By Aaron Ross, James Pearson and Christopher Bing
NAIROBI (Reuters) – Chinese hackers have targeted the Kenyan government in a series of widespread digital intrusions over several years against key government ministries and institutions, according to three sources, cybersecurity research reports and Reuters’ own analysis of technical data related to the hacks.
Two of the sources believed that the hacks were aimed, at least in part, at obtaining information about the debt owed to Beijing by the East African nation.
“Further compromises may arise as the requirement to understand upcoming repayment strategies becomes necessary,” said a July 2021 research report written by a defense contractor for private clients.
China’s Foreign Ministry said it was “unaware” of any such hack, while the Chinese Embassy in Britain called the accusations “baseless”, adding that Beijing opposes and combats “cyberattacks and theft in all their forms”.
China’s influence in Africa has grown rapidly over the past two decades. But, like several African countries, Kenya’s finances are strained by the rising cost of servicing external debt – much of which is owed to China.
The hacking campaign demonstrates China’s willingness to leverage its espionage capabilities to monitor and protect economic and strategic interests overseas, two of the sources said.
The hacks constitute a three-year campaign that has targeted eight of Kenya’s government ministries and departments, including the presidential office, according to an intelligence analyst in the region. The analyst also shared with Reuters research documents including the timeline of the attacks, the targets and provided technical data relating to the compromise of a server used exclusively by Kenya’s main spy agency.
A Kenyan cybersecurity expert described similar hacking activity against the ministries of foreign affairs and finance. All three sources asked not to be named due to the sensitive nature of their work.
“Your allegation of hacking attempts by Chinese government entities is not unique,” Kenya’s presidential office said, adding that the government had been the target of “frequent infiltration attempts” by Chinese, American and European hackers.
“As far as we are concerned, none of the attempts have been successful,” he said.
He did not provide further details or answer follow-up questions.
A spokesperson for the Chinese Embassy in Britain said China is against “irresponsible measures that use topics like cybersecurity to sow discord in relations between China and other developing countries.”
“China attaches great importance to Africa’s debt problem and is working hard to help Africa deal with it,” the spokesperson added.
TIPS
Between 2000 and 2020, China committed nearly $160 billion in loans to African countries, according to a comprehensive Chinese lending database hosted by Boston University, much of it for large-scale infrastructure projects.
Kenya has used more than $9 billion in Chinese loans to finance an aggressive campaign to build or upgrade railways, ports and highways.
Beijing has become the country’s biggest bilateral creditor and has gained a foothold in East Africa’s biggest consumer market and a vital logistics hub on Africa’s Indian Ocean coast.
By late 2019, however, when the Kenyan cybersecurity expert told Reuters he had been brought in by Kenyan authorities to assess the hack of a government-wide network, Chinese loans had dried up, and Kenya’s financial strains were showing.
The breach examined by the Kenyan cybersecurity expert and attributed to China began with a “spearphishing” attack at the end of the same year, when a Kenyan government employee unknowingly downloaded an infected document, allowing hackers to infiltrate the network and gain access to other agencies.
“Many documents from the Ministry of Foreign Affairs were stolen as well as from the Department of Finance. The attacks appeared to be focused on the debt situation,” the Kenyan cybersecurity expert said.
Another source – the intelligence analyst working in the region – said the Chinese hackers had waged a massive campaign against Kenya which started in late 2019 and continued until at least 2022.
According to documents provided by the analyst, Chinese cyber-spies have subjected Kenya’s presidential office, its ministries of defence, information, health, land and interior, its counter-terrorism centre and other institutions to persistent and prolonged hacking activity.
Relevant departments did not respond to requests for comment, declined to be interviewed, or were unreachable.
In 2021, the global economic fallout from the COVID-19 pandemic had already helped push a major Chinese borrower – Zambia – into defaulting on its external debt. Kenya has succeeded in securing a temporary moratorium on debt repayment from China.
In early July 2021, cybersecurity research reports shared by the intelligence analyst in the region detailed how hackers secretly accessed an email server used by Kenya’s National Intelligence Service (NIS).
Reuters was able to confirm that the victim’s IP address belonged to the NIS. The incident was also covered in a report by the private defense contractor reviewed by Reuters.
Reuters could not determine what information was taken in the hacks or conclusively establish the motive for the attacks. But the defense contractor’s report says the breach of the NIS may have been aimed at gathering information on how Kenya planned to handle the payment of its debt.
“Kenya is currently feeling the pressure of this debt burden…as many projects funded by Chinese loans are not yet generating enough revenue to be self-financing,” the report said.
A Reuters review of internet logs describing Chinese digital espionage activity showed that a server controlled by the Chinese hackers also accessed a Kenyan government shared webmail service more recently, from December 2022 to February this year.
Chinese officials declined to comment on the recent breach, and Kenyan authorities did not respond to a question about it.
“REACHED DIPLOMACY”
The defense contractor, pointing to identical tools and techniques used in other hacking campaigns, identified a Chinese state-linked hacking team as carrying out the attack on Kenya’s intelligence agency.
The group is known as “BackdoorDiplomacy” in the cybersecurity research community, due to its efforts to advance Chinese diplomatic strategy goals.
According to Slovak cybersecurity firm ESET, BackdoorDiplomacy reuses malware against its victims to gain access to their networks, allowing their activities to be tracked.
Provided by Reuters with the IP address used in the NIS hack, Palo Alto Networks, a US cybersecurity company that tracks the activities of BackdoorDiplomacy, confirmed that it belongs to the group, adding that its previous analysis shows that the group is sponsored by the Chinese state.
Cybersecurity researchers have documented BackdoorDiplomacy hacks targeting governments and institutions in a number of countries in Asia and Europe.
Incursions into the Middle East and Africa seem less common, making the focus and scale of its hacking activities in Kenya particularly noteworthy, according to the defense contractor’s report.
“This angle is clearly a priority for the group.”
The Chinese Embassy in Britain denied any involvement in the Kenya hacks and did not directly answer questions about the government’s dealings with BackdoorDiplomacy.
“China is the main victim of cyber thefts and attacks and a strong advocate of cyber security,” a spokesperson said.
(Reporting by Aaron Ross in Nairobi, James Pearson in London and Christopher Bing in Washington; additional reporting by Eduardo Baptista in Beijing; editing by Chris Sanders and Joe Bavier)