely objective was large-scale data reconnaissance to identify potential targets for future compromise (Sherstobitoff 2018). In 2019, the same group targeted banks in five African countries to compromise internal banking infrastructure and redirect funds (Lederer 2019; The Chronicle 2019). This example shows significant nation-state interest in capitalizing on Africa’s generally weaker cybersecurity posture for financial gain.
2018 | In January 2018, an OCG stole at least K Sh 29 million (approximately $261,000) from the National Bank of Kenya, with anecdotal reporting suggesting that the actual sum was about K Sh 340 million (approximately $3 million) (PC Tech Magazine 2018). The bank cited a compromise of its internal network.
2007–17 | Vendor research in 2017 revealed that a nation-state group had been targeting a number of Africa-based FSIs since at least 2011 and perhaps even 2007. The custom malware used by the group had sophisticated system fingerprinting, discovery, and exfiltration capabilities, indicating that the group was conducting long-term espionage operations against its targets (Johnson 2017).
2017 | In November 2017, unknown threat actors temporarily took down the services of Algeria’s state telecommunications operator, Algerie Telecom, with a series of DDoS attacks (Paganini 2017).
2016 | In May 2016, an OCG targeted South Africa’s Standard Bank, compromised internal banking systems, customer databases, and operational safeguards and managed to use forged cards to withdraw over $19 million from ATMs across Japan (Carnegie Endowment for International Peace 2021). More than 260 suspects were eventually arrested, highlighting the extensive infrastructure available to these more sophisticated threat actors.
2016 | In October 2016, an individual hacker for hire was contracted by a rival firm to use a botnet to conduct DDoS attacks against a Liberian telecommunications company. The incident left half the country unable to access the internet (Casciani 2019). It was not directed at FSIs, but the level of reliance on mobile infrastructure and the internet to conduct daily banking activities indicates how infrastructure and connection disruption can significantly affect the wider financial industry across Africa.

References

Adegboyega, Ayodeji. 2021. “eNaira: CBN Warns Nigerians of Fraud, Denies Disbursing 50 Billion.” Premium Times, October 27, 2021, accessed November 2021. https://www.premiumtimesng.com/news/top-news/492085-enaira-cbn-warns-nigerians-of-fraud-denies-disbursing-50-billion.html.

African Development Bank Group. 2021. African Economic Outlook: From Debt Resolution to Growth: The Road Ahead for Africa. African Development Bank Group, accessed October 2021. https://www.afdb.org/en/documents/african-economic-outlook-2021.

AfricaNenda. 2021. The State of Instant Payments in Africa: Progress and Prospects. AfricaNenda, October 2021, accessed November 2021. https://www.africanenda.org/uploads/files/211005_AfricaNenda-Instant-Payments-in-Africa-Report_vF-1.pdf.

Agosto, Pedro. 2021. “Angola a Top Target for Global Cyber Crooks.” CAJ News Africa, July 26, 2021, accessed October 2021. https://www.cajnewsafrica.com/2021/07/26/angola-a-top-target-for-global-cyber-crooks/.

Baker McKenzie. 2021. “Africa: Implementation of Cybersecurity and Data Protection Law Urgent across Continent.” Baker McKenzie, June 7, 2021, accessed October 2021. https://www.bakermckenzie.com/en/insight/publications/2021/06/africa-cybersecurity-data-protection-law.

BBC News. 2019. “Ransomware Hits Johannesburg Electricity Supply.” BBC News, July 26, 2019, accessed October 2021. https://www.bbc.co.uk/news/technology-49125853.

BBC News. 2020. “New Zealand Stock Exchange Halted by Cyber-Attack.” BBC News, August 26, 2020, accessed November 2021. https://www.bbc.com/news/53918580.

BBC News. 2021. “The Lazarus Heist: How North Korea Almost Pulled Off a Billion-Dollar Hack.” BBC News, June 21, 2021, accessed October 2021. https://www.bbc.com/news/stories-57520169.

