
Hackers’ paradise: Auditor-General warned, hackers listened


On Monday, the government admitted to a hacking attack targeting State House, the Health, Education, Labour, Environment, ICT, Tourism and Interior ministries, among others.


The files are many, and have two things in common: that the Office of the Auditor-General shouted itself hoarse about weak systems nearly begging for hackers to attack, and that the detailed reports are gathering dust in many of the State’s corner offices across the country.

Year after year, reports compiled by the Auditor-General Nancy Gathungu’s boots on the ground have pointed out potential attack points at both national and county government levels.


On Monday, the government cited some of the same weak spots when admitting to a hacking attack targeting the heart of the Government — State House, the Health, Education, Labour, Environment, Information and Communication Technology (ICT), Tourism and Interior ministries, among others.

Just months earlier, the Communications Authority also chimed in, stating that inadequate system updates and limited training of staff had left several State institutions vulnerable to hack attacks.

“The detected cyber threats can be attributed to several factors, including inadequate system patching, limited user awareness of threat vectors such as phishing and other social engineering techniques, as well as the growing adoption of AI-driven attacks and machine learning technologies by malicious actors,” Communications Authority Director-General David Mugonyi said in the report.


For the financial year ended June 2023, the Auditor-General warned that eCitizen — the government’s online service delivery platform — did not have an ICT policy, a steering committee, an approved business continuity plan, or even a secondary backup site.

That means the system, holding volumes of data, could come to a standstill if struck and stalled by hackers.

Days into the following financial year, the eCitizen platform was attacked, and access to over 5,000 government services from ministries, county governments and agencies was paralysed.

ICT policies

A Sudanese hacker group later claimed responsibility, saying they had taken down a number of Kenyan websites, including key government portals like eCitizen and several major companies, to protest what they described as Kenya’s interference in Sudan’s affairs.

Transactions on the State’s e-Citizen payment platform are prone to privacy violations due to weak data protection controls.

Statements posted by the hacker group claimed the attacks were retaliatory, though the group did not provide evidence to support allegations of Kenyan meddling in the affairs of the country.

At the time, then ICT Cabinet Secretary Eliud Owalo said no data was lost during the attack.

In her report for the financial year ended June 2024, Ms Gathungu indicated that 39 National Government Constituencies Development Funds did not have ICT policies.

In the same period, 13 water companies had implemented weak ICT policies and controls, leaving them open to attack by hackers.

“The absence of robust ICT frameworks increases exposure to cyber risks, compromises the safeguarding of information assets, and weakens the alignment of technology with business objectives. Ultimately this may impair operational efficiency and hinder sustained service delivery to the public,” the report stated.

The year before, someone at the Ministry of Health managed to override controls of the Integrated Finance Management and Information (IFMIS) system, before creating a new account which was used to loot an undisclosed amount of taxpayers’ money.


Since 2018, when Edward Ouko was Auditor-General, the office has issued several warnings, many of which have gone ignored. Even where they have been implemented, it has only been half-heartedly.

Several state departments were also inaccessible for the better part of yesterday, with the Immigration Department, the Directorate of Public-Private Partnerships, the Directorate of Criminal Investigations (DCI), and the State House website among those affected.

Disrupted services

Additionally, the Hustler Fund, the Immigration State Department, the Government Press and the Nairobi City County were affected by the cyber-attack that disrupted services.

The attackers made the websites inaccessible and defaced pages by altering their visual appearance and content as well as replacing legitimate information with unauthorised material.

The attack left Kenyans who rely on government websites for information and services frustrated as the government moved to restore the websites.

Attempts by users to log into the websites were met by messages that read:

“Access denied by PCP”, “We will rise again”, “White power worldwide”, and “14:88 Hail hitler”.

However, the websites of other institutions, such as eCitizen, the National Transport and Safety Authority (NTSA), the Judiciary, the Kenya National Examinations Council (KNEC), and the National Police Service, were not affected by the attack.

Ministries such as Defence and the National Treasury were also not affected.

No group has claimed responsibility for the attack, which left many Kenyans unable to access key government services and information.

Interior PS Raymond Omollo said the government had managed to regain control of the attacked websites, adding that investigations are ongoing to find and prosecute the hackers.


“The attack is suspected to have been carried out by a group identified as PCP@Kenya. The government initiated its incidence response and recovery efforts, supported by various stakeholders to mitigate the effects of the incident and restore accessibility to the affected websites,” Mr Omollo said in a statement.

“This attack is in breach of Kenyan and other international laws and conventions, including the Computer Misuse and Cybercrimes Act, the Kenya Information and Communications Act and the Data Protection Act and those found culpable shall face the full force of the law,” Mr Omollo added.

Kenyan government sites have in recent years been an easy target for cyber-attacks.

According to the Communications Authority of Kenya, in the period between July and September, there were 842 cyber threat events.

Most of the attacks, the authority says, exploited system vulnerabilities. Six years ago, according to the CA, cyber-attacks in the country stood at 7.7 million annually.

A January 2023 report by the authority shows that the most targeted industries in Kenya by cyber attackers are financial services, healthcare, education, energy and utilities, as well as government agencies.

The private sector, too, has had its fair share of attacks, mostly in the financial services sector.

A Central Bank of Kenya report showed that Kenyan banks lost Sh1.59 billion to hackers in 2024 alone, with reported attacks rising to 353 from 173 in 2023.
