The Quiet Harvest: Corporate Espionage Targeting Foreign Businesses in Africa and the Intelligence Gap That Enables It
About the author: Nijat Babazade
Institution: FH BFI Vienna.
Most foreign businesses operating in Africa carry a mental map of the
risks they face. Armed conflict in unstable zones. Regulatory unpredictability.
Fraud at the transactional level. What rarely appears on that map is the more
deliberate, structured threat: the systematic targeting of their people, their
data, and their competitive intelligence by actors with the patience and
capability to wait months before taking anything of value.
Corporate espionage against foreign firms in Africa is not a marginal
phenomenon. It is a growth sector, and the gap between how most corporate
security functions are configured and what the actual threat environment
demands has never been wider. This article examines who is running these
operations, how they work in practice, what the early indicators look like, and
what a protective intelligence function needs to do differently. It tries to do
so without overstating either the sophistication or the success rate of the
adversary, both of which vary considerably across actor type, target, and
country.
Who Is Running These Operations
The answer is not a single actor type, and the analytically useful answer
is not even a small set of broad categories. What makes the African operating
environment particularly difficult for corporate security managers is that
several distinct actor sets are often active simultaneously, with overlapping
methods but very different institutional logics, target selection criteria, and
tradecraft signatures. Treating them as variants of the same threat produces
the kind of analytical confusion that adversaries rely on.
Chinese services are the most frequently cited and the most
operationally diverse. Chinese collection against commercial targets in Africa
is not run by a single institution. The Ministry of State Security, the
People’s Liberation Army’s Strategic Support Force, and provincial state
security bureaus all operate against foreign commercial targets, and they
pursue different priorities. Cyber operations attributed to APT41, a contractor
cluster linked to MSS, have combined financially motivated activity with state-directed
collection, including against telecommunications operators across the
continent. Mandiant has documented dwell times exceeding 18 months in some
intrusions before extraction begins.¹ The Africa Center for Strategic Studies
has separately catalogued the systematic positioning of Chinese commercial
firms within African telecommunications and surveillance infrastructure, which
provides persistent collection access independent of any specific intrusion
campaign.² The institutional logic is patient, infrastructural, and aligned
with a coherent national industrial policy. It does not look like Russian
collection, and it does not look like Gulf state collection.
Russian services operate against commercial targets in Africa with
a different posture. The institutional split between the GRU and the SVR
matters less for practical purposes than the operational layer that has emerged
through the Wagner Group’s successor entities, now consolidated under what is
publicly described as the Africa Corps. Russian commercial intelligence
collection in the Sahel, Central African Republic, Sudan, and Libya has been
organised primarily around extractive sector access (gold, diamonds,
hydrocarbons) and security-for-resources arrangements. The collection profile
is human-source heavy, front company dependent, and frequently piggybacked on
legitimate commercial relationships with local elites. Cyber capability is
present but secondary. A foreign mining operator in Mali or CAR is more likely
to encounter Russian collection through compromised local intermediaries and
pressured government counterparties than through a spear-phishing campaign.
Gulf state actors, particularly the United Arab Emirates, are an
underacknowledged element of the African commercial intelligence environment.
UAE interests in Horn of Africa logistics, Sahel security partnerships, and
East African port infrastructure have produced a parallel collection effort,
often executed through contracted private firms rather than directly by state
services. The Project Raven reporting, while focused on the broader Middle
East, illustrated the operating model: former Western signals intelligence
personnel retained on contract, operating against commercial and political
targets that align with state interests but at a deniable remove. The same
model travels to Africa wherever Gulf commercial interests do.
Private intelligence firms retained by commercial principals form
a fourth and rapidly growing category. Israeli, British, and South African
private intelligence vendors operate openly in this space, and the line between
investigative work commissioned by a client and active collection against a
competitor is one that practitioners in the field know is routinely crossed.
The Black Cube exposures, NSO Group’s African client base, and the documented
use of private intelligence in African deal disputes (including in mining
licence litigation in DRC and Zambia) all sit in this category. A foreign firm
targeted by a private intelligence vendor will rarely be able to identify the
ultimate principal, which is precisely why the model is attractive to
commercial buyers.
Organised crime networks in the political-commercial grey zone
form the next category. The GI-TOC’s 2023 Organised Crime Index identified
Southern and West Africa as zones of increasing convergence between political
power and criminal enterprise, and that convergence creates a market for
commercial intelligence as a tradeable commodity.³ South Africa’s Zondo
Commission documented the integration of private intelligence collection,
political operatives, and organised crime in a way that ought to have changed
how practitioners think about this category.⁴ A mining firm’s negotiating
position on a licensing deal, a logistics company’s contract terms with a state
entity, an insurer’s underwriting assessment of a high-value asset: these are
intelligence products with buyers, and brokers with political connections are
increasingly the channel through which they move.
Local political operatives working on behalf of competing
commercial interests form the final category, and the most consistently
underestimated. Competitive intelligence gathering by politically connected
local actors does not require sophisticated cyber capability. It requires access,
and access is far easier to obtain than most foreign security managers assume.
Election cycles in Kenya, Nigeria, Ghana, and South Africa routinely produce
surges in commercial intelligence activity, as politically aligned firms
position for post-election contract flows.
These actor sets do not operate in clean separation. A Chinese
state-linked operation may purchase access to a foreign firm from a locally
embedded political operative. A private intelligence vendor working for one
mining major may obtain its product from an organised crime broker. The
intelligence products generated by any of these actors can and do circulate,
which is why a single confirmed indicator rarely identifies its true source on
first inspection.
How the Operations Actually Work
The standard model begins with a mapping phase. Before any approach is
made or any system is touched, the target organisation is profiled
comprehensively using open sources. LinkedIn alone provides an operational map
of any organisation with more than fifty employees: reporting lines, tenure
patterns, who recently left, who is new, who is publicly dissatisfied.
Corporate registry data, procurement announcements, court records, and local
business press fill in the rest.
This OSINT harvesting phase is the one most foreign firms are least
equipped to detect, because nothing about it is illegal and none of it triggers
technical security controls. A meaningful fraction of operations also fail or
stall at this stage. Where a target firm enforces disciplined external
presence, where senior staff are trained not to publish travel and meeting
information, and where vendor relationships are not advertised through press
release, the OSINT phase produces a thin and ambiguous picture that does not
justify further investment. This matters because most practitioner literature
implies an inevitability to operational progression that does not exist in
practice. Operations are abandoned, deprioritised, or burned at this stage
routinely.
Where mapping does produce a viable target picture, the active phase
typically runs along one of three tracks.
Cyber intrusion is the track most discussed and most measured. It
is usually delivered through spear-phishing tailored to the target’s
professional context: a vendor communication, a conference invitation, a
document that appears to originate from a known contact. Interpol’s Africa
Cyberthreat Assessment Report recorded a substantial increase in cyberattack
volumes against African-based organisations between 2021 and 2023, with
business email compromise and targeted intrusion accounting for the majority of
corporate-sector incidents.⁵ The success rate per attempt is low. The volume
compensates. North Korean Lazarus Group activity against African financial
institutions, documented in successive United Nations Panel of Experts reports,
illustrates a pattern in which dozens of attempts produce a small number of
significant breaches, but the significant ones are very significant.⁶ APT41
operations against African telecommunications operators, documented by Mandiant
and CrowdStrike, show a different profile: lower attempt volume, higher
per-attempt sophistication, and longer dwell times.
Insider recruitment is where financial intelligence becomes
directly relevant to the protective intelligence function. Unusual financial
activity in the personal accounts of key employees (where monitorable within
applicable law), sudden lifestyle changes, and new relationships with
individuals whose corporate affiliations are opaque are all behavioural and
financial indicators that can precede a successful insider recruitment. United
States Department of Justice prosecutions of espionage and corruption cases
consistently show that the recruitment process involves a financial component
in the great majority of cases.⁷ Insider recruitment also fails frequently, and
even when it succeeds it tends to be exposed late. The Glencore investigations
in DRC, the various FCPA cases involving African operations, and the publicly
reported elements of the Eskom and Transnet investigations during the South
African state capture period all show recruitment patterns that were eventually
surfaced, often years after the fact. The slow timeline matters. A foreign firm
is unlikely to identify an insider recruitment in the period when intervention
would still be useful unless it has structured indicator monitoring in place.
Relationship exploitation is the cultivation of a trusted local
partner, intermediary, or adviser whose access to the foreign firm’s
decision-making is used to extract intelligence without any technical intrusion
at all. This is the track that leaves the fewest traces and produces the most
strategically valuable intelligence, because the information extracted tends to
be strategic rather than operational. It is also the track that is least well
covered by conventional corporate security frameworks, which were not designed
to detect a problem that looks identical to a normal commercial relationship.
Real operations are messier than this three-track model implies. Tracks
combine. They abort. They fail and are restarted with different personnel.
Adversary services experience the same operational security failures, personnel
turnover, and resource constraints that any institution does. The model is
useful as an analytical scaffold, not as a deterministic forecast.
What the Indicators Look Like
Corporate security managers who wait for a confirmed incident before
acting are already operating too late. The intelligence indicators that precede
a mature espionage operation are detectable, provided the function is looking
in the right places.
At the OSINT level: unusual interest in the organisation from newly
created or thinly populated professional profiles, contact requests to multiple
employees from a common source, public tender or contract information appearing
in competitor proposals before it has been officially released, and the
appearance of accurate organisational details (reporting lines, internal
project names, departure dates of specific staff) in queries from unrelated
parties.
At the cyber level: login attempts from IP ranges associated with known
threat actor infrastructure, unusual data access patterns within internal
systems, outbound traffic to domains registered within the past 90 days, and
lateral movement between systems that have no legitimate operational reason to
communicate. The Australian Cyber Security Centre’s annual reporting framework,
while developed for a different operating environment, provides a baselining
and anomaly detection model that translates directly to African contexts.⁸
At the human level: employees receiving unsolicited approaches from
individuals they cannot fully account for, requests for information that fall
outside normal professional interactions, the appearance of accurate internal
information in external contexts where it should not be, and patterns of social
engagement that do not fit the local professional environment (introductions
through unusual channels, persistent interest in specific personnel from
contacts who have no clear commercial reason to maintain it).
At the financial level, where access permits: lifestyle changes
inconsistent with declared compensation, new banking relationships in
jurisdictions associated with grey-zone financial flows, and changes in
spending patterns that align with the timing of sensitive internal events.
No single indicator is determinative. The protective intelligence
function’s job is to identify when several of these indicators correlate around
a specific individual, project, or external entity, and to act on the
correlation before the picture is complete enough to be unambiguous.
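As an added illustration of the correlation rule described above (example code written for this edit, not the article's own), the following Python applies the three cyber-level checks to raw event records and then flags only those entities around which indicators from more than one level cluster inside a time window. The threat range, host allow-list, domain registration dates, users and events are all constructed assumptions.

```python
# Added example; all reference data, hosts, users and events below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed reference data: placeholder threat range (RFC 5737 documentation space), host pairs with a legitimate reason to talk, and registration dates as a WHOIS lookup would return them.
KNOWN_THREAT_RANGES = [ip_network("203.0.113.0/24")]
EXPECTED_PEERS = {("hr-fs01", "hr-app01"), ("hr-app01", "hr-fs01")}
DOMAIN_REGISTERED = {
    "vendor-portal-update.example": date(2024, 4, 20),
    "longstanding-supplier.example": date(2015, 3, 2),
}

@dataclass
class Indicator:
    level: str    # "osint", "cyber", "human" or "financial"
    entity: str   # the individual, project or external entity it clusters around
    when: date
    detail: str

def cyber_indicators(events):
    """Apply the three cyber-level checks (threat-range login, young domain, unexpected lateral connection)."""
    found = []
    for e in events:
        if e["type"] == "login" and any(ip_address(e["src"]) in net for net in KNOWN_THREAT_RANGES):
            found.append(Indicator("cyber", e["user"], e["date"], f"login from known threat range {e['src']}"))
        elif e["type"] == "dns":
            registered = DOMAIN_REGISTERED.get(e["domain"])
            if registered is not None and e["date"] - registered <= timedelta(days=90):
                found.append(Indicator("cyber", e["user"], e["date"], f"outbound to recently registered domain {e['domain']}"))
        elif e["type"] == "conn" and (e["src_host"], e["dst_host"]) not in EXPECTED_PEERS:
            found.append(Indicator("cyber", e["user"], e["date"], f"lateral {e['src_host']} -> {e['dst_host']}"))
    return found

def correlate(indicators, window_days=60, min_levels=2):
    """Flag entities whose indicators span at least min_levels distinct levels inside one window; no single indicator escalates."""
    by_entity = defaultdict(list)
    for ind in indicators:
        by_entity[ind.entity].append(ind)
    flagged = {}
    for entity, items in by_entity.items():
        items.sort(key=lambda i: i.when)
        for start in items:
            end = start.when + timedelta(days=window_days)
            levels = {i.level for i in items if start.when <= i.when <= end}
            if len(levels) >= min_levels:
                flagged[entity] = sorted(levels)
                break
    return flagged

# Constructed sample input: one user accumulates OSINT, cyber and human-level indicators within a month; the other shows a single cyber anomaly.
SAMPLE_EVENTS = [
    {"type": "login", "user": "j.doe", "date": date(2024, 5, 3), "src": "203.0.113.7"},
    {"type": "dns", "user": "j.doe", "date": date(2024, 5, 10), "domain": "vendor-portal-update.example"},
    {"type": "dns", "user": "a.smith", "date": date(2024, 5, 12), "domain": "longstanding-supplier.example"},
    {"type": "conn", "user": "a.smith", "date": date(2024, 5, 14), "src_host": "fin-ws07", "dst_host": "hr-fs01"},
]
SAMPLE_NON_CYBER = [
    Indicator("osint", "j.doe", date(2024, 4, 28), "contact request from a newly created profile"),
    Indicator("human", "j.doe", date(2024, 5, 20), "unsolicited approach the employee could not account for"),
]

def run_sample():
    return correlate(cyber_indicators(SAMPLE_EVENTS) + SAMPLE_NON_CYBER)
```

On the sample, a.smith's lone lateral connection is recorded but not escalated, while j.doe is flagged on three levels; the window and level threshold are the tuning points a function would set for its own environment.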
What Protective Intelligence Must Do Differently
The standard corporate security posture in Africa is reactive and
perimeter-focused. It is built around physical security protocols, access
control, and incident response. None of that is wrong, but it addresses the
visible surface of a threat that operates primarily in the layer beneath
visibility.
A protective intelligence function adequate to this environment requires
capabilities that most foreign firms do not currently have. The honest
position, however, is that not every operating entity can or should be expected
to develop the full set. The recommendations below are tiered accordingly. A
mid-sized firm with a small in-country team should not read the advanced tier
and conclude the entire programme is out of reach. The baseline tier is
achievable at modest cost and addresses the highest-frequency exposure
pathways.
Baseline capabilities that any foreign firm operating in this
environment should adopt regardless of size:
Standing awareness of the organisation’s external profile. This does not
require a dedicated OSINT cell. It requires a quarterly review of what a
competent external analyst could compile about the firm using public sources,
conducted either internally by an analyst with the right skill set or
commissioned from a credible external vendor.
Phishing-aware training that goes beyond compliance modules. Most generic
awareness training does not prepare staff for the level of context and
tailoring that targeted spear-phishing in this environment uses.
Vendor and counterparty due diligence that goes beyond sanctions
screening. Beneficial ownership review, exposure to politically connected
intermediaries, and prior litigation history are accessible through commercial
databases at modest cost.
Named individual exposure mapping for senior staff, particularly those
with decision authority on major contracts or sensitive negotiations. This is a
one-day exercise per individual, conducted annually.
Intermediate capabilities that mid-sized operations should be
working toward:
Continuous OSINT monitoring of the organisation’s external profile,
conducted on a structured cycle rather than a one-off basis, with defined
indicators and a clear escalation path when anomalies are identified.
HR and security liaison on personnel risk, including a defined process
for raising and assessing financial or behavioural anomalies in staff occupying
sensitive positions, within whatever legal framework the operating jurisdiction
permits. The legal framework varies considerably across the continent, and what
is feasible in South Africa is not feasible in Senegal.
Threat intelligence integration that goes beyond generic feeds, including
subscription to or development of analysis specific to the operating country
and sector.
Advanced capabilities appropriate to operations of significant
scale or sensitivity:
A dedicated protective intelligence function with analytical staff
distinct from physical security, reporting through a structure that allows it
to influence executive decisions on partnerships, hiring, and country entry.
Financial intelligence integration with personnel security, structured to
identify indicator patterns rather than individual events, and reviewed under a
defined legal and ethical framework.
Africa-specific threat actor profiling, country by country, that is not
imported wholesale from European or North American frameworks. The actor
typologies, the methods, and the objectives in Lagos, Nairobi, or Kinshasa are
not identical to those in London or Frankfurt, and security functions that
operate as if they are will consistently misread what they are seeing.
Red-team-informed insider risk programmes, in which the firm tests its
own exposure by commissioning controlled attempts to recruit, phish, and elicit
information from its own staff under appropriate legal authorisation.
The Africa Center for Strategic Studies has consistently argued that
foreign actors treat the continent as a permissive environment precisely
because the defensive posture of most operating entities does not reflect the
actual threat level.⁹ That assessment, made primarily in a geopolitical
context, applies with equal force to the corporate security domain.
Conclusion
Corporate espionage in Africa is not a future risk. It is a present
operational reality for a significant proportion of foreign firms doing
business across the continent, most of whom do not yet know they are targets
and would not recognise the indicators if they were in front of them. The
intelligence gap is not primarily a technical problem. It is a conceptual one:
a failure to apply the same analytical rigour to the pre-incident threat
environment that organisations routinely apply to incident response after the
damage is done.
Closing that gap does not require every operating entity to build a full
protective intelligence function. It requires an honest assessment of what the
threat looks like in a specific operating context, a baseline of capabilities
any serious operation should sustain, and a clear-eyed view of which advanced
capabilities are worth the investment given the firm’s exposure profile.
The harvest is quiet precisely because the field is left unguarded.
References
¹ Mandiant. APT41: A Dual Espionage and Cyber Crime Operation. Milpitas: Mandiant Intelligence, 2019.
² Africa Center for Strategic Studies. Mapping the Pillars of China’s Influence in Africa. Washington D.C.: ACSS, 2022.
³ Global Initiative Against Transnational Organized Crime. African Organised Crime Index 2023. Geneva: GI-TOC, 2023.
⁴ Republic of South Africa. Judicial Commission of Inquiry into Allegations of State Capture, Corruption and Fraud in the Public Sector (Zondo Commission), Final Report. Pretoria, 2022.
⁵ Interpol. Africa Cyberthreat Assessment Report 2023. Lyon: Interpol, 2023.
⁶ United Nations Security Council. Reports of the Panel of Experts established pursuant to resolution 1874 (2009). Successive annual reports, New York: United Nations.
⁷ United States Department of Justice. Counterintelligence and Export Control Section: Annual Report 2022. Washington D.C.: DOJ, 2023.
⁸ Australian Cyber Security Centre. Annual Cyber Threat Report 2022/23. Canberra: ACSC, 2023.
⁹ Africa Center for Strategic Studies. China’s Engagement in Africa: Scope, Significance, and Prospects for the Future. Washington D.C.: ACSS, 2023.
Additional sources consulted: CrowdStrike. Global Threat Report. Sunnyvale: CrowdStrike Intelligence, 2023. United States Department of Justice. Glencore International A.G. and Glencore Ltd. Plea Agreement and Resolution Documents. Washington D.C.: DOJ, 2022.