On the night of February 28, a hacker operating from the Federal University of Technology, Akure (FUTA), connected a computer to the university’s network and began a cyberattack on the website of PREMIUM TIMES. With a mobile phone as his backup, the attacker continued the operation for the next five days.
At about 8:00 p.m., he started with a reconnaissance scan of the newspaper’s website using a web fuzzer popular with low-grade hackers.
The following morning, at about 6:15 a.m., the attacker returned with another open-source vulnerability scanner – WPScan, free tool bloggers use to test for security vulnerabilities on their sites.
About 90 minutes later, he ran his final probe – a custom script.
The following morning, Sunday, the attacker continued his attacks – a series of distributed denial of service, DDOS, attacks that lasted until that evening. On this day, it appeared his goal was simply to shut down the newspaper’s operations by overwhelming its servers.
He began the day – at about 9:28 a.m – with an attack that exploited the very old Character Generator Protocol found in many obsolete internet-enabled devices like printers.
He ended the day with another DDOS attack exploiting the publicly-accessible Network Time Protocol (NTP) servers. NTP is one of the oldest protocols used by internet-enabled devices to synchronize their clocks.
On that day, he launched a total of seven DDOS attacks.
On Tuesday, March 3, he returned with his final attempt for the campaign.
The attacker failed in all attempts to bring down Nigeria’s foremost investigative newspaper as the medium’s security expert, as well as external security consultant, Qurium, worked round the clock to fend off the attacks.
The attacks happened days after PREMIUM TIMES ran a story detailing a power tussle between the National Security Adviser, Babagana Monguno, and the then Chief of Staff to the President, Abba Kyari. It had also published other investigations as is customary with the newspaper.
Insiders at FUTA told this newspaper that some experts at the university were hired to identify vulnerabilities on the PREMIUM TIMES website with a view to bringing down the platform, an allegation the university management rejected. The university claimed the attacks were executed by an unnamed student of the institution.
“I am told someone asked FUTA to break into PREMIUM TIMES’ server, bring the site down and possibly find the sources talking to its journalists,” one insider said.
PREMIUM TIMES as attackers’ customers
PREMIUM TIMES is one of Nigeria’s most respected investigative newspapers. Since its establishment in 2011, the medium has remained a consistent victim of cyber attacks from both government actors and others at the receiving end of its reporting.
But according to the newspaper’s Editor-in-Chief, Musikilu Mojeed, this is the first time the newspaper was experiencing this magnitude of cyber attacks outside an election season.
Federal University of Technology, Akure
In the lead up to the announcement of the 2015 general elections that saw the first victory of an opposition party in a presidential election in Nigeria, the newspaper struggled to sustain its live coverage of the elections. It was bombarded by DDOS attacks sourced locally and others originating from Russia and Ukraine.
The newspaper reported that the Goodluck Jonathan government, through a contract with an Israeli security firm, had an active programme to obstruct the online presence of newspapers considered unfriendly to the reelection campaign of the administration. Mr Jonathan lost that election.
His successor, Muhammadu Buhari, largely seen as a corruption buster at the time, has since continued and in some areas, expanded many of Mr Jonathan’s cyber attack and surveillance strategies.
READ ALSO: 27 police personnel assaulted during lockdown – Official
The most recent salvo of cyber attacks on PREMIUM TIMES heralds a new direction in efforts to shrink media space in Nigeria.
This is also the first time an attack on the newspaper is sourced from a local university utilising public infrastructure outside the security circle.
The attacks were launched from the server network of FUTA’s Computer Resource Centre (CRC), the Information and Communication Technology (ICT) nerve centre of the University.
On March 5, PREMIUM TIMES’ security consultants, Qurium, reached out to FUTA to inform it of the attacks. Emails were sent to Oronti Adewale (Senior Network Engineer), Adegbenro Adebanjo (university spokesperson), the CRC Director and the vice-chancellor of the university. There was no response.
On March 6, an email was sent to Professor Boniface Alese, a professor of cybersecurity and board member of the Computer Resource Centre, on the matter. Mr Alese responded the following day saying a “male student” who stole the CRC identity carried out the attacks to test his skills.
He then asked for more information about the Denial of Service Attacks. Logs were forwarded with evidence of attacks from the university infrastructure. Mr Alese then refused to provide more details about the student or how he was found in such a short time.
Further emails were sent to the university between March 7 and 10 asking for further details about the attacker and how he was found. The university declined to answer the requests.
FUTA’s response to PREMIUM TIMES
PREMIUM TIMES then wrote an official letter to the university’s vice-chancellor, Joseph Fuwape, complaining about the attack on its platform by the institution.
In a letter to PREMIUM TIMES, FUTA acknowledged the attacks and said it had established the identity of the attacker. It also denied endorsing the attacks saying it “abhors unethical cyber practices like attacks or any such ignoble acts.”
As at the time of filing this report, the attacker’s motivation was still unclear. While he reportedly told university investigators it was a bounty adventure, the school authorities believed the attacker had an external influence and said it was pursuing this line in further investigations.
“We state categorically from the onset that FUTA, as an institution, is not involved in and abhors unethical cyber practices like attacks or any such ignoble acts,” states the response from the university, signed by the Head of the institution’s Directorate of Corporate Communications and Protocol, Adegbenro Adebanjo.
“It also does not encourage its member of staff or any students to do so. Therefore, the attack did not emanate from the premises of the Computer Resource Centre but from one of the academic buildings using CRC connectivity.”
FUTA further noted that in response to PREMIUM TIMES’ inquest, the institution discovered that the attack against PREMIUM TIMES’ website indeed emanated from the identified source but had no official or institutional backing on input.
“On the motive behind the action, he initially told the university officials that he was doing it for pleasure. However, our initial conclusion was that he could have some other motive probably with some external influence other than just random cyberattack for pleasure,” the institution also noted.
“This line of investigation is still ongoing to determine the actual motive and if he has some external backers and collaborators.”
In its response, FUTA, however, failed to provide logs to support its claim. It also did not explain why its Professor Alese was able to find within 12 hours the random “student” it said executed the attacks.
And more than three months after, FUTA is yet to update PREMIUM TIMES on its findings regarding its own suspicion that the attacker acted with some “external influence.”
The university has also declined to disclose the identity of the so-called student just as it rebuffed requests by this newspaper to interview the attacker.