BCBS (Basel Committee on Banking Supervision). 2021. Principles for Operational Resilience. Bank for International Settlements, March 2021. https://www.bis.org/bcbs/publ/d516.pdf.

BGS (British Geological Survey). 2021. “Lithium Resources and Their Potential to Support Battery Supply Chains in Africa.” British Geological Survey, July 14, 2021, accessed November 2021. https://www.bgs.ac.uk/news/lithium-resources-and-their-potential-to-support-battery-supply-chains-in-africa/.

Brooks, Acadia. 2021. “World Bank ‘Growth in the Time of Crisis’ Forum to Begin.” Foreign Brief, October 11, 2021, accessed October 2021. https://www.foreignbrief.com/daily-news/world-bank-growth-in-the-time-of-crisis-forum-to-begin/.

Carnegie Endowment for International Peace. 2021. “Timeline of Cyber Incidents Involving Financial Institutions.” Carnegie Endowment for International Peace, 2021 (updated 2021), accessed October and November 2021. https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline.

Casciani, Dominic. 2019. “Briton Who Knocked Liberia Offline with Cyber Attack Jailed.” BBC News, January 11, 2019, accessed October 2021. https://www.bbc.com/news/uk-46840461.

CEA (Council of Economic Advisers). 2018. The Cost of Malicious Cyber Activity to the U.S. Economy. Council of Economic Advisers, February 2018, accessed July 2020. https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf, p. 14.

Chelin, Richard. 2021. “Africa—New Playground for Crypto Scams and Money Laundering.” All Africa, August 9, 2021, accessed October 2021. https://allafrica.com/stories/202108100118.html.

Chironga, Mutsa, Hilary de Grandis, and Yassir Zouaoui. 2017. “Mobile Financial Services in Africa: Winning the Battle for the Customer.” McKinsey & Company, September 1, 2017, accessed October 2021. https://www.mckinsey.com/industries/financial-services/our-insights/mobile-financial-services-in-africa-winning-the-battle-for-the-customer.

The Chronicle. 2019. “UN Investigating North Korean Cyber Attacks in Gambia, 16 Other Countries.” The Chronicle, August 14, 2019, accessed October 2021. https://www.chronicle.gm/un-investigating-north-korean-cyber-attacks-in-gambia-16-other-countries/.

Cimpanu, Catalin. 2020. “South African Bank to Replace 12M Cards after Employee Stole Master Key.” ZDNet, June 15, 2020, accessed November 2021. https://www.zdnet.com/article/south-african-bank-to-replace-12m-cards-after-employees-stole-master-key/.

Cooper, Barry, Christine Hougaard, Laura Munoz Perez, Christiaan Loots, Rose Tuyeni Peter, Matthew Ferreira, and Matthew Dunn. 2018. Payment Systems in Sub-Saharan Africa: Note 2: Case Studies of National and Regional Payment Systems Market Development. Centre for Financial Regulation and Inclusion, December 2018, accessed October 2021. https://cenfri.org/wp-content/uploads/2018/12/Payment-systems-in-SSA-Note-2.pdf.

CREST. 2021. “An Introduction to CBEST.” CREST, 2021, accessed December 2021. https://www.crest-approved.org/wp-content/uploads/2014/05/CBEST-OVERVIEW.pdf.

CSIS (Center for Strategic and International Studies). 2021. Significant Cyber Incidents since 2006. Center for Strategic and International Studies (updated 2021), accessed October 2021. https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents.

ECB (European Central Bank). 2021. “Cyber Information and Intelligence Sharing Initiative (CIISI-EU).” European Central Bank, 2021, accessed December 2021. https://figi.itu.int/wp-content/uploads/2021/06/5_Constantinos_Fiona_ECB.pdf.

