IEBC servers were breached, forensic analysis shows

Wafula Chebukati

IEBC Chairman Wafula Chebukati (centre) with IG Hilary Mutyambai (left) and DCI boss George Kinoti outside Jogoo House, Nairobi on July 28 when they announced the resolution of the stalemate over the arrest of three Venezuelans.

Photo credit: Lucy Wanjiru | Nation Media Group

The three Venezuelans who were arrested upon landing in Nairobi two weeks before the General Election had not been contracted by the electoral commission but had access to its servers five months before the disputed polls, a forensics analysis shows.

The analysis, of computers confiscated from Salvador Javier, Jose Gregorio and Joel Gustavo by the Directorate of Criminal Investigations (DCI), shows that the three were among dozens of non-Independent Electoral and Boundaries Commission (IEBC) staff who had extensive access to the agency’s servers, the Nation understands.

This access, granted through a company linked to a senior politician from North Eastern, is currently among various electoral fraud matters being investigated by the DCI, whom the Azimio coalition wants to be summoned to the Supreme Court to testify in their petition.

It was not clear last evening if the investigations agency would testify, but the Nation learnt that the DCI wanted to arrest the foreigners but was held back by the assurances of Mr Wafula Chebukati, the beleaguered IEBC chairman.

Mr Chebukati, in a meeting held on July 28, assured DCI boss George Kinoti and Police Inspector-General Hilary Mutyambai that IEBC’s systems were impenetrable and that only accredited employees had access to them.

Mr Chebukati also told the DCI and IG during the meeting at Jogoo House that the three Venezuelans had been contracted by IEBC to provide support on behalf of Smartmatic International, the company contracted to provide electoral management technology by the commission.

Detectives who have been on the case since July now believe that was not the case, and that the three worked for a different entity linked to the North Eastern politician.

Meanwhile, as detectives last evening pondered their next move, a separate forensic analysis by the East African Data Handlers (EADH) on the six data transmission servers used by IEBC showed that several unauthorised individuals gained access to the system.

There were also several successful attempts to download Form 34C, which was used by Mr Chebukati to announce the winner of the presidential election.

Form 34C is a summation of all forms 34B which contain tallies from each of the 290 constituencies. The forms 34B were to be generated by tallying the results of the presidential poll from polling stations through forms 34A.

An analysis on IEBC’s systems by EADH shows that there was a backward tallying of the presidential results where Form 34C was edited several times in order to correspond to forms 34B and 34A, which the audit shows were being intercepted and edited too.

“It is obvious the downloading and the translation of Forms 34B and Forms 34C indicates that the process was not forward tallying on the designed tallying chain— 46,232 forms 34A create 290 forms 34B and they create the final 34C,” says a report on the analysis.

“In this case, the data seem to be working from forms 34C that are seemingly being downloaded into a .csv file, modified or edited and transmitted,” it further states.

A CSV file is simply a text file whose fields are separated by commas. Hackers prefer to use it because its contents can be edited by anyone who has access to the system, using programs that do not have to communicate directly with each other, which makes it difficult for investigators to trace the source of the intrusion.

Despite IEBC insisting its systems were foolproof, the analysis by EADH shows not only that unauthorised persons accessed the servers multiple times, but also that they could intercept communication between the Kiems kits and the presidential tallying centre at Bomas of Kenya.

The level of interception was so grave that a number of forms 35, which were used for the parliamentary elections, found themselves inside the servers used for tallying the presidential poll.

“It seems as though there was a middleware that was intercepting, receiving, and/or sending information between the Kiems kit or the county tallying servers and the presidential tallying server and verification of specific forms,” says the analysis. For example, on August 12, one of the IEBC’s servers was accessed remotely using IP address 10.13.0.49 at 12:16pm.

“The connection was disconnected at 1:27pm and reconnected at 4:13pm, which was terminated almost immediately and then reconnected at 4:47pm,” the report states.

Such connections were being made by persons who had not been gazetted as IEBC officials for the elections, including a login by the name Dickson Kwanusu that not only modified data in the system but on several occasions downloaded Form 34C.

The login trail

“All the IEBC officials for the 2022 General Election were published in the Kenya Gazette. Dickson Kwanusu does not appear as one of the officials on the documents yet he appears multiple times making and executing requests in the election verification process,” says the investigation.

The login trail by Kwanusu, the report states, on August 14 at 4:29pm made an ambiguous and intentional modification on the system to override the whole tallying process in order to generate a Form 34C. This was a day before Deputy President William Ruto was declared the president-elect, as tallying was still ongoing.

The investigation shows there were 27 attempts to generate Form 34C between August 12 at 3:48pm and the time the winner was declared on August 15.

Ideally there should have been only one attempt to generate Form 34C, after tallying of the votes in all polling centres and constituencies had been completed. The big question investigators are now trying to answer is why all those forms 34C needed to be generated.

Apart from Kwanusu, others who logged into the system despite not being accredited include Abdi Hadir Abdi, who performed verification of 659 forms 34A, Harun Gathiru, Mohamud Mohamed and Isaiah Khuyole.
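The two findings the report rests on, a tallying chain that should only run forward (forms 34A sum to forms 34B, which sum to the single Form 34C) and an audit trail containing logins by people outside the gazetted list and repeated Form 34C generation, are both things an auditor can check mechanically. The script below is an added illustration, not code from the article, EADH or the DCI: it checks a constructed audit log against a constructed allow-list, counts form-generation events, flags any Form 34C created or edited before the last Form 34B was generated (the backward-tallying signal the report describes), and recomputes the 34A to 34B to 34C sums. The user names, IP addresses, log format and vote counts are all made up for the example.

```python
"""Audit-trail and tally-chain consistency checks (added example; all data constructed)."""
from collections import Counter
from datetime import datetime

# Constructed allow-list standing in for the officials published in the Kenya Gazette.
GAZETTED_OFFICIALS = {"ro.nairobi", "ro.mombasa", "ict.admin"}

# Constructed audit-log lines (not real IEBC records): timestamp,user,action,form,source_ip
AUDIT_LOG = """\
2022-08-11 09:02,ro.nairobi,generate,34B,10.20.0.11
2022-08-11 09:40,ro.mombasa,generate,34B,10.20.0.12
2022-08-12 12:16,user.x,login,-,10.13.0.49
2022-08-12 15:48,user.x,generate,34C,10.13.0.49
2022-08-13 10:05,user.x,download,34C,10.13.0.49
2022-08-13 11:30,ict.admin,generate,34B,10.20.0.1
2022-08-14 16:29,user.x,edit,34C,10.13.0.49
2022-08-14 17:00,user.y,verify,34A,10.13.0.50
2022-08-15 14:00,ict.admin,generate,34C,10.20.0.1
"""

# Constructed tally data: station -> (constituency, votes), constituency -> votes, national -> votes.
FORMS_34A = {
    "station-001": ("constituency-A", {"cand1": 120, "cand2": 80}),
    "station-002": ("constituency-A", {"cand1": 100, "cand2": 95}),
    "station-003": ("constituency-B", {"cand1": 60, "cand2": 140}),
}
FORMS_34B = {
    "constituency-A": {"cand1": 220, "cand2": 175},
    "constituency-B": {"cand1": 60, "cand2": 140},
}
FORM_34C_CORRECT = {"cand1": 280, "cand2": 315}
FORM_34C_TAMPERED = {"cand1": 300, "cand2": 315}  # constructed: cand1 no longer sums from 34B


def parse_log(text):
    """Turn the comma-separated log lines into dicts with a parsed timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, action, form, ip = line.split(",")
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                        "user": user, "action": action, "form": form, "ip": ip})
    return records


def unauthorised_users(records, allowed):
    """Every user in the log who is not on the gazetted allow-list."""
    return sorted({r["user"] for r in records if r["user"] not in allowed})


def generation_counts(records):
    """How many times each form type was generated; a forward tally yields exactly one 34C."""
    return Counter(r["form"] for r in records if r["action"] == "generate")


def backward_tally_events(records):
    """34C generate/edit events dated before the last 34B was generated: 34C cannot
    legitimately exist until every 34B is final, so these indicate backward tallying."""
    last_34b = max((r["ts"] for r in records
                    if r["form"] == "34B" and r["action"] == "generate"), default=None)
    if last_34b is None:
        return []
    return [r for r in records
            if r["form"] == "34C" and r["action"] in ("generate", "edit") and r["ts"] < last_34b]


def verify_tally_chain(forms_34a, forms_34b, form_34c):
    """Recompute 34A -> 34B -> 34C and return a list of mismatch descriptions (empty if consistent)."""
    problems = []
    expected_34b = {}
    for _station, (constituency, votes) in forms_34a.items():
        expected_34b.setdefault(constituency, Counter()).update(votes)
    for constituency, declared in forms_34b.items():
        if Counter(declared) != expected_34b.get(constituency, Counter()):
            problems.append(f"34B for {constituency} does not equal the sum of its 34A forms")
    expected_34c = Counter()
    for declared in forms_34b.values():
        expected_34c.update(declared)
    if Counter(form_34c) != expected_34c:
        problems.append("34C does not equal the sum of the 34B forms")
    return problems


if __name__ == "__main__":
    recs = parse_log(AUDIT_LOG)
    print("not gazetted:", unauthorised_users(recs, GAZETTED_OFFICIALS))
    print("generation counts:", dict(generation_counts(recs)))
    for r in backward_tally_events(recs):
        print("34C before final 34B:", r["ts"], r["user"], r["action"], r["ip"])
    print("chain check (correct 34C):", verify_tally_chain(FORMS_34A, FORMS_34B, FORM_34C_CORRECT))
    print("chain check (tampered 34C):", verify_tally_chain(FORMS_34A, FORMS_34B, FORM_34C_TAMPERED))
```

On the constructed log the script reports two users outside the allow-list, two Form 34C generations instead of one, and a 34C generated on August 12 before the last 34B of August 13; the chain check passes on the consistent 34C and fails on the tampered one. Against a real export the same three checks need only the gazetted list, the per-form event log and the published form totals.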

Forensic analysis findings by EADH correspond to those of the DCI, which has separately said Salvador Javier, Jose Gregorio and Joel Gustavo, the three Venezuelans who were arrested on July 21, were also accessing IEBC’s systems before, during and after the polls.

Gregorio was arrested at the Jomo Kenyatta International Airport after arriving from Istanbul, Turkey. His arrest, which also led to the apprehension of his colleagues Javier and Gustavo from an apartment in Riverside, Nairobi, caused a brief stand-off between the IEBC and the police before Mr Chebukati intervened.

While demanding their release, Mr Chebukati is said to have assured the DCI and the IG that the Venezuelans had no access at all to IEBC servers. Investigations, however, show that this could have been a smokescreen, as the three had in their computers almost everything on IEBC’s systems.
