A sophisticated cyberattack exploiting a critical vulnerability in Microsoft’s SharePoint server software has compromised hundreds of government agencies and organisations across Africa, with South Africa’s National Treasury among the most prominent victims in what security experts are calling one of the most significant cyber incidents of 2025.
The breach, orchestrated by multiple Chinese state-linked hacking groups identified by Microsoft as Linen Typhoon, Violet Typhoon, and Storm-2603, has exposed critical government systems to malware infections and potential data theft across the continent, raising urgent questions about the security of Africa’s digital infrastructure.
South Africa’s National Treasury confirmed the discovery of malware on its Infrastructure Reporting Model website, a critical platform used for government infrastructure reporting and document management. While officials stated that no immediate operational disruptions occurred, the breach has triggered emergency security audits and collaboration with Microsoft to address vulnerabilities.
The compromise is particularly concerning given the Treasury’s daily battle against cyber threats. ICT teams reportedly block approximately 5,800 security threats daily, processing over 200,000 emails and managing 400,000 web connections in an environment already under constant attack.
“Despite proactive defence measures, this breach underscores the persistent and evolving nature of threats facing South Africa,” Treasury officials acknowledged, noting that the country already ranks among the world’s top 30 most breached nations.
Continental Scale of Attack
Security firm Eye Security identified roughly 400 affected government agencies and organisations globally, a count that surged from about 60 within days. While the United States bore the brunt of the attacks, Mauritius and South Africa emerged as the major targets in Africa, with several other African nations also compromised.
The zero-day vulnerability in Microsoft SharePoint enabled attackers to access servers, steal authentication keys, and potentially impersonate users or compromise entire networks. Security experts warn that the breach could enable deep access, long-term infiltration, and extensive theft of confidential information.
Most alarmingly, the attackers are believed to have installed backdoors across compromised systems, allowing for persistent and stealthy surveillance or data theft that could continue undetected for months or years.
The attack targeted critical infrastructure, financial institutions, and state agencies across multiple sectors, exposing systemic vulnerabilities in widely used software across African government and business infrastructure. Organisations running self-hosted SharePoint solutions remain vulnerable if emergency patches are not urgently applied.
The breach has intensified pressure on both public and private organisations to conduct thorough cybersecurity audits, forensic investigations, and threat-hunting operations. However, cybersecurity analysts warn that applying patches alone may not remove threats already established within networks.
Long-term Reform Response
In response to the breach and broader cybersecurity challenges, South Africa is implementing sweeping long-term reforms designed to transform the country’s digital security posture:
Regulatory Overhaul: The Joint Standard on Cybersecurity and Cyber Resilience takes full effect on June 1, 2025, for all major financial institutions, requiring robust IT risk management and shifting cybersecurity governance from IT departments to board-level responsibility.
Government Modernization: A comprehensive digital transformation roadmap spanning 2025-2030 includes digital identity systems, modernized public service delivery, and integrated platforms designed to reduce fraud and strengthen access controls.
Enhanced Enforcement: Additional provisions of the Cybercrimes Act are being enacted throughout 2025, including mandatory cyberattack reporting, stricter penalties for cybercriminal activities, and enhanced international law enforcement cooperation.
National Security Integration: The government’s 2024-2028 National Security Strategy emphasises counter-intelligence, protective security, and continuous vulnerability assessments across government systems and critical infrastructure.
The incident reveals the urgent need for Africa’s digital infrastructure to evolve from reactive security measures to proactive resilience strategies. The attack’s scope and sophistication demonstrate that African governments and businesses can no longer rely solely on traditional cybersecurity approaches.
Financial and operational burdens for municipalities and government bodies are mounting as they scramble to remediate after cyberattacks, often requiring expedited procurement of cybersecurity experts and causing revenue losses during recovery periods.
Microsoft has responded with emergency patches and global warnings, urging all SharePoint users to update systems immediately. The tech giant is working with affected entities and international cyber agencies to investigate the full extent of the compromise.
Security experts stress that the Microsoft SharePoint hack represents more than just another cyber incident – it’s a wake-up call for African governments and businesses to fundamentally rethink their approach to digital security. The persistent nature of the backdoors installed by attackers means that even patched systems may remain compromised.
“Organisations must adopt an ‘assume breach’ security posture,” cybersecurity analysts warn, emphasizing that traditional defensive measures are no longer sufficient against state-sponsored actors with advanced persistent threat capabilities.
As investigations continue, the true scope of data accessed or stolen remains unclear. However, the incident has already catalyzed the most comprehensive cybersecurity reform effort in South African history, with implications extending across the African continent.
The breach serves as a stark reminder that in an interconnected world, cybersecurity is not just a technical issue but a matter of national security, economic stability, and public trust in digital governance systems that citizens increasingly depend upon.