Feltman, Jeffrey. 2020. China’s Expanding Influence at the United Nations—and How the United States Should React. Brookings Institution, September 2020, accessed November 2021. https://www.brookings.edu/wp-content/uploads/2020/09/FP_20200914_china_united_nations_feltman.pdf.

Ford, Neil. 2021. “Africa Walks Development Tightrope as Calls for Oil and Gas Restraint Grow.” African Business, October 31, 2021, accessed November 2021. https://african.business/2021/10/energy-resources/africa-walks-development-tightrope-as-calls-for-oil-and-gas-restraint-grow/.

Fowler, Gary. 2021. “When Will Quantum Computers Impact Our Day-to-Day?” Forbes, April 28, 2021, accessed November 2021. https://www.forbes.com/sites/forbesbusinessdevelopmentcouncil/2021/04/28/when-will-quantum-computers-impact-our-day-to-day/.

Francis, Ndubuisi, and James Emejo. 2021. “Nigeria: Digital Currency Gains Traction as CBN Appoints Technical Partner.” All Africa, August 31, 2021, accessed November 2021. https://allafrica.com/stories/202108310106.html.

Further Africa. 2021. “Angola: e-Kwanza Currency Yields over US$6M.” Further Africa, January 14, 2021, accessed October 2021. https://furtherafrica.com/2021/01/14/angola-e-kwanza-currency-yields-over-us6m/.

Ghanaian Times. 2020. “Bankers Association Calls for Increased ATM Fraud Education.” Ghanaian Times, 2020, accessed October 2021. https://www.ghanaiantimes.com.gh/bankers-association-calls-for-increased-atm-fraud-education/.

Githahu, Mwangi. 2020. “SA Banks Ready in Case of Cyber Attack by Russian Hackers.” IOL, January 16, 2020, accessed October 2021. https://www.iol.co.za/capeargus/news/sa-banks-ready-in-case-of-cyber-attack-by-russian-hackers-40677478.

GSMA. 2019. The Mobile Economy: Sub-Saharan Africa 2019. GSMA, 2019, accessed November 2021. https://data.gsmaintelligence.com/api-web/v2/research-file-download?id=45121567&file=2794-160719-ME-SSA.pdf.

Hack Notice. 2021. “Union Bank of Nigeria.” Hack Notice, February 27, 2021, accessed October 2021. https://app.hacknotice.com/#/hack/6039759f3d050599d8af9597.

Hlungwani, Victor. 2019. “Bank Worker Stole R1M from Client!” Daily Sun, January 31, 2019, accessed November 2021. https://www.dailysun.co.za/News/National/bank-worker-stole-r1m-from-client-20190131.

Hoffmann, Christiane, and Christoph Schult. 2021. “I Have Eliminated ‘the West’ from My Vocabulary.” Spiegel International, September 23, 2021, accessed September 2021. https://www.spiegel.de/international/germany/interview-with-merkel-s-former-foreign-policy-adviser-i-have-eliminated-the-west-from-my-vocabulary-a-e3ab1e9d-998f-4d56-9b17-ab950cef5334.

Human, Jurie Hendrik. 2021. “African Countries Continue to Have the Highest Poverty Rates in the World.” Development Aid, February 25, 2021, accessed November 2021. https://www.developmentaid.org/#!/news-stream/post/84943/highest-poverty-rates-in-africa.

Hyman, Aron. 2021. “Nigerian Mafia Leaders Arrested after Hawks Swoop in Cape Town.” Times Live, October 19, 2021, accessed October 2021. https://www.timeslive.co.za/news/south-africa/2021-10-19-nigerian-mafia-leaders-arrested-as-sa-and-us-forces-swoop-in-cape-town/.

Isamotu, Idowu. 2021. “How We Emptied Many Nigerians’ Bank Accounts, Stole Millions of Naira—Suspect.” Daily Trust, August 17, 2021, accessed October 2021. https://www.dailytrust.com.ng/how-we-emptied-many-nigerians-bank-accounts-stole-millions-of-naira-suspect.

