M-Pesa, key govt services unavailable as Kenya grappled with cyberattack

A number of online services were unavailable for the better part of Thursday, July 27, following a cyberattack that affected both public and private entities. Last evening, the Interior Ministry said normal service had resumed on the government’s e-Citizen platform. 

Kenyans were yesterday denied access to essential services such as buying electricity tokens, transacting on M-Pesa, digital banking and various government services on e-Citizen following a cyber-attack targeted at both public and private institutions.

The outage of M-Pesa services paralysed operations across many sectors including collection of revenue such as parking fees by counties, putting into question Kenya’s readiness for a full shift towards digital payments.

Some Sh29.55 trillion was transacted on M-Pesa in the financial year to March 2022, translating to about Sh81 billion daily, underlining the impact of the service’s disruption to the country.

Safaricom could not be reached for comment on the causes of the disruption to its M-Pesa services.

Kenya Power said it experienced a system failure due to a network outage at its payment service provider, which left thousands of the utility’s prepaid customers unable to purchase their tokens via M-Pesa and USSD code *977#.

“However, customers can purchase tokens from our banking halls, Airtel Money and authorised banks,” the utility said.

Standard Chartered Bank Kenya was among banks whose digital banking systems were affected.

“Our online banking/SC mobile app bank to M-Pesa and mobile banking *722# services are unavailable. Our ATMs/cash deposit machines remain available,” the bank wrote to customers.

Train services were also disrupted, with Kenya Railways announcing that the network outage by its service provider affected purchase of tickets.

The National Transport and Safety Authority (NTSA) also issued a statement indicating that its services had been attacked.

“Accessibility to some of our services including driver testing and licensing and public service vehicle licensing is affected by an intermittent connection on the e-Citizen network,” it stated.

At 6:30pm last evening, the Interior Ministry announced that “all services through the e-Citizen platform (ecitizen.go.ke) have resumed following a regrettable downtime since Sunday, July 23, 2023”.

“The attack not only indicates that we are surrounded by malicious actors, both locally and internationally, but also vindicates the government’s relentless pursuit of stronger cyber security measures to safeguard our Critical Information Infrastructure and data from such threats,” the ministry said in a statement, assuring Kenyans that it was reviewing its controls to remain steps ahead of criminals.

The attack comes barely four weeks after President William Ruto launched thousands of government services on the e-Citizen platform to increase efficiency and minimise corruption. The hacking has exposed the risks to the digitisation plan, as any successful hacks into the systems could lead to the loss of huge amounts of sensitive data belonging to individuals and government agencies.

Earlier, government officials had dismissed claims that e-Citizen had been hacked, saying that they had successfully fended off attempts to overload the system, which caused the platform to experience intermittent disruptions.

“The attack on the e-Citizen platform involved an unsuccessful attempt to overload the system with extraordinary requests with the intention of clogging the system, but our technical teams blocked the source IP address from which the requests originated,” ICT Cabinet Secretary Eliud Owalo said in a statement.

Mr Owalo was quick to allay fears that Kenyans had lost troves of personal data as a result of the attack, saying the government was working to resolve the problem and secure the site.

“To be clear, neither the privacy nor the security of data has been compromised. The system was not hacked,” the CS said. “However, as a result of the attack efforts, the system is experiencing intermittent interruptions that are affecting the normal speed of access to services on the platform. We will shortly return to optimal utilisation levels.”

Kenyans attempting to access e-Citizen yesterday received a host error message following the Distributed Denial of Service (DDoS) attack. “Web server is down error code 521,” the site said.

But what will worry Kenyans is that the government seemed powerless to stop the attack, given that the country’s top cyber security team had last week warned various agencies that such an attack would happen and asked them to put in place adequate safeguards.

The National Computer and Cybercrime Coordination Committee (NC4) last week wrote to authorities revealing that it had observed a sharp increase in hacking attempts targeting critical information infrastructure (CII).

“NC4 has observed that in the recent past, there has been an increase in global internet traffic targeting various CIIs in Kenya with the aim of disrupting essential services, particularly in the telecommunications, banking and education sectors. This traffic constitutes DDoS attacks,” NC4 director Evans Ombati said in a memo.

The attack yesterday also disrupted the processing of e-visas, with Foreign Affairs Principal Secretary Korir Sing’oei advising travellers that they would get visa-on-arrival services.

A group calling itself Anonymous Sudan claimed responsibility for the attack. However, this could not immediately be confirmed. On social media, the group said it was targeting other government digital services.

“We have taken down their ... site for 3 days and counting. We hope Kenyans now know who the Sudanese are and the next one will be worse, we are preparing something very big,” they said in a post on Telegram.

After CS Owalo released his statement denying the success of the hack, the alleged hackers took to the Telegram channel, which had 109,200 subscribers yesterday, to taunt him.

“Government ministries already released dozens of statements... This is just the tip of the *, you saw nothing,” the group said.

Anonymous Sudan describes itself as a hacktivist group and says it’s waging cyber strikes out of Africa on behalf of oppressed Muslims worldwide.

“One reason why Anonymous Sudan’s campaigns are effective is they target ‘layer 7,’ or the application layer, of victims’ internet infrastructure — that’s where web servers receive input from users and, in a computationally draining process,” Charl van der Walt, head of cybersecurity research for Orange Cyberdefense, part of the French telecom Orange SA, told Bloomberg.

Kenyan companies, especially financial institutions, have been prime targets for hackers in recent years, with a Central Bank of Kenya report showing that Saccos lose more than Sh201,000 daily to hackers.