Since Sunday, websites belonging to government agencies, media, hospitals and banks have been targeted by hackers claiming to be exacting revenge on behalf of the Sudanese regime.
Anonymous Sudan, a pro-Russian hacktivist group says it is responsible for a Distributed Denial-of-Service (DDoS) attack which intermittently took websites belonging to Kenyan media, hospitals, universities, and businesses, including Safaricom, offline. The group had previously been involved in a series of “unprecedented escalation in DDoS attack sophistication” with pro-Russian hackers that targeted Western websites including Microsoft, according to a report published by Cloudflare earlier this year.
Denial of service attacks are cyberattacks where the attacker prevents users from accessing a website, online service, or connected device, by flooding the servers with internet traffic.
The group appears to have turned their attention to their southern neighbour this week after a video of a Sudanese general allegedly taunting Kenya’s president went viral on social media. On Sunday, it claimed it had attacked Kenya’s eCitizen website which hosts government services like visa application, business registration and more. It also claimed to have attacked Kenya Commercial Bank, Kenya’s second-largest bank measured by assets, and the country’s largest telecom, Safaricom.
It also attacked media websites including the one of The Standard Group, Kenya’s oldest newspaper, as well as the website of the government-owned Kenya News Agency. On Monday, 10 university websites were hit, including the University of Nairobi. And on Tuesday it targeted seven hospitals and the website of Kenya’s transport agency. The National Transport and Safety Agency allows Kenyan residents to apply and pay for driving licenses among others.
On Spice FM, a local radio station (owned by Standard Media Group whose website was also attacked) Eliud Owalo, Kenya’s cabinet secretary in charge of the Ministry of Information, Communication and the Digital Economy said, no data was accessed or lost. Other targeted websites appear to be functioning normally at press time.
The group said it attacked Kenya because it “released statements doubting the sovereignty of [the Sudanese] government.” Sudan has been locked in internecine conflict between the Sudanese Armed Forces (SAF) and the paramilitary Rapid Support Forces (RSF), rival factions of the military government of Sudan since the 15th of April, 2023. Last month, the Sudanese government rejected the appointment of Kenya’s president, William Ruto as leader of a mediation group after accusing the East African nation of lacking neutrality.
African states are vulnerable to cyber attacks from foreign hackers but typically don’t attack each other—at least not publicly. According to Nathaniel Allen and Noëlle van der Waag-Cowling, both cybersecurity researchers, “African countries tend to have low levels of cyber maturity and possess limited offensive and defensive cyber capabilities. Virtually all rely on foreign actors to supply critical information.” Anonymous Sudan might be pro-Sudan, but it also has significant links to pro-Russian hacktivist groups.
Digitising government services is a key part of President Ruto’s agenda. Earlier this year, his administration said Kenyans could access 5,000 government services online. The services include business permits and visa applications. All were affected by the denial of service attacks.
Africa’s growing digital economy is attracting the attention of hackers and digital crime groups. Much of the infrastructure undergirding the continent’s digital boom is often lacking adequate cyber protections in policy and practice. Digitising government services is often hailed as a model for creating efficiency and improving access, but it also opens new vulnerabilities.
In a world of increased digitalisation, when digital public services are unexpectedly and suddenly unavailable it can cause indirect and direct economic and financial losses and even physical harm, in some cases. Across the continent, cybersecurity incidents result in losses estimated at between $3.5 billion and $4 billion every year.
Update:
- Fresh attacks have hit Kenyan government services, Safaricom’s M-Pesa service and Kenya Power, the national utility. Documents shared on Anonymous Sudan’s public telegram group and by Kenya’s principal secretary for Foreign Affairs, Korir Sing’Oei suggest that Kenya will be issuing visas on arrivals to all travellers—in what appears to be a temporary visa-on-arrival program due to the attack on Citizen. In this year’s ICT budget (now held up litigation) Kenya’s government allocated $110 million to ICT. Konza City, a futuristic tech city program got almost half of the budget.
- On Twitter, Kenyans are complaining that bank-to-Mpesa wallet transfers are failing. USSD transactions and an online token purchase for electric power tokens from Kenya’s national power company appear to be also affected, per reports from social media.
This is a developing story.