Iwenwanne, Valentine. 2021. “More than Email Scams: The Evolution of Nigeria’s Cyber-Crime Threat.” N World, July 21, 2021, accessed November 2021. https://www.thenationalnews.com/world/africa/2021/07/22/more-than-email-scams-the-evolution-of-nigerias-cyber-crime-threat/.

Jibilian, Isabella, and Katie Canales. 2021. “The US Is Readying Sanctions against Russia over the SolarWinds Cyber Attack. Here’s a Simple Explanation of How the Massive Hack Happened and Why It’s Such a Big Deal.” Business Insider, April 15, 2021, accessed November 2021. https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T.

Johnson, A. L. 2017. “Longhorn: Tools Used by Cyberespionage Group Linked to Vault 7.” Broadcom, April 10, 2017, accessed October 2021. https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7.

Kabanda, Salah, Maureen Tanner, and Cameron Kent. 2018. “Exploring SME Cybersecurity Practices in Developing Countries.” Journal of Organizational Computing and Electronic Commerce 28, no. 3: 269–82, accessed October 2021. https://www.researchgate.net/profile/Salah-Kabanda-2/publication/326385562_Exploring_SME_cybersecurity_practices_in_developing_countries/links/5cd56c2ea6fdccc9dd9d5ae4/Exploring-SME-cybersecurity-practices-in-developing-countries.pdf.

Karabus, Jude. 2019. “Charmin’. Garmin Admits Customers’ Full Credit Card Data Nicked from South African Web Store.” The Register, September 13, 2019, accessed October 2021. https://www.theregister.com/2019/09/13/garmin_breach_notification/.

Kasemiire, Christine, and David Vosh Ajuna. 2020. “Hackers Steal Billions in Mobile Money Heist.” The Monitor, October 6, 2020, accessed October 2021. https://www.monitor.co.ug/uganda/news/national/hackers-steal-billions-in-mobile-money-heist-2458494.

Kaspersky. 2021. “Types of Mobile Malware.” Kaspersky, 2021, accessed November 2021. https://www.kaspersky.co.uk/resource-center/threats/mobile.

Koegler, Scott. 2017. “Cybercrime Has Become a Commodity.” Security Intelligence, May 23, 2017, accessed November 2021. https://securityintelligence.com/cybercrime-has-become-a-commodity/.

Krebs, Brian. 2021. “REvil Ransom Arrest, $6M Seizure, and $10M Reward.” Krebs on Security, November 8, 2021, accessed November 2021. https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/.

Kshetri, Nir. 2019. “Cybercrime and Cybersecurity in Africa.” Journal of Global Information Technology Management 22, no. 2: 77–81, accessed October 2021. https://www.tandfonline.com/doi/pdf/10.1080/1097198X.2019.1603527.

Lederer, Edith M. 2019. “UN Probing 35 North Korean Cyberattacks in 17 Countries.” AP News, August 13, 2019, accessed October 2021. https://apnews.com/ece1c6b122224bd9ac5e4cbd0c1e1d80.

Liang, Nan, and David Biros. 2015. “Identifying Common Characteristics of Malicious Insiders.” Paper prepared for the Annual ADFSL Conference on Digital Forensics, Security and Law, May 21, 2015, accessed October 2021. https://core.ac.uk/download/pdf/217154843.pdf.

Lukonga, Inutu. 2018. “Fintech, Inclusive Growth and Cyber Risks: Focus on the MENAP and CCA Regions.” IMF Working Paper WP/18/201, September 11, 2018, accessed October 2021. https://www.imf.org/en/Publications/WP/Issues/2018/09/11/FinTech-Inclusive-Growth-and-Cyber-Risks-Focus-on-the-MENAP-and-CCA-Regions-46190.

Lusa/Ver Angola. 2021. “BPC Suffers Cyber Attack.” Ver Angola, July 20, 2021, accessed October 2021. https://www.verangola.net/va/en/072021/BankingInsurance/26365/BPC-suffers-cyber-attack.htm.

