
Cyber Incident Victim: Kenya Ports Authority

Date: Mar 2018

Location: Kenya

Summary

The Kenya Ports Authority was subjected to network reconnaissance activities originating from a Tsinghua University IP address, assessed to be part of Chinese state-sponsored cyberespionage operations. This scanning targeted ports on the organization's infrastructure alongside other Kenyan entities, including the United Nations office in Nairobi and educational networks, coinciding with Kenya's decision to reject a China-East African Community free trade agreement. The activity aligned with China's Belt and Road Initiative objectives, mirroring similar network probing against strategic economic targets in Alaska, Brazil, Mongolia, and Germany, where reconnaissance correlated with trade discussions or geopolitical developments. The Tsinghua infrastructure also attempted connections to a Tibetan network hosting a sophisticated Linux backdoor, though no successful activation occurred. These operations were consistent with China's broader cyber campaigns to advance economic and strategic interests.


Description

In early June 2018, the Kenya Ports Authority (KPA), a state corporation managing Kenya’s seaports, was subjected to aggressive network reconnaissance originating from IP address 166.111.8[.]246, registered to Tsinghua University in China. The activity targeted ports 22 (SSH), 53 (DNS), 80 (HTTP), 389 (LDAP), and 443 (HTTPS) across KPA’s internet-facing infrastructure, alongside Kenyan telecommunications providers, hosting companies, Strathmore University, and the United Nations Office in Nairobi. This scanning occurred two weeks after Kenya declined to sign a free trade agreement with China under the East African Community framework in May 2018, a decision affecting Beijing’s Belt and Road Initiative (BRI) engagement. The Tsinghua IP had previously probed networks in Alaska, Brazil, and Mongolia during periods of economic negotiations with China, including Alaska’s gas pipeline discussions and Brazil’s port construction projects. Reconnaissance against KPA involved systematic probing of IP ranges to identify vulnerabilities, consistent with tactics used against other BRI-linked targets. No malware deployment or data exfiltration was confirmed against KPA in the available data, though the scale of scanning suggested intelligence-gathering objectives. The activity was detected through third-party network metadata analysis by Recorded Future’s Insikt Group, which correlated the timing with geopolitical events.

The incident formed part of a broader pattern of state-aligned cyberespionage targeting entities central to China’s economic interests. Tsinghua University’s infrastructure was linked to scanning campaigns against multiple BRI participants, including Kenya’s port infrastructure critical to China’s Maritime Silk Road investments. The KPA targeting coincided with heightened Chinese engagement in East Africa, including funding for a 480-kilometer railway linking Mombasa to Nairobi. Network telemetry showed a spike in scanning activity following Kenya’s trade agreement rejection, suggesting operational alignment with diplomatic developments. The same Tsinghua IP conducted reconnaissance against German automaker Daimler AG within 24 hours of its profit warning citing U.S.-China trade tensions, reinforcing the pattern of economically motivated activity. Defensive measures were limited to third-party detection via network metadata; no KPA-specific incident response actions were documented. The infrastructure used (Tsinghua IP 166.111.8[.]246) exhibited characteristics of a gateway or proxy, with historical ties to Chinese state-sponsored operations, including previous brute-force attacks and exploitation attempts flagged by Taiwanese and AlienVault threat lists.
