Cyber Incident Victim: Kenya Airports Authority
Date: Feb 2023
Location: Kenya
Summary
In February 2023 the Kenya Airports Authority (KAA) was attacked by the Medusa ransomware group, which gained access with an engineer's compromised credentials and exfiltrated roughly 514 GB of operational data, including procurement plans, site surveys, and financial documents, that KAA characterised as non-sensitive. The breach disrupted the Authority's website for a time, but KAA reported no significant operational or financial impact, refused the ransom demand, and strengthened its security controls. Medusa, which uses AES and RSA encryption in its ransomware operations, published the stolen data online when KAA did not pay.
Description
The Kenya Airports Authority (KAA) confirmed a cyberattack in February 2023 by the Medusa hacking group, which infiltrated its network and exfiltrated approximately 514 GB of data. An anonymous KAA official said the attackers got in using credentials tied to an engineer's identity card and passport details; the exact intrusion method, including how those credentials were obtained and where they were used, was not disclosed. Medusa leaked documents including procurement plans, physical layouts, site surveys, invoices, and receipts, and the KAA website remained disrupted for several days while the data was being released. The group demanded a ransom, but KAA refused to engage, reasoning that payment would give no assurance the attackers had not kept copies of the data. Authority representatives stressed that only publicly available information was exposed and that no operational or financial systems were significantly affected. KAA said afterwards that it had hardened the affected systems, without detailing the technical measures. Even taking those statements at face value, a single set of compromised credentials was enough to reach and exfiltrate hundreds of gigabytes, which points to gaps in access control and data-exfiltration monitoring that the absence of sensitive data does not address.

Medusa, first identified in 2021, resurfaced in 2023 after a period of inactivity and was linked to other high-profile attacks, including one against Minneapolis Public Schools. The group locks data with AES and RSA in the usual hybrid arrangement: files are encrypted with the symmetric AES cipher, and the AES keys are in turn encrypted with the attackers' RSA public key, so recovery depends on an RSA private key that only the attackers hold. Combined with the threat of publishing exfiltrated data, this double-extortion model pressures victims to pay. The Communications Authority of Kenya reported a 133% rise in cyber threats in the 2021–2022 financial year, to 359.2 million detected incidents, attributing the growth to expanding internet access that widens the attack surface. While KAA downplayed the breach's severity, the volume of leaked data and Medusa's track record underscored persistent cybersecurity challenges facing Kenyan institutions. The Authority's refusal to negotiate aligned with common guidance not to pay ransoms, but refusal does not undo exposure: the leaked procurement, layout and financial documents remain public, and the resulting reputational risk remains unresolved.
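To make concrete why a combined AES-and-RSA scheme leaves a victim unable to recover files, here is an added Go example. It is not Medusa's code and not from this page; the page only says "AES and RSA", so AES-256-GCM, RSA-OAEP with SHA-256, the 2048-bit key size and the sample document are illustrative assumptions. It encrypts a document with a fresh per-file AES key, wraps that key under the attackers' RSA public key, and shows that the matching private key recovers the document while an unrelated key does not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what remains on disk after hybrid encryption: the ciphertext,
// the GCM nonce, and the per-file AES key wrapped under the attackers' RSA
// public key. None of these yields the plaintext without the RSA private key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 32-byte AES key
	Nonce      []byte // GCM nonce, unique per file
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// SealFile encrypts plaintext with a random AES-256 key in GCM mode and wraps
// that key with RSA-OAEP (SHA-256) under pub. Modes are assumed, not Medusa's.
func SealFile(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Only the holder of the RSA private key can undo this step.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// OpenFile reverses SealFile. Any private key other than the one matching the
// sealing public key fails OAEP unpadding, so the AES key is never recovered.
func OpenFile(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key (wrong RSA private key?): %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo seals a constructed sample document under an "attacker" key pair and
// reports whether that private key recovers it and whether an unrelated key,
// standing in for a victim who holds no key at all, fails.
func Demo() (recovered bool, wrongKeyFails bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	unrelated, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Constructed sample content; not a real KAA document.
	doc := []byte("Procurement plan FY2022/23 (sample) - runway lighting tender")
	env, err := SealFile(&attacker.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	plain, err := OpenFile(attacker, env)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(plain, doc)
	_, err = OpenFile(unrelated, env)
	wrongKeyFails = err != nil
	return recovered, wrongKeyFails, nil
}

func main() {
	ok, fails, err := Demo()
	fmt.Println("attacker key recovers:", ok, "| unrelated key fails:", fails, "| err:", err)
}
```

Run it with `go run .`. The point for defenders is that the envelope carries the AES key only in RSA-wrapped form, so once files are sealed the realistic recovery path is offline backups, not decryption; that is why Medusa's leverage rests on the leak threat as much as on the encryption.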