Massala, Guilherme. 2021. “Angolan Finance Ministry Suffers Cyber Attack.” Menos Fios, February 23, 2021, accessed October 2021. https://www.menosfios.com/en/angola-finance-ministry-suffers-cyber-attack/.

Matooke Republic. 2021. “Pegasus Technologies Becomes the First Indigenous Ugandan Fintech to Get BoU License for Mobile Payments.” Matooke Republic, October 18, 2021. https://www.matookerepublic.com/2021/10/18/pegasus-technologies-becomes-the-first-indigenous-ugandan-fintech-to-get-bou-license-for-mobile-payments/.

Office of the Director of National Intelligence. 2021. Annual Threat Assessment of the US Intelligence Community. Office of the Director of National Intelligence, April 9, 2021, accessed November 2021. https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf.

Olewe, Dickens. 2021. “Why African Countries Back China on Human Rights.” BBC News, May 2, 2021, accessed October 2021. https://www.bbc.com/news/world-africa-56717986.

Olufemi, Alfred. 2020. “#EndSARS: Anonymous Attacks CBN Website.” Premium Times, October 16, 2020, accessed October 2021. https://www.premiumtimesng.com/news/headlines/421284-updated-endsars-anonymous-attacks-cbn-website.html.

Osborne, Charlie. 2021. “Updated Kaseya Ransomware Attack FAQ: What We Know Now.” ZDNet, July 23, 2021, accessed November 2021. https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/.

Osborne, Hilary. 2016. “HSBC Suffers Online Banking Cyber-Attack.” The Guardian, January 29, 2016, accessed October 2021. https://www.theguardian.com/money/2016/jan/29/hsbc-online-banking-cyber-attack.

Paganini, Pierluigi. 2017. “A Massive Cyber Attack Hit the Algerian State Telecom Operator Algerie Telecom.”

