Hackers stole the passwords of staff at the Ministry of Foreign Affairs, which they then used to steal data from the ministry’s communication system, the government revealed on Thursday.
Information, Communication and Technology Cabinet Secretary Joe Mucheru said that some junior staff at the ministry received a random email from hackers asking them to change their passwords.
“The said hackers were able to send the email to the ministry, and some of the people in the ministry actually responded. They clicked and changed their credentials. And some of the ones who were affected then sent emails to everybody else as spam,” Mr Mucheru said in an interview in Nairobi.
“As a result then, they were able to access some of the documents. But most of the documents are classified open. They never got any classified documents.”
On Thursday, online hacking group Anonymous revealed it had conducted a “sophisticated cyber-attack” on the Ministry of Foreign Affairs server, stealing about one terabyte of data, and leaking it to the public through the dark web.
“The dumped data contains confidential and non-confidential PDF and Docx files from the ministry server including email conversations, security related communication, international trade agreements and letters discussing the security situation in (South) Sudan where government forces are fighting the Sudan People’s Liberation Army (SPLA),” said a statement published by HackRead, an online platform for hacking and cybersecurity news that reported on the incident.
The phishing expedition happened over the past three weeks and is suspected to have involved Kenyan IT students at Kenyan universities, who were cooperating with other hackers around Africa.
The group announced it will be releasing the documents in phases in protest against government corruption under Operation Africa (OpAfrica), a banner launched in 2015 against child abuse, child labour and corruption in African countries.
On Thursday, the group said it stole email conversations between senior diplomats at the ministry and regional leaders, communication on security issues, international trade agreements and letters discussing security in South Sudan.
They are reports from the Kenyan mission in Juba at the start of the conflict, when the Kenya Air Force was called in to rescue Kenyans caught up in the chaos.
The documents also contain updates from the ministry’s arm charged with Horn of Africa affairs, and on negotiations between Riek Machar and President Salva Kiir.
It involved discussions with countries pushing to have the two sign a peace deal, and also about an incident when President Uhuru Kenyatta suggested that the two sign a power-sharing agreement early in February last year, which Dr Machar rejected.
One of the documents was a request by the US Embassy in Nairobi to the ministry to facilitate clearance of a security detail for President Barack Obama’s visit last year.
Another was a set of email reports from Kenyan diplomats in Juba, updating officials on the situation when that country went through civil war from 2013.
Other documents are updates from the Kenyan embassy in Oman, which was charged with organising the repatriation of Kenyans stuck in Yemen when the conflict there exploded.
Most of the documents published so far are a set of email messages from embassies in Nairobi to the ministry such as requests from protocol officials to arrange for receiving dignitaries in Nairobi.
In one instance, the hackers stole an email conversation between ICT officials warning staff about an imminent hacking.
On Thursday evening, Foreign Affairs Cabinet Secretary Amina Mohamed told the Nation from Dakar, where she is attending a conference, that she had not been briefed on the extent of the breach, but promised to provide an update later.
In Nairobi, Mr Mucheru, whose ministry is responsible for the safety of government data, argued the breach does not jeopardise government records.
“We are secure with both email and hard copy. But on this instance, it happened because people shared their passwords. If someone gives away their pin or passwords, you cannot stop them (hackers),” he said.
“This is normal, from a cybersecurity point of view, we are clear on who were involved, it is not that we did not see,” he said.