Introduction
Kenya recently witnessed a coordinated cyberattack that disrupted several high-profile government websites, with the hacker group PCP@kenya claiming responsibility. The attackers defaced multiple platforms belonging to ministries, state departments, and county administrations.
This incident took place amid a growing wave of cyber threats, with over 842 million attacks recorded between July and September 2025, highlighting the region's increasing exposure to sophisticated cyber actors.
When considered alongside past incidents such as the Communication Authority breach in 2017 and the eCitizen outage in 2023, it’s clear that Kenya’s digital ecosystem remains a major target for cyber threat groups.
What Really Happened?
The November 2025 attack affected platforms belonging to:
Other government offices and entities compromised included:
Key Attributes of the Attack
The websites were hit by a defacement campaign, with attackers replacing legitimate website content with extremist and neo-Nazi slogans such as:
“Access denied by PCP,” “White power worldwide,” and “14:88 Heil Hitler.” These messages clearly showed the ideological, propaganda-driven nature of the attack.
The compromised websites also suffered hours of downtime, disrupting government services and causing public confusion. There was no immediate evidence of sensitive data being leaked, but the coordinated nature of the attack indicates a high level of planning. Note that write access sufficient to replace a site's front page is usually enough to read its configuration files and database credentials, so the absence of a visible leak should be confirmed by forensic review of the affected servers rather than assumed.
Potential Root Cause
The most critical question is how PCP@kenya managed to compromise such a wide range of unrelated government websites simultaneously.
The scale and synchronization strongly suggest that the attackers did not breach each ministry independently. Instead, they likely exploited a shared digital dependency used across multiple government institutions.
The two most probable causes might be:
Shared hosting infrastructure. Many government ministries and departments are likely to rely on centralized hosting infrastructure, most probably managed through the ICT Authority's data centers.
If attackers gained access to the hosting control panel, a shared administrative interface, or a core web server supporting multiple ministries, they could push defacement files to every site hosted on that platform. On a shared host, weak file permissions between tenants' document roots would give the same result from a single compromised site, without any access to the panel itself.
Shared CMS platform. A significant number of government websites are built on the same Content Management System (CMS), often even the same version, e.g. WordPress or Joomla.
If an unknown or unpatched vulnerability existed in that CMS, or in a plugin or theme deployed across the sites, attackers could use a single exploit, especially a Remote Code Execution (RCE) vulnerability, to deface every website running on that platform.
With this understanding, I can now explain the root cause with reasonable confidence: a shared dependency accounts for the identical defacement seen across multiple websites, the near-simultaneous timing of the intrusions, and the consistency of the attackers' messages. Which of the two paths was used can only be confirmed by forensic analysis of the affected servers.
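The shared-dependency reasoning above can be tested rather than assumed. The following is an added example, not code from the original article or from South-End Tech: given an asset inventory of site fingerprints (resolved IP, Server header, CMS and version, and the control panel each site is managed through), it finds which attributes are common to every defaced site and ranks each attribute value by how well it separates defaced from intact sites. All hostnames, addresses, versions and panel names in the inventory are constructed sample data, not real Kenyan government systems; the `panel` field is an assumed inventory attribute.

```python
"""Common-attribute triage for a multi-site defacement.

Added example (not from the original article or from South-End Tech).
Given an inventory of site fingerprints, find which attributes are shared
by every affected site, so an analyst can test the "shared dependency"
hypothesis (same hosting IP, same CMS version, same control panel) with
data instead of assuming it. All values below are constructed samples.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteFingerprint:
    host: str
    ip: str           # resolved A record
    server: str       # HTTP Server header
    cms: str          # e.g. from <meta name="generator">
    cms_version: str
    panel: str        # hosting control panel / admin interface (assumed inventory field)
    defaced: bool


# Constructed inventory: not real hosts, addresses or panels.
INVENTORY = [
    SiteFingerprint("ministry-a.example", "198.51.100.10", "Apache/2.4.57", "WordPress", "6.2.2", "panel-01.example", True),
    SiteFingerprint("ministry-b.example", "198.51.100.10", "Apache/2.4.57", "Joomla", "4.3.1", "panel-01.example", True),
    SiteFingerprint("county-c.example", "198.51.100.11", "nginx/1.24.0", "WordPress", "6.2.2", "panel-01.example", True),
    SiteFingerprint("department-d.example", "198.51.100.11", "nginx/1.24.0", "WordPress", "6.2.2", "panel-01.example", True),
    SiteFingerprint("agency-e.example", "198.51.100.10", "Apache/2.4.57", "WordPress", "6.2.2", "panel-02.example", False),
    SiteFingerprint("agency-f.example", "203.0.113.5", "nginx/1.24.0", "WordPress", "6.4.1", "", False),
]

ATTRIBUTES = ("ip", "server", "cms", "cms_version", "panel")


def shared_attributes(inventory):
    """Return {attribute: value} for every attribute that has exactly one
    value across all defaced sites. A single shared value is a candidate
    shared dependency; an attribute with several values among the defaced
    sites cannot by itself be the common cause."""
    defaced = [s for s in inventory if s.defaced]
    if not defaced:
        return {}
    result = {}
    for attr in ATTRIBUTES:
        values = {getattr(s, attr) for s in defaced}
        if len(values) == 1:
            result[attr] = values.pop()
    return result


def rank_candidates(inventory):
    """Rank each (attribute, value) pair by how well it explains the
    affected set. coverage = fraction of defaced sites with that value;
    specificity = fraction of sites with that value that were defaced.
    A true shared dependency scores 1.0 on both."""
    defaced = [s for s in inventory if s.defaced]
    if not defaced:
        return []
    scores = []
    for attr in ATTRIBUTES:
        for value, n_defaced in Counter(getattr(s, attr) for s in defaced).items():
            n_total = sum(1 for s in inventory if getattr(s, attr) == value)
            coverage = n_defaced / len(defaced)
            specificity = n_defaced / n_total
            scores.append((attr, value, coverage, specificity))
    scores.sort(key=lambda t: (t[2], t[3]), reverse=True)
    return scores


if __name__ == "__main__":
    print("attributes common to every defaced site:", shared_attributes(INVENTORY))
    for attr, value, cov, spec in rank_candidates(INVENTORY)[:5]:
        print(f"{attr:12} {value:20} coverage={cov:.2f} specificity={spec:.2f}")
```

In the constructed data the defaced sites sit on two different IPs and run two different CMSs, so neither the web server nor the CMS version explains the whole set; the only attribute shared by all four, and by none of the intact sites, is the control panel. That is the kind of finding that should drive where forensic effort goes first.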
South-End Tech POV
This attack reveals that Kenya’s government websites are tightly interconnected behind the scenes, regardless of their different functions. When the shared backbone is weak, the entire ecosystem becomes vulnerable.
Conclusion
The PCP@kenya attack is a clear reminder that cyber threats in Kenya are evolving, becoming more coordinated and more sophisticated. With government websites interconnected through shared hosting and CMS platforms, a single exploited vulnerability can cause widespread disruption across ministries.
Strengthening the government’s digital backbone through improved segmentation, secure hosting practices, continuous patching, and enhanced monitoring is crucial to preventing similar large-scale incidents in the future.
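As one concrete piece of the "enhanced monitoring" recommended above, here is an added example of a fleet defacement detector, not code from the original article or from South-End Tech. For each site it compares the normalised page text against a stored known-good hash and also scans for the defacement phrases quoted earlier in this article. The page bodies and hostnames are constructed samples; in production the bodies would come from a scheduled HTTP fetch of each site in the inventory.

```python
"""Defacement detector for a fleet of websites.

Added example (not from the original article or from South-End Tech).
Two independent signals per site:
  1. the SHA-256 of the page's normalised visible text differs from a
     stored known-good baseline (catches any content replacement);
  2. the text contains a known defacement marker (catches this campaign
     even before a baseline exists, and raises severity).
Page bodies and hostnames below are constructed samples.
"""
import hashlib
import html
import re
from dataclasses import dataclass

# Phrases seen in the defacement, as quoted in the article (lower-cased).
DEFACEMENT_MARKERS = (
    "access denied by pcp",
    "white power worldwide",
    "14:88",
    "heil hitler",
)

TAG_RE = re.compile(r"<[^>]+>")
WS_RE = re.compile(r"\s+")


def normalise(body: str) -> str:
    """Strip tags, decode entities, collapse whitespace and lower-case.
    The hash is therefore insensitive to cosmetic whitespace changes but
    still changes on any edit to the visible text."""
    text = TAG_RE.sub(" ", body)
    text = html.unescape(text)
    return WS_RE.sub(" ", text).strip().lower()


def content_hash(body: str) -> str:
    return hashlib.sha256(normalise(body).encode("utf-8")).hexdigest()


@dataclass
class Finding:
    host: str
    reason: str   # "marker:<phrase>" or "baseline-mismatch"


def check_site(host: str, body: str, baseline_hash):
    """Return the findings for one fetched page. A missing baseline counts
    as a mismatch so that unbaselined sites are surfaced, not ignored."""
    findings = []
    text = normalise(body)
    for marker in DEFACEMENT_MARKERS:
        if marker in text:
            findings.append(Finding(host, f"marker:{marker}"))
    if content_hash(body) != baseline_hash:
        findings.append(Finding(host, "baseline-mismatch"))
    return findings


def scan(pages: dict, baselines: dict):
    """pages: {host: fetched body}; baselines: {host: sha256 of known-good body}."""
    findings = []
    for host, body in pages.items():
        findings.extend(check_site(host, body, baselines.get(host)))
    return findings


def severity(findings):
    """'critical' if a known marker was seen, 'review' if only the hash
    changed (could be a legitimate update), 'ok' otherwise."""
    reasons = [f.reason for f in findings]
    if any(r.startswith("marker:") for r in reasons):
        return "critical"
    return "review" if reasons else "ok"


# Constructed sample bodies.
GOOD_BODY = "<html><head><title>Ministry of Example</title></head><body><h1>Welcome</h1><p>Services &amp; notices</p></body></html>"
DEFACED_BODY = "<html><body><h1>Access Denied by PCP</h1><p>White Power Worldwide</p></body></html>"
UPDATED_BODY = "<html><body><h1>Welcome</h1><p>Services &amp; notices</p><p>New tender published</p></body></html>"

SAMPLE_BASELINES = {h: content_hash(GOOD_BODY) for h in ("ministry-a.example", "ministry-b.example", "county-c.example")}
SAMPLE_PAGES = {
    "ministry-a.example": GOOD_BODY,       # unchanged
    "ministry-b.example": DEFACED_BODY,    # defaced
    "county-c.example": UPDATED_BODY,      # legitimate content change
}

if __name__ == "__main__":
    for host in SAMPLE_PAGES:
        found = [f for f in scan(SAMPLE_PAGES, SAMPLE_BASELINES) if f.host == host]
        print(host, severity(found), [f.reason for f in found])
```

The baseline hash must be refreshed as part of the site's deployment process, otherwise every legitimate update is an alert and the signal is ignored within a week; the marker list needs no such maintenance and is what turns a "review" into a "critical" page. Run it from outside the shared hosting platform, since a monitor that lives on the compromised backbone can be silenced along with the sites.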
Contact South-End Tech Limited
For cybersecurity assessments, infrastructure hardening, and advisory support, our team is ready to assist government agencies and organizations across Kenya.
Telephone: +254 115 867 309 | +254 740 196 519
Email: cybersecurity@southendtech.co.ke | info@southendtech.co.ke