Hackers breached e-Citizen, the online portal that hosts over 5,000 services from more than 100 government ministries and departments.

‘Anonymous Sudan:’ Inside billion-shilling cybercrime underworld

What you need to know:

  • Anonymous Sudan is a pro-Russian gang that has gained notoriety the world over.
  • The hackers breached e-Citizen, the online portal that hosts over 5,000 services from more than 100 government ministries and departments.

The hacking of government systems this week, including e-Citizen, the recently relaunched government online portal hosting over 5,000 services, comes on the back of recent reports that Kenya is increasingly becoming a target of cybercriminals.

e-Citizen, a portal hosting State services from more than 100 ministries, counties, departments and agencies, joins a growing list of government platforms that have been sabotaged by cyber-attacks in recent times.

The hackers jammed the system “by making more than ordinary requests into the system, hence slowing it down,” according to ICT Cabinet Secretary Eliud Owalo, adding that no data was accessed or lost.

In May this year, one of Kenya’s largest private universities, Kabarak University, made headlines after a hacker seized the institution’s social media page and blocked the administrators from accessing its Facebook page.

The criminal then demanded money to return the social media page, and for three days, desecrated the site with political tirades mocking the government as well as funny memes.

In the same month, reports emerged claiming China, Kenya's biggest foreign creditor, had since 2019 staged hacking attacks on Kenya’s government ministries and state departments as its debt piled up.

According to a Reuters report, the attackers stole a treasure trove of documents relating to Kenya’s foreign debt during the three-year campaign that targeted the Office of the President, the National Intelligence Service, the National Treasury and the Ministry of Foreign Affairs, among others.

In April this year, the Kenya Airports Authority confirmed its network had been breached in a cyberattack by a notorious group dubbed Medusa. The attackers released voluminous data including procurement plans, physical plans, site surveys, invoices and receipts.

Earlier, in 2019, hackers had breached 18 Kenya government websites, including those of the National Youth Service, the ICT Authority-run Integrated Financial Management System (IFMIS), the Judicial Service Commission (JSC), the Immigration department and the Petroleum ministry.

The hackers calling themselves the Kurd Electronics Team defaced the websites by displaying their logo.

According to an annual report released this year during Kaspersky’s Cyber Security Weekend (CSW) in Kazakhstan, ransomware is now a leading cybercrime, accounting for up to 66 percent of incidents reported globally.

In his presentation on “Navigating the Digital Minefield: A Guide to Cybersecurity Threats in 2023”, Dr Amin Hasbini, Head of Global Research and Analysis Team at Kaspersky, a global cybersecurity and digital privacy company founded in 1997, revealed that Kaspersky recorded some 22,000 ransomware notifications in Kenya.

The main targets for ransomware are governments (19.2 percent), financial organisations (18.4 percent), industrial enterprises (17.4 percent) and the telecommunications sector (9.2 percent).

There are two main types of ransomware: simple ransomware, which may lock the system without damaging any files, and the more advanced malware that employs the cryptoviral extortion technique.

In the latter, the malware renders the user’s data unusable by encrypting it and asks for payment in exchange for the decryption key.

In an effort to safeguard their data, businesses across the world have deployed techniques to encrypt their data.

Data encryption is a way of translating data from plaintext (unencrypted) to ciphertext (encrypted). Data is locked with an encryption key, and only a holder of the matching decryption key can read it again.

Unfortunately, advanced ransomware can decrypt the information and encrypt it afresh, enabling the hackers to hold businesses hostage until a ransom is paid.

For three years, from 2019 to 2022, encryption has been the leading problem facing businesses, the survey showed.

The conference heard that, of the cyberattacks against businesses last year, 80.9 percent in the third quarter of 2022 were related to Microsoft Office.

In 2022 alone, Kaspersky blocked 507 million user attempts to follow malicious phishing links to obtain data that would be used for possible ransomware attacks. A quarter of these links had targeted the Middle East and Africa.

Cybercriminals have devised several means of gaining an initial foothold in their victims’ servers and systems. The beginning of the attack, known as initial access, involves different techniques that include phishing, which is used to obtain logins and passwords.

Should it fail, brute force is employed. A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys.

It is a simple yet reliable tactic for gaining unauthorised access to individual accounts and organisations’ systems and networks.

Another method used by hackers is vulnerability exploitation, which bypasses logins and passwords altogether and goes straight for the systems connected to the internet.
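The two patterns described above, the request flood that slowed e-Citizen and password brute forcing, are both visible as abnormal per-source request rates. The following is an added illustration, not code from the article or from Kaspersky, of per-source sliding-window counters run over constructed access log lines; the IP addresses, paths and thresholds are assumptions.

```python
# Added example: flag request floods and login brute forcing from web access
# logs. Log format, addresses and thresholds are assumed, not from the article.
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample access log, not real e-Citizen traffic."""
    t0 = datetime(2023, 7, 27, 10, 0, 0)
    lines = []
    # Ordinary visitor: a few page views spread over several minutes.
    for i in range(5):
        lines.append(f"{(t0 + timedelta(seconds=60 * i)).isoformat()}Z 198.51.100.7 GET /services 200")
    # Flooding client: 300 requests inside one minute (five per second).
    for i in range(300):
        lines.append(f"{(t0 + timedelta(milliseconds=200 * i)).isoformat()}Z 203.0.113.9 GET /services 200")
    # Brute-forcing client: 25 failed logins in under a minute.
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()}Z 192.0.2.44 POST /login 401")
    return lines


def parse(line):
    """Split '<ISO timestamp>Z <ip> <method> <path> <status>' into typed fields."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts.rstrip("Z")), ip, method, path, int(status)


def detect(lines, window=60, flood_threshold=100, bruteforce_threshold=10):
    """Return {ip: [alert names]} for sources exceeding a threshold within any window."""
    events = sorted((parse(line) for line in lines), key=lambda e: e[0])
    windows = defaultdict(deque)   # (ip, counter) -> timestamps inside the window
    alerts = defaultdict(set)
    for ts, ip, method, path, status in events:
        counters = [("flood", flood_threshold)]          # every request counts here
        if path == "/login" and status == 401:           # only failed logins count here
            counters.append(("bruteforce", bruteforce_threshold))
        for name, threshold in counters:
            recent = windows[(ip, name)]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window:
                recent.popleft()                         # drop events older than the window
            if len(recent) >= threshold:
                alerts[ip].add(name)
    return {ip: sorted(names) for ip, names in alerts.items()}


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

Real deployments would feed the same counters from the web server or WAF logs and tune the thresholds to the site’s normal traffic, since a single fixed number will either miss slow floods or page on busy legitimate clients.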

After breaching the systems connected to the internet, the hackers take control of the victims’ systems. Another route that hackers use to move from initial access to control capture is the sending of emails carrying infected attachments.

These attachments carry malicious software that breaches the systems and bypasses logins and passwords. From control capture, the attackers infect the wider “environment” to gain full access to the system. This leaves the system open to data theft, removal of data copies and data encryption, and it is at this point that a demand for ransom is made.

To effectively curb ransomware attacks, Ekaterina Rudina, a senior analyst at Kaspersky’s Industrial Control Systems Cyber Emergency Response Team, recommended that companies maintain a mature security posture.

This involves the establishment of a strategy to best mitigate, transfer, accept or avoid information risk related to people, processes and technologies.

Businesses should also upskill their employees on how best to defend their online services and operations.

“Companies should also invest in a strong threat intelligence posture that allows them to have full readiness for the kind of threat actors that target them and also employ the right technologies that can predict, prepare, detect, block, remediate and maintain a strong security posture,” Ms Ekaterina said.

For Victor Ivanovsky, Kaspersky’s Group Manager, Business Development, robust data encryption and key management solutions should offer a centralised management console for data encryption and encryption key policies and configurations; encryption at the file, database and application levels for on-premise and cloud data; role- and group-based access controls and audit logging to help address compliance; as well as automated key lifecycle processes for on-premise and cloud encryption keys.

For its part, IBM recommends that in the fight against ransomware, companies must invest in better data encryption options and rely on cloud service providers (CSPs) to store information.

“An organisation’s sensitive data must be protected, while allowing authorised users to perform their job functions. This protection should not only encrypt data, but also provide robust encryption key management, access control and audit logging capabilities,” IBM’s website on cyber safety states.