Menn, Joseph, and Christopher Bing. 2021. “Governments Turn Tables on Ransomware Gang REvil by Pushing It Offline.” Reuters, October 21, 2021, accessed October 2021.
https://www.reuters.com/technology/exclusive- Security Affairs, November 21, 2017, accessed October governments-turn-tables-ransomware-gang-revil-by- 2021. https://securityaffairs.co/wordpress/65822/ pushing-it-offline-2021-10-21/. hacking/algerie-telecom-cyberattack.html. Netblocks. 2020. “Somalia Internet Blackout after Paton, Carol. 2019. “City of Joburg, Banks under Cyber Parliament Votes to Remove Prime Minister.” Attack.” Times Live, October 25, 2019, accessed Netblocks, July 26, 2020, accessed October 2021. October 2021. https://www.timeslive.co.za/news/ https://netblocks.org/reports/somalia-internet- south-africa/2019-10-25-city-of-joburg-banks-under- blackout-after-parliament-votes-to-remove-prime- cyber-attack/. minister-DA3lx6BW. Pazarbasioglu, Ceyla, Alfonso Garcia Mora, Mahesh Niba, William. 2019. “Focus on Africa: Kenya: Home- Uttamchandani, Harish Natarajan, Erik Feyen, and Grown Hackers Have Looted Millions from Banks.” Mathew Saal. 2020. Digital Financial Services. RFI, May 3, 2019, accessed October 2021. http://en.rfi. World Bank Group, April 2020, accessed fr/africa/20190502-focus-africa-kenya-cyber-crime- October 2021. https://pubdocs.worldbank.org/ buster-trace-home-grown-hackers-looting-millions- en/230281588169110691/Digital-Financial-Services.pdf. bank. PC Tech Magazine. 2018. “National Bank of Kenya Nield, David. 2021. “Record-Breaking Chinese Suffered a Breach—Admits Ksh 29 Million Was Stolen.” Supercomputer Marks New Quantum Supremacy PC Tech Magazine, January 22, 2018, accessed Milestone.” Science Alert, July 14, 2021, accessed October 2021. https://pctechmag.com/2018/01/ November 2021. https://www.sciencealert.com/china- national-bank-of-kenya-suffered-a-breach-admits- s-latest-56-qubit-computer-marks-another-quantum- ksh-29-million-was-stolen/. milestone. The Point. 2020. “Beware of Cyber-Criminals!” The Point, Nwezeh, Kingsley. 2021. “Nigerian Sentenced to Eight May 8, 2020, accessed October 2021. https://thepoint. 
Years Imprisonment in U.S. for $975,863 Fraud.” All gm/africa/gambia/editorial/beware-of-cyber- Africa, July 19, 2021, accessed October 2021. https:// criminals. allafrica.com/stories/202107300104.html. 34 • FINANCIAL INCLUSION GLOBAL INITIATIVE Reuters. 2021. “Climate Change to Displace Tens of Sherstobitoff, Ryan. 2018. “Analyzing Operation Millions of East Africans by 2050—World Bank.” GhostSecret: Attack Seeks to Steal Data Worldwide.” Reuters, October 27, 2021, accessed October 2021. McAfee Blog, April 24, 2018, accessed October 2021. https://www.reuters.com/business/cop/climate- https://securingtomorrow.mcafee.com/other-blogs/ change-displace-tens-millions-east-africans-by-2050- mcafee-labs/analyzing-operation-ghostsecret-attack- world-bank-2021-10-27/. seeks-to-steal-data-worldwide/. Reva, Denys. 2021. “Cyber Attacks Expose the Sudan News Agency. 2020. “Sudan: Endowments Vulnerability of South Africa’s Ports.” ISS Today, July Website Hacked.” All Africa, June 18, 2020, 29, 2021, accessed October 2021. https://issafrica.org/ accessed October 2021. https://allafrica.com/ iss-today/cyber-attacks-expose-the-vulnerability-of- stories/202006190145.html. south-africas-ports. Sweny, Gillian. 2020. “Calix Ransomware Attack Hits Ryan, Ciaran. 2021. “Africrypt ‘Hack’ of Nearly R54Bn Development Bank of Seychelles.” AgileBlue Blog, Dwarfs Mirror Trading.” Moneyweb, June 23, 2021, September 17, 2020, accessed November 2021. accessed October 2021. https://www.moneyweb. https://agileblue.com/calix-ransomware-attack-hits- co.za/moneyweb-crypto/africrypt-hack-of-nearly- development-bank-of-seychelles/. r54bn-dwarfs-mirror-trading/. Świątkowska, Joanna. 2020. Tackling Cybercrime to Saeed, Mustapha, and Sone Osakwe. 2021. “Are African Unleash Developing Countries’ Digital Potential. Countries Doing Enough to Ensure Cybersecurity Background Paper 33. Pathways for Prosperity and Internet Safety?” MyITU, September 1, 2021, Commission, January 2020, accessed October 2020. 
