Kenya’s Digital Infrastructure Under Threat? A Look at Anonymous Sudan’s Thwarted Cyberattack Attempt and its Implications for Kenya’s Digital Systems

On 27^th July 2023, Kenya’s digital infrastructure was the target of a cyberattack that affected both public and private institutions.¹ The Companies that were partially crippled by this attack include Kenya Power and Lighting Company, Kenya Railways Corporation and the National Transport and Safety Authority. These companies enable Kenyans to obtain electricity supply services, train services, driver testing and licensing services respectively. Digital banking and mobile money services were also partially paralysed thereby freezing regular transactions.

The attack denied Kenyans essential services like purchasing electricity tokens, M-Pesa transactions and government services that are accessible on e-citizen and other platforms. This action raises the question as to what exactly is a cyberattack. A cyberattack comprises any action taken to sabotage the functions of a computer network for political or national security purposes.² It may be done through various means like hacking, bombing, and infecting. For it to amount to a cyberattack, the aim should be to disrupt a computer network’s function.³

It is alleged that the individuals behind the attack are a group referred to as Anonymous Sudan that depicts itself as a group of Sudanese cyber-warriors that threatens to attack anyone who tries to meddle with the internal affairs of Sudan.⁴ It is believed that the group has links with Russia since it supports it and has also become an affiliate of Killnet which is a pro-Russian hacking group.⁵ The group through its official telegram channel claimed⁶ that the digital infrastructure in the country was attacked because Kenya has been trying to interfere with the affairs of Sudan and has also released statements casting doubt on the country’s sovereignty.⁷

In a video released recently, Sudan’s army leader is seen warning President William Ruto of serious repercussions should he try to intervene in the ongoing conflict in Sudan.⁸ Efforts by President William Ruto to mediate the conflict between the Sudanese military and the paramilitary Rapid Support Forces (RSF) have been rejected by the Sudanese government as they accuse him of not being neutral.⁹

Modus operandi employed in the Cyberattack

The cyberattack affected a number of digital services that Kenyans rely on. Most of these services are hosted in the e-citizen platform, which now hosts over 5,000 government services after being revamped.¹⁰ Government services like passport applications, business registrations and driving licence applications that can be done through the e-citizen platform were unavailable.¹¹ The digital banking and transport sector was also not left out, for instance Standard Chartered online banking service was unavailable while the National Transport and Safety Authority issued a statement claiming that their services had also been attacked.¹²

Cybercriminals may use various types of attacks to sabotage a computer network. The most common cyberattacks include: phishing, social engineering, ransomware, malware and virus, denial of service (DoS), distributed denial of service (DDoS) and spyware and adware attacks.¹³ To address the menace caused by cybercrime, local, regional and international laws have been promulgated. The Budapest Convention 2001 for instance identifies computer-related and content-related offences as categories of cybercrime. Regionally, the African Union Convention on Cybersecurity and Personal Data Protection in Article 29 addresses cybercrime offences while locally it is the Computer Misuse and Cybercrimes Act 2018.

The ICT Cabinet Secretary said that the attack on the e-citizen platform involved an “unsuccessful attempt to overload the system with extraordinary requests with the intention of clogging the system…”¹⁴ The attack was later identified as a DDoS. A DDoS attack is a type of DoS attack. A DoS attack occurs when an attacker makes it impossible for users to access computer systems, networks or services.¹⁵ DoS attacks may involve flooding a network thus preventing legitimate network traffic; disrupting connection between two machines thus preventing access to a service; preventing a particular person from accessing a service and disrupting service to an individual or specific system.¹⁶

A DDoS attack, therefore, occurs when the overloading traffic ‘originates from more than one attacking machine operating in a concert.’¹⁷ The attackers leverage a botnet to conduct large scale attacks that may appear to originate from many different attackers.¹⁸ Political hacktivists are well known for launching DDoS attacks against government bodies and organisations like PayPal, MasterCard, the US Department of Justice and even the US Federal Bureau of Investigation (FBI).¹⁹

Politically instigated cyberattacks have the potential of meeting the threshold of cyberterrorism depending on the nature and severity of the attack. According to Conway, for it to amount to cyberterrorism, an attack must have ‘a motivational component, must result in death or large scale destruction and must be politically motivated.’²⁰ It has also been argued that cyberterrorist attacks converge the virtual and physical world.²¹ The DDoS attack launched by the group did not meet the cyberterrorism threshold but was merely a cyberattack.

