Organisations across Kenya were hit by relentless cyber threats






Kenya entered 2025 with a digital economy expanding faster than its ability to defend it.

By the end of the year, the country had experienced one of the most turbulent cybersecurity periods in its history—marked by overwhelming volumes of cyber threats, a rapid evolution of attack techniques, significant disruptions to essential services, and a race by the government and private sector to build the resilience required for an increasingly interconnected nation.

The lessons learned in 2025 now form the backbone of Kenya’s cybersecurity posture heading into 2026 and beyond, shaping legislation, national strategy, institutional reforms, and international cooperation.

The first and most notable development was the government’s admission, through repeated public briefings, that the scale of cyber threats facing Kenya had reached unprecedented levels.

Data from the Communications Authority of Kenya (CA) revealed that between July and September alone, the National KE-CIRT/CC detected more than 842 million cyber threat events, a sharp rise that underscored the increasing sophistication of threat actors and the vulnerabilities that continue to plague Kenya’s digital infrastructure.

While Kenya had previously faced waves of cyber incidents—including politically motivated attacks, online fraud, and ransomware campaigns—2025 set a new benchmark, forcing policymakers to rethink both the technical and legal frameworks underpinning national cybersecurity.

A major lesson emerged early: cyber threats were no longer abstract risks affecting only large institutions. They had become a national security concern touching every sector: government, financial services, telecommunications, academia, health, transport, and emerging digital businesses.

According to CA Director-General David Mugonyi, organisations across Kenya were hit by “relentless cyber threats from ransomware, Distributed Denial-of-Service (DDoS) attacks and social engineering,” with malicious actors increasingly relying on advanced phishing campaigns and artificial intelligence to scale their operations.

Deepfake-enabled scams, once considered experimental, quickly became common tools for financial fraud, disinformation, and corporate espionage.

The Kenyan experience in 2025 demonstrated that cybercrime was not merely diversifying; it was industrialising.

The rise of cybercrime-as-a-service (CaaS) made it possible for low-skilled actors to purchase sophisticated attack kits on the dark web.

Meanwhile, state-sponsored advanced persistent threats (APTs) expanded their focus on Africa as geopolitical tensions intensified globally.

These realities underscored Kenya’s second major lesson: its cybersecurity defences had to evolve faster than its attackers.

To address this gap, Kenya embarked on a far-reaching legislative and institutional transformation.

In early 2025, Parliament passed the Computer Misuse and Cybercrimes (Amendment) Act, strengthening the legal framework for prosecuting cyber offences and tightening provisions around data protection, digital forensics, and cross-border information sharing.

Public prosecutors and investigators were given clearer tools to pursue cybercriminals, many of whom operate across jurisdictions.

Another turning point was Kenya’s decision to ratify the Budapest Convention on Cybercrime, becoming one of the few African countries to align with the world’s leading framework on cross-border cooperation in digital investigations.

This was a clear admission that cyber threats had become transnational and that Kenya could no longer fight them alone.

Ratification was accompanied by reforms in digital evidence handling, expanded training for investigators, and a commitment to collaborate more closely with Interpol, Europol, and international CERT networks.

However, perhaps the most transformative institutional development in 2025 was the operationalisation of the National Cybersecurity Operations Centre, a new national nerve centre tasked with providing 24-hour surveillance, coordinated incident response, and real-time analysis of threats targeting the country.

The Centre expanded the capacity of the National KE-CIRT/CC, which has existed since 2014 but had increasingly been stretched by the surge in threats.

The new operations centre introduced advanced threat-intelligence tooling, wider stakeholder integration, and improved information sharing mechanisms with the private sector.

Despite this improved infrastructure, the data revealed by KE-CIRT/CC in 2025 painted a sobering picture.

Malware attacks against critical infrastructure rose sharply, with over 31 million attempts detected between July and September alone. Attackers targeted systems with outdated software, unpatched vulnerabilities, and weak authentication protocols—exposing weaknesses in Kenya’s digital hygiene.

Internet Service Providers (ISPs), cloud service providers, and government institutions bore the brunt of these waves, as attackers sought persistent access, data exfiltration, or operational disruption.

Web application attacks, often exploiting weaknesses in SSL/TLS configurations, targeted government portals and service platforms, aiming to compromise login credentials or intercept sensitive data.

While the number of such attacks—over 10 million in three months—showed a slight decline from earlier in the year, the persistence of these vectors highlighted the failure of many institutions to update legacy systems or invest adequately in secure infrastructure.

Mobile application attacks, though fewer in number, revealed another important lesson: the explosive growth of Internet of Things (IoT) devices and connected household gadgets represented a new frontier for cybercrime.

