In today’s day and age, cyber capacity has increasingly become a necessary precondition for any country’s global competitiveness in trade and commerce, technological advancement, intellectual property, and political and social well-being. As such, cyberspace has quickly become one of the top three global security threats in our highly globalized world. Africa, which is expecting a population boom in the coming decades, is expected to become a target of this security threat from cyber thieves, terrorists, and countries. With the increasing digitization of banking and financial systems, election systems, education and healthcare systems, multi-billion dollar infrastructure projects, as well as security and intelligence systems, global financial loss and damages make this sector the third largest economy in the world.

In February of this year, INSA reported that more than 2,145 cyberattacks were launched at Ethiopia, primarily targeting Ethiopian financial institutions, educational institutions, security and intelligence institutions, medical institutions, media establishments, as well as government offices. However, the report does not detail the countries (geographical locations), groups, or entities launching these attacks. Are there identified entities, groups, or countries responsible for the attacks? Could you name and rank them?

Normally in cyberspace, every attack has a source from which it originates. One of the raw measures for our assessment is the IP (Internet Protocol) address to which it can often be traced. Although the originating country may not necessarily be an indicator of the exact source of the attack, due to the use of VPNs or other ways of concealing IP addresses, we are able to identify the origin nonetheless. In INSA’s February report, we disclosed that there were over 2,145 attacks launched on Ethiopia’s various sectors, organizations, and public institutions; the recurring IP addresses include countries one would consider superpowers in today’s international arena. There are less oft-considered nations like the Netherlands and the Korean Republic (DPRK) that also make the list. Given that an IP identification does not necessarily implicate a country, a great solution would be to cultivate cooperation, diplomatically or otherwise, with other nations in identifying the attacks (and attackers) from each other’s cyberspace. This is what we have come to call “cyber-diplomacy”; given the lack of physical boundaries for this problem and its global prevalence, mutual cooperation between countries is vital. In this context, if a country is unwilling to cooperate in this matter, that might also be an answer in itself.

Beyond the identification of countries and geographic locations, determining the groups or entities responsible for cyberattacks requires more advanced methods of attribution; here we look beyond the IP address to identify and attribute the attack to a specific threat actor such as an individual, a group, or a state itself. For example, if malware[1] was sent, there are routine ways to analyze and reverse-engineer the origin that would reveal details like the timezone or language of the source of the attack. Although much can be done to further analyze such threats, Ethio-CERT as a division primarily focuses on identifying and monitoring critical assets, and containing threats to these assets. Going into further attribution might have its own limitations as it requires technological, financial, systems, and manpower capacities.

Entities like the Cyber Horus group, a known Egypt-affiliated group, operate in the open. Helpfully enough, the group announces its own attacks and identifies itself in attacks, or better, announces the attacks it plans to launch. This helps us scout the geo-political and security landscape better. Previously, domestic organizations and institutions were under the impression that INSA was the sole line of defense against cyberattacks; however, it is now clear, for domestic actors, that cyberdefense requires a collective-level effort.

Given that this particular sector is undisclosed, would you say Ethiopian infrastructure projects are also a target of such cyberattacks?

Cyberattacks, or threats thereof, are attempted periodically and in tandem with the reservoir filling period. These could be direct or indirect attacks. Direct attacks are launched at the project (GERD) itself; this might look like disruptions to source/input factories directly feeding the project. This could also look like attacks on SCADA[2] systems, factories, and grids, given that we operate digitally.

A real-world example of this would be the Iranian Natanz nuclear plant that was attacked, an attack that destroyed the electricity grid of the site, among other disruptions, delaying the project by several years. This is also to say that even the most isolated systems are rarely hidden from cyberattacks. It is also worth noting that the more resourceful an entity, a state for example, the higher the capacity to use cyber means to its ends. Silently gathering data and information to one’s own end and publicly disclosing the information is another form of this attack.

There was a past instance of cutting the electricity supply to entire cities by attacking the control systems of power grids, and INSA responded with the appropriate measures. Though our duty is to proactively defend against cyberattacks, once they do occur, we ensure that the damage is minimized. Without such diligence in cyberspace defense, we can certainly say that there is a will to inflict more damage to cause hurdles in the completion of GERD. It is important to note that once the Dam is fully connected and operational, the risk of a cyberattack is exponential. Security is not something to ensure later, at completion, but a crucial concern at this stage. Alongside the construction of the structure and electrical work of the GERD, building a cyberdefense for the project is a crucial aspect that is often neglected.

Indirect attacks on the GERD might look like attacking websites and government pages; hacking into public websites and defacing them by injecting malicious code to display the attacker’s messages is yet another trick. We have a past experience where the message stoked widespread fear or panic. At the individual level, high-level authorities (influential people) might be victims of phishing ploys, malware, or ransomware that might compromise their work. The indirect attacks are often intended to impose a psychological effect. On our end, we have proactive measures in place for addressing these threats. The first is the SOC (security operations center). We have 24/7 monitoring and proactive defense operations on the systems and networks of national assets, like key infrastructure, services and customers, financial institutions, and others. Our real-time proactive defense includes scanning for and detecting vulnerabilities. What kinds of gaps exist? Our team checks if the network traffic is healthy, monitors malicious threats from known databases, and builds situational awareness so as to create effective countermeasures.

In June 2020, associated with the first filling of the GERD reservoir, the Cyber Horus group launched a cyberattack on government institutions’ websites within a five-day span. This created a psychological impact on the population around a highly anticipated national milestone event. Secondly, in a similar timeframe in June of 2021, there was a similar attack on 37,000 computers associated with the second round of filling by the same group. Additionally, in October 2022, we observed similar activity targeting websites of government institutions, for example, the Ministry of Foreign Affairs (MFA). Ethio-CERT, as a rapid response team, does not move further into determining the extent and severity of these attacks as our focus is detection, containment, and mitigation.

We also receive requests, tips, and reports from sectoral CERT units of national organizations and institutions that enable us to devise a nationwide early warning system. This loops back to the earlier point on building a collective defense system in cyberspace. Although our response is reactive, small businesses and enterprises also reach out when they are subject to malware and ransomware attacks, where we attempt to mitigate the damages and restore lost files.

Given the manifold threats being made against the Grand Ethiopian Renaissance Dam (GERD) primarily from Egypt, has the Administration aggregated information on the amount and frequency of such cyberattacks on this infrastructure from Egypt?

It is rare for an attacker/actor to overtly launch attacks from a geographic space and make it easy to attribute. However, the easiest way to identify threats originating from Egypt is their own disclosure through official means like their national mainstream media. Though such threats are not acceptable in diplomatic correspondence, the same is true in cyberspace, where Egypt-affiliated groups identify themselves and their activities, like the Cyber Horus group mentioned earlier.

Describe, for a non-technical audience, what constitutes an attack. And relate it to the broader context of the GERD project.

These groups would first conduct a reconnaissance of our systems to craft the payload, i.e. what they will send. They will then “deliver” the attack on a service operator or website. They will then escalate the attack by attempting to get admin access, which, among other actions would allow the exfiltration of data from internal systems and files; though the damage might not be maximal, this data is what would be used for malicious ends like propaganda use.

In general, building a robust cyberdefense encompasses three aspects, which also constitute the key threats: Confidentiality, Integrity, and Availability. Ensuring the confidentiality of protected and privileged information and data by mending vulnerabilities is a key component of our work, as the damages from a breach in confidentiality could, at worst, create crises of national proportions.

Integrity has to do with modifications or changes to existing data; for example, in the finance sector, if one changes the name of a bank account holder, or adds zeros to a sum of money, this constitutes a breach of the integrity of data and results in financial damages and loss of trust. Lastly, availability means a continuous and uninterrupted stream of service; as a familiar example, power outages and network loss or degradation (operation at suboptimal levels) mean that availability is compromised. This aspect, availability, should be of utmost concern once the GERD is online and operational, especially for a country that wishes not only to utilize hydroelectric power from the project but aspires to sell electricity to neighbors in the region; in providing uninterrupted service to buyers, availability is of critical importance. We also need to update knowledge and public awareness of these threats that may arise.

In the unfortunate event that Egypt launches a successful cyberattack against Ethiopian major infrastructure or public institutions, what is INSA’s level of preparedness to fend off an attack, and/or take counteroffensive measures?

The mandate of our particular unit is to reduce the probability of a successful attack and foil a possible attack at the reconnaissance level. Although we do not take offensive measures, our work and mandate are to ensure that a successful attack does not happen.

Our early prevention work includes securing ports, which serve as gateways or doors to systems of operation, and routinely monitoring threat scans. In the instance of DDoS[3], malware, and ransomware (attempts to exfiltrate, overload, or crash systems) we take the appropriate action depending on the threat level. Though we prepare cyberdefense measures in advance, let’s say that a bank has been targeted; the rapid response team is deployed to identify the threat, then we monitor the threat before responding. If the threat is on a network, systems, or other SCADA, we respond with the appropriate course of action. We then eradicate the threat, much like cleaning an infection. We then attempt to recover lost files and mend damages, after which we compile ‘lessons learned’ which help as input to better build our defense for future attack attempts. This might look like adding this new threat to our database to prevent the same breach. This cycles us back to our initial work: preventative defense. In addition to the National CERT, there are also sectoral CERT units that perform this work in the finance sector, in national institutions and assets, and in key national infrastructure. INSA is the agency that ensures this level of coordination.

In addition, setting privacy and security standards, and pushing for a legislative framework to protect citizen data, is also a priority. Ensuring compliance with data protection protocols is another aspect of the institution’s work. For example, if any bank is to issue VISA cards to customers, they will not only need to comply with PCI DSS[4], the industry standard, but also fulfill their obligations to INSA’s audit requirements.

To follow up on the point about individual-level effort, what safeguards would you recommend to everyday citizens to protect their digital identity?

There are three components to cybersecurity: People, Processes, and Technology (PPT). This question relates to the people component of cyberdefense, an aspect that narrows or widens the chances of an information breach. People, be it unknowingly or out of negligence, become targets of data theft or breach. This is why public awareness campaigns are crucial. For example, in phishing attacks, people receive email links saying “You’ve won a lottery” or “XYZ has sent you a message on Facebook”, with a prompt: “click here to open!” These messages are often crafted to entice the user based on their internet history. If the email is about a Facebook message, there would be a replica Facebook page with subtle changes to the URL, for example zeros in place of the letter O, a subtle change that is often overlooked. When the user attempts to log into the fake URL, the phishers steal the login credentials and reroute the user to the original Facebook URL. The user might be surprised to later find that they have been locked out of their account and discover suspicious activity.

Before logging into any website, especially via URLs shared over email and other mediums, users must always check the link before entering their credentials. The same goes for online banking platforms: users must pay close attention to the URL of their bank’s website before entering their username and PIN codes. If one receives an email or text that they have received a sum of money, they might immediately click the attached link and hastily enter their username and passcodes, a minor mistake that could jeopardize their finances. To avoid this problem, users must set up multifactor authentication on their devices to increase security.

Another safeguard is to always download apps and software from the original source, or a trusted provider. This could be the App Store for iOS users or the Google Play Store for Android users. In Ethiopia, people often ask their music/multimedia stores to download music or movies for them, with no knowledge of the source. The same is true for computer applications, like MS Office and Windows applications, where users will obtain ‘cracked’ software to avoid paying for them. This is yet another common negligent practice that leaves internet users susceptible to the theft of their data. These gaps in awareness can be addressed by public awareness efforts and education.

At the organizational level, companies need the utmost due diligence in their procurement process as they might be vulnerable to supply chain threats for purchasing, en masse, the cheapest possible products (anti-virus software, for example) with no knowledge of the source.
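As an added illustration of the look-alike URL check described in this answer (example code, not INSA’s or Ethio-CERT’s own), the following compares the host of a link against a constructed list of trusted login domains after undoing digit-for-letter substitutions such as 0 for o and 1 for l. The trusted hosts and the bank domain are constructed sample values, and the “registrable domain” is simplified to the last two labels.

```python
from urllib.parse import urlparse

# Constructed sample values: hosts the user legitimately logs in to.
# "online.examplebank.et" is a placeholder, not a real bank.
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com", "online.examplebank.et"}

# Digit-for-letter swaps seen in phishing hostnames; the answer's own
# example is zeros standing in for the letter o.
_DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(host: str) -> str:
    """Last two labels of a host (simplification: ignores public-suffix
    rules such as .co.uk, which a production check would consult)."""
    return ".".join(host.split(".")[-2:])


TRUSTED_REGISTRABLE = {registrable(h) for h in TRUSTED_HOSTS}
# Brand words that should not appear in an untrusted hostname.
TRUSTED_BRANDS = {r.split(".")[0] for r in TRUSTED_REGISTRABLE}


def normalize_host(host: str) -> str:
    """Undo common look-alike substitutions so 'faceb00k' reads 'facebook'."""
    return host.translate(_DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")


def classify_url(url: str) -> str:
    """Classify a link before credentials are typed into it.

    Returns 'trusted' (host belongs to a known login domain), 'lookalike'
    (host matches a trusted domain only after undoing substitutions),
    'brand_abuse' (a trusted brand name appears inside an untrusted host,
    e.g. facebook.com.secure-login.example) or 'unknown'.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Subdomains of a trusted registrable domain are treated as trusted
    # (an assumption of this example).
    if registrable(host) in TRUSTED_REGISTRABLE:
        return "trusted"
    normalized = normalize_host(host)
    if normalized != host and registrable(normalized) in TRUSTED_REGISTRABLE:
        return "lookalike"
    if any(brand in normalized for brand in TRUSTED_BRANDS):
        return "brand_abuse"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.facebook.com/messages",
                 "https://www.faceb00k.com/login",
                 "https://facebook.com.secure-login.example/",
                 "https://online.examp1ebank.et/"):
        print(f"{classify_url(link):12s} {link}")
```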

What recommendations does the Administration forward to public sector employees, and regular people, to safeguard the security and privacy of their information?

Although there is much to be done in the protection of private data for individuals, through legislative means and public awareness, state institutions like ours primarily prioritize issues of national security. Due diligence at the individual level is important and also requires national-level awareness campaigns on private data protection. INSA does some public awareness activities on our social media channels and websites, and through mainstream media channels, TV, and radio. In addition, we host a national cybersecurity awareness month, a month dedicated to building public awareness of cyberspace and its threats, furnished with various activities for all sectors. Exhibitions, such as the one held this year at the National Science Museum, have an exponential benefit to the field and we hope to continue such engagements with the public in the coming years.

How would Ethio-CERT encourage young scholars to pursue the cybersecurity field?

First, youngsters need to identify their interests and talents. They need to know their hobbies and leanings. If they take a keen interest in coding and programming, there are various open-source learning opportunities online. Family support is also crucial in nurturing and connecting youngsters to the necessary resources to develop their talents. INSA also hosts various events for youngsters and young professionals with knowledge and interest in networking, Windows/Linux, and operating systems. In the Capture the Flag (CTF) hacking marathon we hosted in this year’s Cyber Awareness month, we identified over 45 talented youngsters, as young as twelve years old, with a natural talent in the various assessments we offered. INSA has a host of initiatives, like the Ethio-cyber Talent Center (https://www.insa.gov.et/), designed to encourage young minds with an inclination towards the field of cybersecurity.

Footnotes:
[1] Malware, or malicious software, is any program or file that is intentionally disruptive or harmful to a computer, network, or server.
[2] SCADA (supervisory control and data acquisition) is a category of software applications for controlling industrial processes, which is the gathering of data in real time from remote locations in order to control equipment and conditions.
[3] A Distributed Network Attack (DDoS) takes advantage of the specific capacity limits that apply to any network resource and attempts to overwhelm or crash systems.
[4] The PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards.