Unidentified Malware Found on South Africa's Treasury Online Platform, Adding to Escalating Cybersecurity Threats

The Treasury swiftly segregated the afflicted IRM servers for examination, aiming to ascertain the depth of the intrusion and safeguard their infrastructure.

Cybersecurity concerns escalate as malware is found within South Africa's Treasury Infrastructure Portal, raising fears about potential threats to the country's fiscal systems.

South African National Treasury Responds to Malware Incident on IRM Website

The South African National Treasury is currently assessing the extent of a compromise on its Information and Communication Technology (ICT) servers, following the discovery of malware on its Infrastructure Reporting Model (IRM) website on Tuesday, 22 July 2025.

The IRM system, which is used for online infrastructure reporting and monitoring, was found to be compromised by malware linked to a widespread global cyberattack exploiting vulnerabilities in Microsoft server software, specifically Microsoft SharePoint.

In response, the Treasury immediately isolated the affected IRM servers to assess the extent of the infiltration and to ensure the security of its systems. Despite this incident, its wider IT systems and websites continued to operate normally, reporting no disruptions.

Because the incident occurred amid a global wave of attacks exploiting a zero-day vulnerability in Microsoft SharePoint server software, the National Treasury requested Microsoft's assistance in identifying and addressing any potential vulnerabilities within its IT environment.

The Treasury's ICT department processes over 200,000 emails daily and facilitates more than 400,000 user connections to its websites. The department successfully detects and blocks approximately 5,800 security threats each day, including phishing attempts, malware infections, and spam attacks.

The zero-day vulnerability meant that Microsoft had no advance warning and responded only after active exploitation was observed. Security firms confirmed that by that Tuesday, at least 100 servers across 60 organizations globally were compromised, including South African entities.

This incident on the South African National Treasury's IRM website underscores the ongoing cybersecurity challenges faced by governmental institutions globally. The Treasury emphasised that it is taking steps to secure its IRM website following the discovery of malware, and that its focus remains on maintaining the security of its systems and the integrity of its data.

In summary, the incident involved malware linked to a zero-day exploit affecting Microsoft server software, specifically impacting the IRM website. National Treasury acted rapidly by isolating servers and seeking Microsoft's expertise to mitigate the threat while maintaining normal operational functions. The Treasury continues to work diligently to secure its systems and ensure the continued smooth operation of its IT infrastructure.

  1. The malware incident on the South African National Treasury's IRM website highlights the importance of data and cloud-computing security.
  2. In the realm of cybersecurity, the South African National Treasury is taking active steps to secure its infrastructure, following the discovery of malware on its IRM website, which was linked to a global cyberattack exploiting vulnerabilities in Microsoft technology.
  3. The incident on the IRM website served as a stark reminder of the necessity for robust cybersecurity measures, as the malware exploited a zero-day vulnerability in Microsoft SharePoint, a technology widely used across governmental institutions.
  4. The South African National Treasury's ICT department, which handles over 200,000 emails daily and more than 400,000 user connections to its websites, is vigilant in detecting and blocking approximately 5,800 security threats each day, underscoring the department's commitment to maintaining the security of its systems and the integrity of its data.