Many IoT products used in Kenyan homes and businesses lacked basic security protocols, creating millions of entry points for cyber intrusions. As Mugonyi noted, the rapid proliferation of such devices meant that cybersecurity could no longer be limited to traditional IT infrastructure—security now had to extend to smart TVs, surveillance cameras, automated gates, and office appliances.

The 2025 threat landscape also exposed human vulnerabilities. CA’s advisories highlighted widespread reliance on default credentials, inadequate cyber-risk awareness, and insufficient deployment of multi-factor authentication (MFA).

As a result, the Authority issued more than 19 million advisories between July and September alone, emphasising patch management, strong password policies, network firewall configuration, and endpoint protection.

The fact that so many advisories were necessary illustrated a core lesson: Kenya’s cybersecurity problem was as much behavioural as it was technological.

Communications Authority of Kenya (CA) headquarters, Nairobi/FILE






Another major learning curve came through the expansion of cybersecurity capacity-building programmes, especially the high-profile Cyber Threat Intelligence (CTI) training hosted in August 2025 in partnership with the UK’s Foreign, Commonwealth & Development Office (FCDO) and facilitated by KPMG UK.

This programme trained 87 participants from 25 organisations, focusing on threat analysis, crisis communication, incident simulations, and benchmarking Kenya’s threat posture against global best practices.

The training highlighted the reality that modern cyber defence requires not only technology but also skilled personnel capable of understanding attacker techniques, anticipating threats, and coordinating multi-agency responses.

The discussions held during this programme revealed another key takeaway from 2025: the threat landscape was evolving too fast for individual institutions to operate in silos.

Effective defence required a “whole-of-nation” approach that connected government agencies, regulators, private companies, academia, and international partners. The National KE-CIRT/CC Cybersecurity Committee (NKCC), composed of more than 50 organisations, played a central role in strengthening trust networks and improving information sharing.

Quarterly meetings facilitated the exchange of sector-specific threat intelligence and helped harmonise response strategies across Kenya’s critical information infrastructure ecosystem.

The year also saw increased public engagement and awareness efforts. In September 2025, KE-CIRT/CC participated in the inaugural UoN Data Privacy and Cybersecurity Awareness Webinar, alongside the Office of the Data Protection Commissioner (ODPC) and county government representatives.

These sessions served as reminders that cybersecurity maturity in Kenya could not advance without empowering citizens, students, and small businesses with the knowledge to identify, report, and prevent cyber incidents. Through these engagements, Kenya learned that cybersecurity was no longer a specialist domain—it had become a civic responsibility.

The rise in attacks in 2025 also illuminated the economic implications of weak cyber defences. Financial sector institutions reported escalating losses from digital fraud, leading to increased scrutiny from regulators and pressure to invest in stronger security systems.

E-government platforms experienced attempted outages that threatened service delivery, illustrating how cyber disruptions could easily escalate into governance challenges.

Supply chain attacks targeting vendors and third-party providers raised alarms among large corporations, which learned that the weakest link in the chain could compromise the entire ecosystem.

One of the most important lessons Kenya learned was that cybersecurity must evolve at the same pace as digital transformation, not lag behind it.

As the government pushed forward with digital public services, mobile-money integration, artificial intelligence adoption, and cloud migration, attackers followed the same trajectory, targeting new digital touchpoints as they emerged.

The vulnerabilities created by the use of deprecated systems, insufficient investment in modern infrastructure, and the slow update cycles of public institutions were repeatedly exploited throughout the year.

2025 also made clear that technological advancements—as powerful as they are—do not necessarily translate into security unless accompanied by policy clarity.

The draft National Cybersecurity Strategy 2025–2030, released during the year, sought to address this gap by outlining a coherent national roadmap that emphasised risk management, resilience building, capacity development, and the protection of critical infrastructure.

Among its central pillars were commitments to strengthen regulatory oversight, promote secure digital innovation, enhance cybersecurity education, and integrate AI into threat detection systems.

The draft strategy was one of the clearest reflections of Kenya’s determination to convert the lessons of 2025 into a long-term policy vision.

Another key lesson came from the rising use of artificial intelligence by both defenders and attackers. While Kenyan organisations began experimenting with AI-powered monitoring tools, attackers also leveraged generative AI to automate phishing campaigns, generate polymorphic malware, and create convincing deepfakes.

The dual-use nature of AI reinforced the need for governance frameworks and ethical standards that could help mitigate unintended consequences.

By the end of 2025, it had become clear that Kenya’s cyber threats were not isolated anomalies—they were symptoms of a global trend.

Cyber-related geopolitical tensions, digital conflict between competing states, the growing complexity of global supply chains, and the expansion of cloud-based ecosystems all increased Kenya’s exposure.

Kenya’s experience mirrored global patterns but also reflected uniquely local challenges, including uneven investment in cybersecurity among small businesses, limited awareness among citizens, and fragmented defences across county governments.