Central bank warns staff of impending cyber attack

The Central Bank of Kenya (CBK) has warned its employees of an impending cyber-attack targeting key government installations, including the big bank that sits at the heart of Kenya’s financial services sector.

The CBK issued the warning through a notice to employees, asking them to be extra-vigilant in order to prevent the cyber criminals who have infiltrated three central banks this year.

“In light of this risk, we advise all staff to be cautious when opening emails and accessing the internet. Do not open emails from unknown sources,” the CBK notice says.

Two months ago, the cyber criminals attacked and stole Sh8.1 billion ($81 million) from Bangladesh’s central bank and BBC News reported that an unnamed commercial bank also came under attack causing loss of an undisclosed amount of money.

Swift, the technology company that oversees the financial messaging network that underpins global money transfers, said the second attack showed that the Bangladesh theft was not an isolated incident but ‘‘part of a wider and highly adaptive campaign targeting banks.’’

Hacktivists, as the internet criminals are popularly known, have also targeted the Central Bank of Cyprus, which briefly came under cyber-attack, days after a hacking outfit said it conducted a similar attack on the Greek central bank’s site.

The Kenyan central bank is not new to breaches of its internet security, having been taken over by Gaza Hacker Team in July 2013.

Hackers targeted the Exchange Rates section of the CBK site and defaced it with messages in both English and French that read: “…But all your interests and your citizens in all parts of the world will be our legitimate targets! So, if you want the safety of yourselves, possessions and interests from our revenge, depart all soldiers from our land ‘Mali’.’

Central Bank of Kenya governor Patrick Njoroge on Tuesday refused to comment on whether the Kenyan central bank had noticed an overt threat, but stated that all central bankers were on the lookout.

“All I can say is it has been very embarrassing for those jurisdictions where this has happened. My peers around the world meet each other, we discuss some of these things and all of us are cognizant of the impact of this,” he said at a Press briefing Tuesday.

READ: Cybercrime costs Kenya government Sh5bn a year: report

The most prominent attacks in Kenya have, however, been propagated by activists who have not gone after financial institutions and individuals with money.

The Kenyan government has especially been a target of sustained attacks by hacktivists, who use computers and computer networks to promote a political agenda by hijacking websites and leaking documents.

Hackers associated with the global movement ‘Anonymous’ have in the past stated that the ongoing cyber-attacks on the web and social sites operated by the government, the military and top leaders is part of an effort to expose corruption in Kenya.

Last month, the Foreign Affairs ministry came under attack from activists who said they had initiated ‘Operation Africa’ to stand against corruption, child abuse, and child labor.

The hackers claimed that they had mined one terabyte of data from the ministry and would be dumping the data on the deep web.

ICT secretary Joseph Mucheru, however, said the incident was a phishing attack, as opposed to a hacking attack on computer systems, and that no classified material had been accessed.

In the past, hackers have infiltrated Twitter accounts belonging to the Kenya Defence Forces and defaced several government websites.

In 2014, the cell Anon_0x03 took control and used Deputy President William Ruto’s verified Twitter account to tweet a list of government websites it had hacked.

The Cell is reported to have hacked the Immigration and Registration of Persons, the National Environment Trust Fund and the Integrated Financial Management Information System (IFMIS), which contains sensitive financial data.

READ: Kenya up 24 places in US firm’s ranking of global cyber attacks exposure

In 2012, an Indonesian hacker called direxer took down 103 sites and after that more than 10 government websites were hit including the Attorney-General’s Office (April 2013) and the Transport ministry (March 2014).

Kenya Police suffered several attacks in 2011 while the Treasury website (ww.treasury.go.ke) was hacked by ReisBEY Muslim Turkish Hacker in November 2010.

The rise in financial fraud at this time when the world is getting increasingly connected has opened up Kenya to the risk of attack by financially motivated hackers.

Kenya should be worried given that it has an extensive mobile money culture, which has weak controls to guard against network attacks.

The value of funds transacted through mobile phones in Kenya stood at Sh2.8 trillion in 2015 with over 31.6 million mobile money customers transacting in the country, according to CBK data.

Kenya Cyber Security reports that there is a sharp increase in financial fraud within banks through mobile money, system tampering and mobile network exploitation.