Cyber security in Kenya: Lessons to learn from attack on state agency and insurance firm
“First, they came for the public sector, then for the private sector, then they came for government officials” So would run a poem about the recent happenings in the cybersecurity sector in Kenya.
On March 1, 2023, Medusa, a ransomware organisation, targeted Kenya and hacked the Kenya Airports Authority (KAA) website, demanding a ransom of 500,000 USD within 10 days. KAA operates 9 airports and airstrips in the country, but it appears that they did not comply with the demand. Even after Medusa extended the deadline for two days, the data was still published online and is now freely accessible with a Tor browser.
The attack also brought down the KAA website for a number of days and Medusa has released 514 GB of KAA data, including emails, staff and other people identifying information, and sensitive HR files. Of particular concern is the publication of airport infrastructure layouts, which pose a security threat to the country.
In ransom cases such as this, instructions on how to redeem the files and pay the ransom are usually posted on a ‘.html’ type of file. Victims are usually given the option of verifying that indeed, the hackers have the information as stated.
When it comes to such professional groups, encryption of the data is top-notch. Medusa is known to utilise both AES (Advanced Encryption Standard) and RSA (Rivest–Shamir–Adleman) encryption algorithms to lock up data. This combination of symmetric and asymmetric encryption makes it highly challenging to recover the data, leaving victims with no option but to pay the ransom or face the consequences of having their data published online and face reputational damage.
To carry out the attack, Medusa may have used Initial Access Operations (IAO) and User-Defined Access (UDA) techniques to infiltrate the Kenya Airports Authority’s (KAA) networks and systems. IAO is often used in the early stages of a cyberattack, where hackers exploit system vulnerabilities, such as software or hardware weaknesses, to exfiltrate data. Attackers can deploy malware, trick users into divulging login credentials, or use other methods to bypass security measures. The large volume of data published by Medusa indicates that the attack had been going on for some time.
Around three weeks later, Lockbit3, a ransomware group similar to but larger than Medusa, added Jubilee Insurance to their list of victims on their blog. However, two days later, the company was no longer listed on the site, although a deadline had been set for two weeks later until 14th April. Jubilee Insurance is the largest insurer in East Africa and Mauritius, with Allianz, a global insurance company, acquiring a majority shareholding in the company last year.
The hackers have also targeted high-ranking government officials. Dennis Itumbi, formerly a blogger and now a Cabinet Administrative Secretary, is very active on social media, particularly on Twitter. He holds sway over 2.1 million followers under the handle @OleItumbi. The hackers used his account to advertise cryptocurrency and he only managed to recover it after three weeks on 4th April. This is not the first Twitter account to be hacked in Kenya and will not be the last.
In the past decade, the cost of cybercrime has reportedly tripled and is expected to reach a staggering 10 trillion USD in 2025. Organised criminal groups, such as Medusa and Lockbit, are responsible for 55% of all data breaches.
To safeguard against such attacks, many organisations are turning to cyber insurance. The recent Jubilee Insurance hack is particularly intriguing, as the company’s quick response time suggests that they were well-prepared for such an eventuality and were able to pay the ransom. One of the few available sources of information on the hack is the hackers’ blog, which published the ransom demand. It remains unclear how the company responded to the attack, and they may choose to keep this information confidential for the time being.
Despite the presence of a national cybersecurity body tasked with handling such situations, the Kenya Airports Authority (KAA) seems to have been unprepared for the attack. The National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC) is available to assist local organisations in responding to cyber threats. Computer Security Incident Response Teams (CSIRTs) are important tools in an organisation’s arsenal for combating cybercrime. However, the attack occurred at a time when the country is experiencing a shortage of dollars, which affected the purchase of basic necessities like fuel. To put things into perspective, the ransom demand of 500,000 USD represents roughly 10% of the KAA’s allocated funds for airstrip construction and expansion in the 2022/2023 financial year.
As for Mr. Itumbi, he could have lost his Twitter account due to a weak password. He has previously stated that he misled Israeli hackers during the last elections and this was probably a retaliatory attack. As the saying goes, “He who sups with the devil needs a long spoon.”
What is evident is that the country’s cyber defenses are currently inadequate, and there is an urgent need to strengthen them.