Mountaga Cissé, a Senegalese computer engineer and new media consultant tells APA that it is so obvious that the Regulatory Authority for Telecommunications and Posts (ARTP) in Senegal can no longer deny the hacking of its data system by the ransomware Karakurt group of hackers.
By Oumar Dembélé
Several personal data attributed to the ARTP have been freely available on the web since 17 October.
However, the ARTP has not confirmed that it was hacked.
Why is this so?
MC: This is surprising to many. At first, one could understand because it was a rumour, a fact that was not yet proven. It was just a promise to expose data. Internally, people confused the hacking of a website with the hacking of a computer data system. So the first response (from ARTP) was that "yes, our site is online, so we are not hacked". Whereas the hacker in question (Ransomwares Karakurt) was not talking about the website but rather about computer data archives.
The second thing is that the type of ransomware hacking actually blocks the system. You can't work anymore and they ask you to pay (a ransom). But in the case of the ARTP hack, cybersecurity experts say this is a novelty. These hackers are not blocking your system. They copy the data, keep it somewhere, inform you before asking you to pay. And if they don't, it will be published.
These are reasons that make me say that ARTP did not believe in the veracity of this information. That is why it has not communicated until now. In the meantime, there have been changes. Because before 17 October, it was a threat. After this deadline, it became a reality. The facts are in: there was a hacking. Data was shared. I think the ideal situation would have been for ARTP to decide to communicate on this.
What communication strategy should ARTP adopt after this hacking?
MC: The communication strategy is the crisis strategy. Since it is now proven that there is piracy, the first thing to do is to be transparent. They have to tell the Senegalese that they have been hacked and that their teams are working to restore the system and recover the data that has been stolen etc. And then, there is no shame in saying that one has been hacked. Because, often, large agencies in the world are victims of hacking. Even if this was a first in Senegal, ARTP should be transparent about it, explain to Senegalese what they need to know, the risks they run by seeing some of their data disclosed in the public arena.
The hackers had demanded a ransom of thousands of dollars not to stop them exposing the alleged ARTP data. What are the options now?
MC: According to information shared on the internet, the hackers demanded money from ARTP. I think it is not too late. Of the 102 gigabytes of data announced, the hackers have only shared two so far. According to the website of the alleged hacker, the data will be shared until October 24. So ARTP can stop the bleeding. If you have to pay, why not. If it is necessary to seek the help of cybersecurity experts, why not too. It is no longer a matter for internal management. You have to open up and call on more expert hands. I have confidence in the expertise of the ARTP agents. In such cases, we should no longer lock ourselves away to find solutions, but open up.
How should public institutions secure their computer data to avoid attacks from hackers?
MC: Senegal already has what is calls the National Cyber Security Strategy. On paper, it's good. I read it. Now, in reality, is this strategy being implemented? Is there any coordination between state agencies? Because if this hacking happens to ARTP, we can fear that it will happen to other state or government organisations. The State IT Agency (ADIE), which has now become Senegal Numérique SA, was hacked some time ago. Some ministries have also been hacked as well as the Agency for the Safety of Air Navigation in Africa and Madagascar (ASECNA), a few weeks ago. So, we are not immune. I think it is time for Senegal to implement a much more effective computer security policy to avoid this type of problem in the future.