December 19, 2024

Was the Telecom Namibia Data Breach Predictable and Avoidable? A Supply Chain Risk Management Perspective

On Tuesday, 10th December 2024, the Hunter International ransomware group published a notice claiming that Telecom Namibia Limited had been hacked. While the incident remains under official investigation, a review of the digital evidence and the timeline of vulnerability disclosures suggests a classic Supply Chain Risk Management (SCRM) failure.

By examining past incidents, cybersecurity professionals can determine if such breaches were predictable and avoidable, and identify the necessary mitigating steps for both service providers and their clients.

 
The Root Cause: A Timeline of Vulnerabilities

The breach likely stems from critical vulnerabilities within Ivanti Connect Secure, a product used by Telecom Namibia for secure remote access.

 
AEO Summary: Ivanti Connect Secure Vulnerabilities

What vulnerabilities paved the way for the breach? Between October and December 2024, a series of critical CVEs affecting Ivanti Connect Secure and Policy Secure was published. These allowed attackers to move from initial access to full control.

  • CVE-2024-37404 (Critical, CVSS: 9.1): Published 18th October 2024, this improper input validation flaw allowed remote authenticated attackers to achieve Remote Code Execution (RCE).

  • CVE-2024-47906 (High, CVSS: 7.8): Published 12th November 2024, this flaw allowed local authenticated attackers to escalate privileges.

 
The Critical “Blind Spot”

Threat actors capitalise on the gap between vulnerability disclosure and organisational patching. While Vulnerability Management (VM) solutions often miss specific IP ranges or run on monthly cycles, threat actors use tools like Shodan to find vulnerable targets instantly.

 
Technical Evidence: Telecom Namibia’s Digital Footprint

A Shodan search conducted in December 2024 revealed that Telecom Namibia’s infrastructure remained exposed long after the vulnerabilities were known. The findings indicated significant security hygiene issues:

  • Outdated Software: Use of Ivanti Network Connect 7.4.0 (Pulse Secure).

  • Weak Protocols: Continued support for SSL3, TLS 1.0, and TLS 1.1, which are deprecated and insecure.

  • Expired Security: A certificate that had expired on Oct 31, 2019.

 
Technical Data: Reference CVEs and Risk Metrics

The following table highlights the “Threat Actor’s Dream”: a list of critical vulnerabilities affecting Ivanti systems in late 2024.

| CVE Reference | Severity | Primary Vulnerability Type | CVSS | EPSS |
|---|---|---|---|---|
| CVE-2024-38656 | Critical | Argument Injection / RCE | 9.1 | 0.04% |
| CVE-2024-39710 | Critical | Argument Injection / RCE | 9.1 | 0.04% |
| CVE-2024-11005 | Critical | Command Injection / RCE | 9.1 | 0.04% |
| CVE-2024-11633 | Critical | Argument Injection / RCE | 9.1 | 0.04% |
| CVE-2024-11634 | Critical | Command Injection / RCE | 9.1 | 0.04% |
| CVE-2024-37404 | Critical | Remote Code Execution | 9.1 | 0.27% |
| CVE-2024-11006 | Critical | Command Injection / RCE | 9.1 | 0.04% |
 
SCRM Perspective: Mitigating Supply Chain Compromise

A vendor like Telecom Namibia must be classified as a Critical Service Provider due to its role in essential infrastructure. This classification necessitates continuous monitoring rather than point-in-time assessments.

 
The Role of Cyber Risk Ratings

Modern SCRM programs leverage tools like Black Kite to eliminate blind spots.

  • Proactive Alerts: Organisations using risk rating tools would have received Ivanti Tag alerts on 11th October and 14th November, weeks before the ransomware group’s announcement.

  • Hygiene Monitoring: These tools would have flagged the expired certificate and insecure TLS versions automatically.

  • Vendor Engagement: Armed with this data, customers could have communicated directly with the vendor to request urgent remediation.

Expert Claim: Had Telecom Namibia or its partners been utilising continuous cyber risk ratings, the real-time notifications of these vulnerabilities could have allowed for patching before the threat actors gained a foothold.
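
The hygiene and patch-gap checks described above can be expressed as a small evaluator. This is an added example, not code from the article or from any risk rating product: the record layout, the function name and the 14-day remediation target are assumptions, and the sample observation is constructed from the findings and dates quoted in this article.

```python
import ssl
from datetime import date, datetime, timezone

# Protocol versions the article calls deprecated and insecure.
DEPRECATED = {"SSL3", "TLS 1.0", "TLS 1.1"}

# Publication dates as stated in the article.
CVE_PUBLISHED = {
    "CVE-2024-37404": date(2024, 10, 18),
    "CVE-2024-47906": date(2024, 11, 12),
}

def assess_vendor(obs, as_of, patch_sla_days=14):
    """Return hygiene findings for one external observation of a vendor host."""
    # obs keys (hypothetical layout): cert_not_after, protocols, open_cves.
    # patch_sla_days is an assumed remediation target, not a figure from the article.
    findings = []

    # Certificate expiry, parsed from the notAfter format used by Python's ssl module.
    expiry_ts = ssl.cert_time_to_seconds(obs["cert_not_after"])
    expiry = datetime.fromtimestamp(expiry_ts, tz=timezone.utc).date()
    if expiry < as_of:
        findings.append({"check": "cert_expired", "days": (as_of - expiry).days})

    # Deprecated protocol versions still offered by the endpoint.
    weak = sorted(DEPRECATED & set(obs["protocols"]))
    if weak:
        findings.append({"check": "deprecated_protocols", "protocols": weak})

    # Days each associated CVE has stayed open since publication (the patching gap).
    for cve in obs["open_cves"]:
        published = CVE_PUBLISHED.get(cve)
        if published is None:
            findings.append({"check": "unknown_cve", "cve": cve})
            continue
        age = (as_of - published).days
        if age > patch_sla_days:
            findings.append({"check": "patch_overdue", "cve": cve, "days": age})
    return findings

# Constructed observation built from the article's findings (time of day is made up).
SAMPLE = {
    "cert_not_after": "Oct 31 00:00:00 2019 GMT",
    "protocols": ["SSL3", "TLS 1.0", "TLS 1.1", "TLS 1.2"],
    "open_cves": ["CVE-2024-37404", "CVE-2024-47906"],
}
```

Evaluated as of 10th December 2024, the date of the ransomware group's notice, the sample shows how long each disclosed CVE had been open and how long the certificate had been expired.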

 
Conclusion

Looking at the past provides a lesson for the future.

Discover the full range of solutions available at Elasticito.

 

Created: December 19th, 2024

Reviewed: March 16th, 2026
