Analysis: IEBC Servers Were Hacked

A forensics analysis reveals that the three Venezuelans arrested upon landing in Nairobi two weeks before the General Election had not been contracted by the electoral commission but had access to its servers five months before the disputed polls.

According to the analysis of computers seized by the Directorate of Criminal Investigations (DCI) from Salvador Javier, Jose Gregorio, and Joel Gustavo, the three were among dozens of non-Independent Electoral and Boundaries Commission (IEBC) staff who had extensive access to the agency’s servers.

This access, granted through a company linked to a senior North Eastern politician, is currently being investigated by the DCI, whom the Azimio coalition wants summoned to the Supreme Court to testify in their petition.

Last evening, it was unclear whether the investigations agency would testify. However, the DCI wanted to arrest the foreigners but was held back by Mr Wafula Chebukati, the beleaguered IEBC chairman.

Mr Chebukati assured DCI George Kinoti and Police Inspector-General Hillary Mutyambai in a meeting on July 28 that the IEBC’s systems were impenetrable and that only accredited employees had access to them.

During the meeting at Jogoo House, Mr Chebukati also informed the DCI and IG that the three Venezuelans had been contracted by the IEBC to provide support on behalf of Smartmatic International, the company contracted by the commission to provide electoral management technology.

Detectives on the case since July now believe that was not the case, and that the three worked for a different entity associated with the North Eastern politician.

Meanwhile, as detectives deliberated their next move last evening, an East African Data Handlers (EADH) forensic analysis of the six data transmission servers used by IEBC revealed that several unauthorised individuals gained access to the system.

There were also several successful attempts to download Form 34C, which Mr Chebukati used to announce the presidential election winner.

According to an EADH analysis of the IEBC’s systems, there was a backward tallying of the presidential results in which Form 34C was edited several times in order to correspond to forms 34B and 34A, which the audit shows were intercepted and edited as well.

“It is obvious the downloading and the translation of Forms 34B and Forms 34C indicates that the process was not forward tallying on the designed tallying chain— 46,232 forms 34A create 290 forms 34B and they create the final 34C,” says a report on the analysis.

“In this case, the data seem to be working from forms 34C that are seemingly being downloaded into a .csv file, modified or edited and transmitted,” it further states.

Despite IEBC’s assurances that its systems were impenetrable, the EADH analysis reveals that unauthorised persons not only accessed the servers multiple times but were also able to intercept communication between the Kiems kits and the presidential tallying center in Kenya.

The level of interception was so severe that a number of forms 35 used for parliamentary elections ended up inside the servers used to count presidential votes.

“It seems as though there was a middleware that was intercepting, receiving, and/or sending information between the Kiems kit or the county tallying servers and the presidential tallying server and verification of specific forms,” says the analysis.

For example, on August 12, one of the IEBC’s servers was accessed remotely using IP address 10.13.0.49 at 12.16 pm.

“The connection was disconnected at 1:27 pm and reconnected at 4:13 pm, which was terminated almost immediately and then reconnected at 4:47 pm,” the report states.

Such connections were made by people who had not been gazetted as IEBC officials for the elections, including a login named Dickson Kwanusu, who not only modified data in the system but also downloaded Form 34C on several occasions.

“All the IEBC officials for the 2022 General Election were published in the Kenya Gazette. Dickson Kwanusu does not appear as one of the officials on the documents yet he appears multiple times making and executing requests in the election verification process,” says the investigation.

According to the report, Kwanusu’s login trail on August 14 at 4.29 pm made an ambiguous and intentional modification on the system to override the entire tallying process in order to generate a Form 34C. This was a day before Deputy President William Ruto was declared the president-elect, as tallying was still taking place.

According to the investigation, 27 attempts were made to generate Form 34C between August 12 at 3:48 pm and the time the winner was declared on August 15.

After tallying the votes in all polling stations and constituencies, there should have been only one attempt to generate Form 34C. The big question that investigators are now attempting to answer is why all those forms 34C were generated.

Others who logged into the system despite not being accredited include Abdi Hadir Abdi, who verified 659 forms 34A, Harun Gathiru, Mohamud Mohamed, and Isaiah Khuyole.

The EADH’s forensic analysis findings match those of the DCI, which has separately stated that Salvador Javier, Jose Gregorio, and Joel Gustavo, the three Venezuelans arrested on July 21, were also accessing IEBC systems before, during, and after the elections.

After arriving from Istanbul, Turkey, Gregorio was arrested at Jomo Kenyatta International Airport. His arrest, which also led to the arrest of his colleagues Javier and Gustavo at an apartment in Riverside, Nairobi, resulted in a brief standoff between the IEBC and the police before Mr Chebukati intervened.

Mr Chebukati is said to have assured the DCI and the IG that the Venezuelans had no access to IEBC servers while demanding their release. Investigations, however, reveal that it could have been a smoke screen, as the three had almost everything on IEBC’s systems on their computers.