The Namibia Airports Company (NAC), the state-owned entity responsible for managing Namibia's international and domestic airports, has confirmed that approximately 500GB of stolen data has been published on the dark web following a ransomware attack by the INC Ransomware Group. NAC detected the intrusion on March 6, 2026 and declined to pay the ransom demand, triggering the data release. The confirmed leaked data includes airport permit system files, parking management databases, engineering and project documents, financial records, and internal reports — a broad exposure of operational and infrastructure documentation for a nation's airport network. Airport operations and safety systems were not disrupted.
What Happened
On March 6, 2026, NAC detected unauthorized access to its systems and determined that approximately 500GB of data had been exfiltrated. The INC Ransomware Group issued an extortion demand accompanied by a threat to release the stolen data publicly if payment was not made. NAC implemented immediate containment measures, engaged the Namibia Cyber Security Incident Response Team (NAM-CSIRT), and introduced additional security controls. The company declined to pay the ransom.
Following non-payment, INC Ransomware made good on its threat and published the stolen data on its dark web leak site. NAC confirmed the publication, stating it is still verifying the full extent of the breach to determine whether sensitive personal information is included in the released dataset. The incident marks INC Ransomware's second confirmed attack on a Namibian public-sector organization — the group previously breached the Otjiwarongo Municipality.
NAC has committed to transparency and stated that further updates will follow as the investigation into the scope and impact of the data release continues.
What Was Taken
Based on NAC's preliminary assessment, the 500GB dump contains:
- Airport permit system files — operational permits, contractor authorizations, access credentials for airport facilities
- Parking management databases — potentially including vehicle registration data and payment records
- Engineering and project documents — infrastructure specifications, construction plans, system layouts for airport facilities
- Financial records — budgets, procurement data, vendor payment records, contracts
- Internal reports — operational reports, management communications, policy documents
NAC is still verifying whether the dataset contains personally identifiable information belonging to employees, contractors, or members of the public. The engineering and infrastructure documents are of particular concern: detailed facility layouts, security system configurations, and access control documentation for airport infrastructure represent a physical security risk beyond the typical data breach impact.
Why It Matters
Airports are dual-use critical infrastructure — civilian transport and national security assets. Engineering documentation and permit system files for an airport network expose physical security posture in ways that go well beyond the risks of a standard PII breach. In the wrong hands, detailed infrastructure schematics, access permit records, and contractor authorization files provide reconnaissance value for physical threats, not just cyber ones.
This is INC Ransomware's second confirmed hit on Namibian public sector infrastructure within a year, indicating the group has either specifically targeted the region or found it consistently accessible. NAM-CSIRT's public attribution to INC and the group's documented double-extortion playbook signal a sophisticated, financially motivated operation with a pattern of following through on leak threats when victims decline to pay.
The 500GB volume is substantial. The combination of financial records, project documents, and operational databases gives any party accessing the leak site a detailed picture of NAC's vendor relationships, infrastructure investment priorities, and internal workflows — intelligence that could be leveraged for follow-on social engineering, supply chain attacks, or competitive intelligence theft.
The broader signal for African critical infrastructure operators: INC Ransomware is actively targeting the region, and public-sector organizations with limited security budgets remain high-probability victims.
The Attack Technique
INC Ransomware's documented operational methodology, as confirmed by NAM-CSIRT, employs double-extortion: data is exfiltrated before encryption, ensuring leverage even against organizations with functional backups. Known INC Ransomware TTPs include:
- Initial access via phishing or exploitation of public-facing applications — INC has been observed leveraging vulnerabilities in internet-facing systems including Citrix NetScaler and similar remote access infrastructure, as well as spearphishing campaigns targeting employees with network access.
- Credential harvesting and privilege escalation — Following initial access, the group uses tools including Mimikatz and living-off-the-land techniques to harvest credentials and escalate to domain admin.
- Lateral movement and network reconnaissance — The group maps the environment over an extended period, identifying backup infrastructure and high-value data repositories before triggering the final attack phase.
- Staged data exfiltration — 500GB of data represents a significant staging and transfer operation. INC uses cloud storage services and custom infrastructure for bulk exfiltration prior to encryption.
- Ransomware deployment and extortion — Encryption is deployed network-wide after exfiltration is complete, maximizing the ransom pressure from both operational disruption and data leak threat.
The specific initial access vector for the NAC intrusion has not been publicly confirmed.
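How the staged exfiltration step described above can surface in egress telemetry, as an added example that is not taken from NAC, NAM-CSIRT or any vendor tooling: the check flags hosts whose daily outbound volume jumps far above their own baseline, so a steady high-volume backup host stays quiet. Host names, domains, flow records and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

GB = 1024 ** 3

# Constructed sample: daily outbound totals per internal host and external
# destination, as summarised from proxy or NetFlow logs. All names are made up.
DAYS = ["2025-01-0%d" % d for d in range(1, 7)]
FLOWS = []
for day in DAYS:
    FLOWS.append((day, "bk-01", "backup.vendor.example", 40 * GB))  # nightly backup
    FLOWS.append((day, "ws-fin07", "mail.example", 1 * GB))
    FLOWS.append((day, "fs-eng01", "updates.example", GB // 4))
# Bulk upload from a file server to a cloud storage domain on two days.
FLOWS += [("2025-01-05", "fs-eng01", "files.cloud.example", 60 * GB),
          ("2025-01-06", "fs-eng01", "files.cloud.example", 90 * GB)]


def flag_bulk_egress(flows, min_bytes=10 * GB, ratio=5.0, min_history=3):
    """Return (day, host, bytes_out, baseline, top_destination) for each day a
    host sends at least min_bytes and more than ratio x its own prior median."""
    daily = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, dst, nbytes in flows:
        daily[host][day][dst] += nbytes

    alerts = []
    for host, per_day in daily.items():
        history = []  # totals of earlier, non-flagged days for this host
        for day in sorted(per_day):
            by_dst = per_day[day]
            total = sum(by_dst.values())
            if len(history) >= min_history:
                base = median(history)
                if total >= min_bytes and total > ratio * base:
                    top_dst = max(by_dst, key=by_dst.get)
                    alerts.append((day, host, total, base, top_dst))
                    continue  # keep anomalous days out of the baseline
            history.append(total)
    return sorted(alerts)


if __name__ == "__main__":
    for day, host, total, base, dst in flag_bulk_egress(FLOWS):
        print(f"{day} {host}: {total / GB:.1f} GB out "
              f"(baseline {base / GB:.2f} GB), mostly to {dst}")
```

The absolute floor and the ratio both need tuning per environment; a host with fewer than `min_history` days of data is never flagged, so new servers need a separate review.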
What Organizations Should Do
- Treat engineering and infrastructure documentation as crown-jewel data — Airport operators, utilities, and critical infrastructure organizations frequently underclassify technical and operational documents relative to their actual sensitivity. Schematics, access control configurations, and permit databases should be subject to the same access controls, encryption at rest, and audit logging as financial or personnel records.
- Segment operational technology from corporate IT networks — NAC confirmed airport operations were unaffected, which suggests some degree of OT/IT separation was in place. Organizations that have not yet fully segmented operational systems from corporate networks should treat this as a top-priority control — ransomware that reaches OT environments can create physical safety consequences.
- Implement and test offline, immutable backups — INC Ransomware's double-extortion model means that even organizations with clean backups still face a data leak threat. However, reliable backups eliminate the operational disruption leverage entirely. Verified, air-gapped backups are non-negotiable for critical infrastructure operators.
- Audit and restrict remote access infrastructure — INC Ransomware frequently exploits Citrix, VPN, and RDP-adjacent systems. Organizations should audit all internet-facing remote access points for patch currency, enforce MFA on all remote sessions, and consider replacing legacy VPN infrastructure with zero-trust network access solutions.
- Establish a pre-negotiated incident response retainer — Public-sector organizations in developing markets often lack internal IR capacity matched to a sophisticated ransomware operation. A pre-negotiated relationship with a qualified IR firm — ideally with regional experience — compresses response time from days to hours at the moment it matters most.
- Coordinate with national CSIRT resources proactively, not reactively — NAM-CSIRT was engaged after the breach. Critical infrastructure operators should establish relationships with national cybersecurity authorities before an incident — sharing threat intelligence, participating in exercises, and establishing communication protocols so that incident response coordination begins in minutes rather than days.