A major cyber-attack that caused an outage of more than 5,000 public services in Kenya for more than 48 hours while disabling Internet-based and mobile payment platforms has exposed the growing threat of payment service disruptions to the economy.
The attack hit a critical section of the country’s financial system, with M-Pesa, a mobile service product that is fast turning into an artery for the circulation of money in Kenya’s economy, also disrupted.
Activities on the M-Pesa App — which handled transactions valued at Sh1.3 trillion in the year to March — were particularly affected in what is turning into a major test of the country’s preparedness against cyber-attacks as the government moves most of its services online.
But it is the hacking of e-Citizen — a government e-services portal — that has shocked the national intelligence and financial systems on the risk of a shutdown of public services days after the government shifted to the platform.
ICT Cabinet Secretary Eliud Owalo described the attack as a distributed denial-of-service (DDoS) attack, which disrupted the servers by jamming the platform with meaningless Internet traffic to successfully bar legitimate users from access.
Mr Owalo said the attack had been carried out by a group that identified itself as Anonymous Sudan.
“There was a cyber-attack on the eCitizen platform but no data was accessed or lost. We are addressing that, and we are not just coming up with instant remedial measures to address the current situation but are also ensuring that we build an elaborate risk mitigation framework,” said the Cabinet Secretary.
By the time of going to press, some payment platforms were getting back online. However, eCitizen, which provides critical government services like the issuance of driver’s licences, passports and visas, was still down.
“Further to our earlier communication, accessibility to some of our services including Driver Testing and Licensing and Public Service Vehicle licensing is affected by an intermittent connection on the eCitizen network,” said the National Transport and Safety Authority (NTSA) in a statement.
Some households also had problems paying their electricity bills through their M-Pesa App.
“We are experiencing a system hitch due to a network breakdown from our service provider. Consequently, some of our services such as the purchase of prepaid tokens through M-Pesa and USSD [Unstructured Supplementary Service Data] code *977# are unavailable,” said Kenya Power in an update.
Other companies that came out to announce disruption of services included the Kenya Railways, with passengers having difficulty paying for services on the standard gauge railway.
The disruption cut across the whole economy, from payment of bus fares by those going home after work to visa processing for those who want to leave the country.
Safaricom had not issued an official statement on the attack by the time of going to press, but the Communications Authority of Kenya director-general Ezra Chiloba told the Business Daily that the agency had issued an advisory to relevant agencies on how to deal with the threat.
Mr Chiloba said the eCitizen platform first experienced service disruption characterised by service unavailability on Sunday, July 23, 2023.
“The National KE-CIRT/CC has been monitoring Kenya’s cyberspace and issuing daily cyber threat advisories to critical information infrastructure organizations, which include energy companies, banks, and telecommunications companies, among others.”
He said that based on the reported incident, the National KE-CIRT/CC undertook and continues to undertake technical cyber threat analysis on the eCitizen platform and related services.
“We have issued relevant advisories for action. National KE-CIRT/CC continues to monitor the situation on a 24/7 basis.”
The National Computer and Cybercrimes Coordination Committee (NC4) director, Evans Ombati, confirmed that the organisation, which is mandated to monitor the national cyber threat landscape, has in recent days noticed abnormal global internet traffic targeted at Critical Information Infrastructures (CIIs) in Kenya.
“NC4 has established that in the recent past, there has been increased/abnormal global internet traffic targeted at several CIIs in Kenya, aimed at disrupting essential services, particularly in telecommunications, banking and education sectors,” he said.
“In this regard, it is recommended that the Kenya Education Network Trust informs all research and education institutions in Kenya to implement necessary cybersecurity measures and share with NC4 on any malicious traffic and incidents.”
The attack is a major test of President William Ruto’s plan to develop a digital super highway as part of his job-creation agenda.
Last month, while unveiling more services on the e-Citizen portal, the Head of State talked of ushering the country into the era of e-governance that was supposed to make life easier for every citizen, irrespective of their status in society.
“This is the power and promise of Gava Mkononi: you have your government in the palm of your hand,” said the President.
However, he acknowledged that with most of the government services being taken online, the danger of being hacked was also pronounced.
“The imperatives of governing in the digital age come with many opportunities, as we have seen, and challenges as well. A major challenge that should concern all of us relates to the domain of cyber security,” said the President.
The protracted grounding of the eCitizen portal meant the stagnation of critical government services that Kenyans seek to access from the platform around the clock.
Among the most popular services sought by citizens on the portal are visa applications, business registrations, police clearance and applications for provisional driving licences.
Others are Higher Education Loans Board (Helb) services, foreign nationals’ initial registrations, civil registrations for marriages, Kenya Ports Authority (KPA) and the Kenya Revenue Authority (KRA) services.