accessed October 2021. https://www.itu.int/en/myitu/ https://pathwayscommission.bsg.ox.ac.uk/sites/ News/2021/09/01/06/54/Are-African-countries- default/files/2020-01/tackling_cybercrime_to_ doing-enough-to-ensure-cybersecurity-and-Internet- unleash_developing_countries_digital_potential.pdf. safety. Symantec Threat Hunter Team. 2019. “West African Sahara Reporters. 2021. “New Virus Impersonating Financial Institutions Hit by Wave of Attacks.” Mobile Banking Apps to Steal Money—Agency Threat Intelligence Blog, January 17, 2019, accessed Warns Nigerians.” Sahara Reporters, October 22, November 2021. https://symantec-enterprise-blogs. 2021, accessed October 2021. http://saharareporters. security.com/blogs/threat-intelligence/african- com/2021/10/22/new-virus-impersonating-mobile- financial-attacks. banking-apps-steal-money-%E2%80%93-agency- Tarabay, Jamie. 2021. “Ransomware Hackers Freeze warns-nigerians. Millions in Papua New Guinea.” Bloomberg, October 27, Scroxton, Alex. 2020. “Three Cyber Criminals Arrested 2021, accessed October 2021. https://www.bloomberg. in Nigerian BEC Investigation.” Computer Weekly, com/news/articles/2021-10-27/papua-new-guinea-s- November 25, 2020, accessed October 2021. https:// finance-department-hit-with-ransomware-attack. www.computerweekly.com/news/252492711/ This Day. 2021. “Nigeria to Benefit from UK’s £22M Three-cyber-criminals-arrested-in-Nigerian-BEC- Cyber Capacity Building Fund.” All Africa, May 20, investigation. 2021, accessed October 2021. https://allafrica.com/ Seals, Tara. 2021. “FIN8 Resurfaces with Revamped stories/202105200105.html. Backdoor Malware.” Threat Post, March 11, 2021, Times Live. 2020. “Massive Data Attack Exposes accessed November 2021. www.threatpost.com/fin8- Personal Info of 24 Million South Africans.” Times Live, resurfaces-backdoor-malware/164684. August 19, 2020, accessed October 2021. https:// Selassie, Abebe Aemro, and Shushanik Hakobyan. 2021. 
www.timeslive.co.za/news/south-africa/2020-08-19- “Six Charts Show the Challenges Faced by Sub- massive-data-attack-exposes-personal-info-of-24- Saharan Africa.” IMF News, April 15, 2021, accessed million-south-africans/. November 2021. https://www.imf.org/en/News/ Varrella, Simona. 2021. “E-Commerce in Africa— Articles/2021/04/12/na041521-six-charts-show-the- Statistics & Facts.” Statista, September 28, 2021, challenges-faced-by-sub-saharan-africa. accessed November 2021. https://www.statista.com/ Seychelles News Agency. 2021. “Seychelles: Cashless topics/7288/e-commerce-in-africa/#topicHeader__ Economy—Seychelles’ Financial System to Be wrapper. Entirely Digital by 2023.” All Africa, September 2, Verdade. 2018. “Mozambique: Central Bank Governor 2021, accessed October 2021. https://allafrica.com/ Blames Cyber-Attack for Banking Crisis.” All Africa, stories/202109030270.html. November 21, 2018, accessed November 2021. https:// allafrica.com/stories/201811210152.html. CYBER THREATS TO THE FINANCIAL SECTOR IN AFRICA • 35 Vermeulen, Jan. 2019. “How Much Money DDoS worldbank.org/curated/en/515771621921739154/pdf/ Attackers Demanded from South African Banks.” Consumer-Risks-in-FinTech-New-Manifestations-of- MyBroadband, October 29, 2019, accessed Consumer-Risks-and-Emerging-Regulatory- October 2021. https://mybroadband.co.za/news/ Approaches-Policy-Research-Paper.pdf. security/324929-how-much-money-ddos-attackers- WBG (World Bank Group). 2021b. “Scams and demanded-from-south-african-banks.html. Fraudulent Investment Schemes That Misuse Our Vermeulen, Jan. 2021. “Bank Account Details Stolen in Name.” World Bank, last updated August 25, 2021, Major Insurance Hack in South Africa.” MyBroadband, accessed November 2021. https://www.worldbank.org/ July 16, 2021, accessed November 2021. https:// en/about/legal/scams. mybroadband.co.za/news/security/405878-bank- Yade, Rama. 2021. 
