Panic at the African Union after a new cyber attack

The intrusion by the Russian hacker group BlackCat paralysed the institution's intranet, financial services and mailboxes. More than 200 computers were infected.

Astonishment at the headquarters of the African Union (AU) in Addis Ababa. On 3 March, ten days after the close of the organisation's annual summit, which brings together the continent's heads of state, there was a sudden blackout. The computer system crashed. "A massive cyber attack has compromised the capacity of our data centre and cut off access to our services and applications", warned the Commission's vice-president, Monique Nsanzabaganwa, in an internal memo on 7 March, which Le Monde has obtained.

The attack immediately paralysed the institution's intranet. Financial services were inaccessible, as were mailboxes and staff performance management software. More than 200 computers were infected, causing panic within the pan-African organisation.

"We're in the dark"

Several African diplomats initially thought it was an attack by a foreign power. The name of Israel initially circulated in the wide marble corridors of the headquarters in Addis Ababa, Ethiopia. Some wanted to believe that the Hebrew state was taking revenge for the expulsion of its diplomat Sharon Bar-li during the last AU general assembly, against a backdrop of controversy over the observer status granted to Israel.

The hackers eventually identified themselves when demanding a ransom. According to several sources within the institution, the BlackCat group of Russian hackers sent an e-mail asking for 3 million dollars to put an end to their attack.

In the absence of any response from the AU to its numerous requests, Le Monde has been unable to determine the exact amount of the ransom, or whether it has been paid, but a West African diplomat based in Addis Ababa sums up the reasons for the organisation's embarrassment. "The institution has no insurance against such risks of intrusion", he explains. "So far, all the bodies are trying to hush up the affair," confides another diplomatic source. "We're in the dark, the Commission hasn't given us any details about the attack since 7 March", concludes a frustrated member of a North African embassy.

Fortunately for the organisation, the data stored in its data centre - located in Nairobi - was backed up the day before the attack and is believed to be partly intact. Since then, it has taken the intervention of teams from Interpol, Afripol and the African Development Bank - which paid $6 million for the operation - to clean up the computers, restore certain services and begin updating a particularly fragile security system.

"The sieve"

According to a North African diplomat, "less than 40%" of the AU's IT services have been restored two months after the attack. There is no Wi-Fi, no mailboxes. "Staff have to work remotely, with their own equipment, their own computers and their own Internet modems", he explains. In other words, they're on their own.

This is not the first attack by the Russian hacker group BlackCat. It targets large organisations and made a name for itself by stealing 700 gigabits of data from the Italian energy agency GSE. In another attack in 2022, the Russian group demanded a ransom of $5 million from the Austrian region of Carinthia in exchange for handing over data recovery software for the data it had stolen from the administration.

For the AU and hundreds of concerned diplomats, the question of the vulnerability of IT systems is once again being raised. One case in particular is haunting people's minds. In 2017, the organisation's IT unit discovered that its sensitive data had been mysteriously siphoned off at night. An investigation by Le Monde revealed that the data was being sent to servers in Shanghai, China having been the generous builder and donor of the AU headquarters in Addis Ababa.

Beijing had delivered the turnkey building in 2012, after rigging the walls and conference rooms with spy microphones. The AU has since acquired its own servers, but has never been able to stop hackers. Ironically, several members of the organisation have nicknamed it "the sieve".

Source: Le Monde

Noé Hochet-Bodin