Cyber Incident Victim: African Union
Date: Mar 2023
Location: Ethiopia
Summary
A massive cyber attack targeted the African Union, compromising multiple IT assets in its data center and rendering services and applications inaccessible. The incident forced an emergency shutdown of the network to prevent further damage, with over 200 corrupted devices identified for cleanup. While cloud-based data remained secure, staff could not access critical resources, disrupting operations and prompting some employees to work remotely using mobile hotspots. Partial recovery efforts leveraged existing disaster recovery systems and functioning applications. The organization attributed the disruptions to a cyber attack but did not confirm its origin; unverified speculation among staff pointed to either external actors or malware infiltration linked to navigating Ethiopia’s internet restrictions. Official sources acknowledged ongoing IT system investigations without confirming attack details.
Description
A massive cyber attack targeting the African Union (AU) commenced on March 3, 2023, compromising the organization’s data center and rendering critical services and applications inaccessible. The attack corrupted over 200 endpoint devices—including laptops and desktops—prompting an emergency shutdown of the AU’s entire campus network to prevent further spread. Internal communications, including a memo from Deputy Chairperson Monique Nsanzabaganwa, confirmed the severity of the incident, which disrupted routine operations for staff across the organization. Employees reported being unable to access work emails or internet services for at least a week following the attack, with some departments completely locked out of systems while others retained partial functionality. The disruption forced numerous staff to work remotely or cease operations entirely due to connectivity barriers, though AU management emphasized that cloud-stored data remained secure despite the on-premises infrastructure compromise. Initial assessments ruled out immediate data loss risks due to the AU’s disaster recovery capabilities, though physical IT assets required extensive remediation.

In response, AU management collaborated with stakeholders to isolate affected systems and initiate restoration procedures. The organization’s Management Information Systems (MIS) department directed staff to use mobile hotspots or internet dongles to access surviving applications while technicians cleaned infected devices at an offsite facility. MIS confirmed its disaster recovery systems could restore some lost data but mandated that all compromised devices undergo cleansing before reconnecting to the network. The AU Communication Service, led by Wynne Musabayana, declined to publicly confirm or deny the attack, while Media Center Coordinator Molalet Tsedeke acknowledged ongoing efforts to diagnose the root cause of the IT failure. Despite repeated inquiries, Ethiopia’s Information Network Security Agency (INSA) provided no official commentary on the incident. Restoration timelines remained unclear as internal divisions grappled with uneven system availability and operational delays.
