Alarm as hackers target state offices in brazen cyber attack

A hacking group calling itself Anonymous Sudan claimed responsibility for the attack that saw the e-citizen platform taken down for several hours. [iStockphoto]

Hackers targeted several key public offices in a brazen cyber attack that has exposed vulnerabilities in systems that hold sensitive private data on millions of Kenyans.

A hacking group calling itself Anonymous Sudan claimed responsibility for the attack, which saw the e-citizen platform taken down for several hours and left Kenyans unable to access several public services.

“You have to respect Sudan,” the group posted on its Telegram Channel. “We want to inform you that many passports of Kenyan citizens have been stolen from a government centre. All data will be sold after we finish stealing everything.”

ICT Cabinet Secretary Eliud Owalo on Thursday confirmed that there had been a distributed denial-of-service (DDoS) attack on the platform, but said that the attackers did not steal any data. 

Safaricom customers yesterday took to social media to express frustration at being unable to use M-PESA and business apps for the better part of the day. The firm’s USSD service, however, remained active, and the company had a hard time explaining the situation.

“Apologies for the inconvenience. We are having challenges on the platform. Once resolved you will be notified,” Safaricom explained to a customer on social media.

At the same time, several banks including Stanchart, Stanbic, and NCBA informed customers that mobile banking services were temporarily unavailable.

“Our online banking and mobile banking services are unavailable. We are working to restore the services and apologise for any inconvenience caused. Our ATMs/cash deposit machines remain available,” Stanchart wrote to its customers.

“Regrettably, Safaricom is experiencing a downtime which is affecting transactions. Our team is, however, working to restore the service as soon as possible. We apologize for the inconvenience caused,” NCBA said. 

Electricity distributor Kenya Power issued a statement following reports that customers were unable to buy pre-paid tokens.

“We are experiencing a system hitch due to a network breakdown from our service provider,” Kenya Power said. “Consequently, some of our services such as the purchase of prepaid tokens through M-PESA and USSD Code *977# are unavailable.”

A letter from the National Computer and Cybercrimes Coordination Committee appeared to confirm the wave of attacks. Dated Monday, July 24th, the date the Anonymous Sudan group put the world on notice, the letter talked of “increased/abnormal global internet traffic targeted at several critical information infrastructures in Kenya.”

The letter, addressed to the Kenya Education Network Trust (KENET), said the attacks aimed to disrupt essential services, particularly in the telecommunications, banking and education sectors. “In this regard, it is recommended that KENET informs all research education institutions in Kenya to implement necessary cybersecurity measures and to share with Director NC4 on any malicious traffic and incidents,” E. Ombati, director of NCCCC, wrote.

On Monday, the group warned that more than 100 critical infrastructure sites in Kenya would be affected.

The cyber-attack comes days after a high-ranking Sudan military official, General Yasir Alatta, warned Kenya and President William Ruto against intervening in the conflict in their country. This is the latest cybercrime incident targeting crucial government offices in the country and has cast the spotlight on Kenya’s security safeguards at a time when thousands of public services are due for digitisation.

In May this year, BackdoorDiplomacy, a hacking group allegedly linked to the government of China, was reported to have attacked Kenya’s key public offices including the National Intelligence Service (NIS), Office of the Presidency, the National Treasury and Ministry of Foreign Affairs for years in a bid to spy on the country’s debt policy.

Both governments denied the allegations, with China pointing a finger at unnamed western powers seeking to drive a wedge between China and Kenya. Earlier this month, the ransomware group Rhysida claimed to have infiltrated and stolen 739 GB of data belonging to the Kenya Bureau of Standards (KEBS), which it said would be auctioned on the dark web if the regulator does not pay a ransom.

And Mr Owalo said the government’s plan to digitise thousands of public services and processes will continue and that Kenya has adequate capacity to address cyber-security.