“Africa Is America’s Greatest Geo- account-details-stolen-in-major-insurance-hack-in- political Opportunity. Does the US Know It?” Africa south-africa.html. Source Blog, May 25, 2021, accessed November 2021. WB (World Bank). 2021. “The World Bank in Africa.” https://www.atlanticcouncil.org/blogs/africasource/ World Bank, updated 2021, accessed November 2021. africa-is-americas-greatest-geopolitical-opportunity- https://www.worldbank.org/en/region/afr/overview. does-the-us-know-it/. WBG (World Bank Group). 2021a. Consumer Risks in Fintech: New Manifestations of Consumer Risks and Emerging Regulatory Approaches. Policy Research Paper. World Bank Group, April 2021, accessed October 2021. https://documents1. 36 • FINANCIAL INCLUSION GLOBAL INITIATIVE Endnotes 1. Threat-led penetration testing is also advocated for by the G-7. A Act. While in the final stages of negotiations with European Parlia- good practical example is TIBER-EU, the threat-led penetration test- ment and EU member states (status February 2022), the legal pro- ing framework developed by the European Central Bank and currently posal aims—among other things—to establish an EU-wide oversight applied in 11 EU countries. The TIBER-EU framework is jurisdiction and regime for “critical ICT third party service providers.” sector agnostic and free to be used. Next to that, reference is made to 8. This does not need imply that institutional roles and responsibilities the CIISI-EU initiative, which has been developed under the aegis of are being blurred, nor that it needs to be done in a fully formalized the Euro Cyber Resilience Board and the European Central Bank. The setting. Already agreeing to meet regularly at the senior management CIISI-EU blueprint is sector and jurisdiction agnostic, free to be used, level and starting the dialogue will probably make a great difference. and currently being implemented in several countries and regions. 9. 
The role of an NCSC is ultimately to support organizations in pro- 2. Closed source. tecting against, identifying, and responding to cyber threats. More 3. Results obtained from DarkTracer ransomware tracking platform, acutely, an NCSC distills cybersecurity knowledge into practical https://platform.darktracer.com:4430/ (October 2021). guidance for organizations and individuals, responds to cybersecurity 4. In November 2019, under the aegis of the Financial Inclusion Global incidents to reduce the potential impact, uses industry and academic Initiative, the World Bank published Cyber Resilience for Financial expertise to bolster national cybersecurity capabilities, and reduces Market Infrastructures, which spells out in concrete, practical terms general risk by securing public- and private-sector networks. For the expectations for the oversight of cyber resilience developed by more information, see https://www.ncsc.gov.uk/information/about- the European Central Bank. Next to that, one could be referred to the the-ncsc. Principles for Operational Resilience published by the Basel Commit- 10. The role of a national CERT is to coordinate the management of tee on Banking Supervision (BCBS 2021). national cybersecurity incidents; support critical national infrastruc- 5. Threat-led penetration testing is also advocated for by the G-7. A ture entities in managing cybersecurity incidents; promote cyber- good practical example is TIBER-EU, the threat-led penetration test- security situational awareness across industry, academia, and the ing framework developed by the European Central Bank and currently public sector; and act as a single international point of contact for applied in 11 EU countries. The TIBER-EU framework is jurisdiction and coordination and collaboration with other national CERTs. For more sector agnostic and free to be used. information, see https://www.gov.uk/government/news/uk-launch- es-first-national-cert. 
CERTs can also be established at the sectoral 6. Reference is made to the CIISI-EU initiative, which has been devel- level. oped under the aegis of the Euro Cyber Resilience Board and the European Central Bank. The CIISI-EU blueprint is sector and jurisdic- 11. Results obtained from DarkTracer ransomware tracking platform, tion agnostic, free to be used, and currently being implemented in https://platform.darktracer.com:4430/ (October 2021). several countries and regions. 12. Results obtained from DarkTracer ransomware tracking platform, 7. September 2020, as part of its Digital Finance Package, the Euro- https://platform.darktracer.com:4430/ (October 2021). pean Commission issued a proposal for an EU regulation on digital 13. Closed source. resilience for the financial sector, the Digital Operational Resilience CYBER THREATS TO THE FINANCIAL SECTOR IN AFRICA • 37