A DDoS attack has been described as being similar to ‘an unexpected traffic jam clogging up the highway thus preventing regular traffic from arriving at its destination.’²²Although DDoS attacks are not really a threat to personal data held by an organisation, they can be used to divert attention from other malicious actions that can result in a data breach.²³ While assuring Kenyans, the ICT Cabinet Secretary said that neither the privacy nor security of data was compromised.²⁴

The legal position of DDoS attacks in Kenya

The consequences of a cyberattack can be detrimental to both the victim and data subject (in case of a data breach) if adequate response measures are not put in place. Had the cyberattack been successful, the personal data of many citizens would be at risk of getting exploited. To address the issue of a cyberattack, both cybersecurity and legal measures need to be enforced. As earlier alluded, Kenya already has legislation addressing cybercrime-related offences. The concept of a DDoS attack has been impliedly highlighted in the Computer Misuse and Cybercrimes Act (the Act).²⁵ While the Act does not specifically use the term “DDoS attack,” it includes provisions that cover the actions involved in carrying out DDoS attacks. Examples of some key provisions of the Act related to DDoS attacks include sections 9 through 11 of the Act that focus on unauthorised access to critical infrastructure. If a DDoS attack targets critical infrastructure such as processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic wellbeing of Kenyans and the effective functioning of Government as defined by the Act, it may fall under this provision.

Section 14 is on unauthorised access to computer programs or data criminalises unauthorised access to computer systems, computer programs, or data. DDoS attacks often involve unauthorised access to computer systems to overwhelm them with excessive traffic. The aforementioned section outlines that a person who causes, whether temporarily or permanently, a computer system to perform a function, by infringing security measures, with intent to gain access, and knowing such access is unauthorised, commits an offence and is liable on conviction, to a fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both. Additionally, section 16 criminalises unauthorised interference with the computer systems.

DDoS attacks can disrupt the normal functioning of a computer system by overwhelming its resources, leading to unauthorised interference. Anyone found guilty of unauthorised interference that threatens national security as is the case in the recent cyberattack is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.

DDoS attacks similar to other cybercrime offences pose a threat to data protection principles. These principles enshrined in section 25 of the Data Protection Act 2019 include; processing in accordance with the right to privacy; lawful, fair and transparent processing; collection of personal data for specified, explicit and legitimate purposes; data minimization, data accuracy and storage limitation. In processing personal data, data controllers or data processors (in this case the government, affected banks and Safaricom which owns M-Pesa) are required to design technical and organisational measures to safeguard and implement the data protection principles.²⁶ The timely intervention by technical teams ensured the privacy and security of data were not compromised.²⁷ Failure to do so would not only have resulted in a data breach but also opened a Pandora’s Box that exposed citizens’ personal data to other malicious activities.

Although Kenya has a well-developed cybersecurity infrastructure,²⁸ the recent cyberattack is a tell-tale sign that digital infrastructure development and cybersecurity cannot be divorced but instead should be developed in tandem.

Conclusion

In conclusion, the recent cyberattack on Kenya’s digital infrastructure, orchestrated by a group claiming to be Anonymous Sudan, has highlighted the vulnerability of the nation’s essential services and raised significant concerns about the potential threats to its digital ecosystem. The attack disrupted critical services such as electricity supply, mobile money transfers, government services, and digital banking, exposing the reliance of Kenyans on these systems.

This incident underscores the importance of cybersecurity measures to safeguard the country’s digital infrastructure. The Kenyan government, like many others worldwide, has enacted legislation aimed at addressing various cybercrime activities, including Distributed Denial of Service (DDoS) attacks. While Kenya possesses a robust cybersecurity framework and legal provisions to combat such threats, this attack serves as a reminder that continuous efforts are required to stay ahead of evolving cyber threats. Collaboration among government agencies, private sector entities, and international partners will be essential to bolster the nation’s resilience against future cyber threats.

Image is by Giacomo Buccio