Liberia: Alleged Hacking of LoneStar Cell/MTN Network Occurred Months after Orange Acquired Cellcom


Monrovia – According to court transcripts including oral submissions for the Prosecution in the case involving a large scale and unlawful interference, known as a cyber-attack, aimed at disrupting the regular operation of Lonestar Cell-MTN, telecommunications company, at the time of the alleged offense, Orange had already completed the purchase of Cellcom, raising new questions about the motive of Mr. Daniel Kaye, the man accused of hacking into Lonestar’s telecommunications system?

Report by Rodney D. Sieh, rodney[email protected]

Mr. Kaye was arrested at Heathrow airport in February 2017 and extradited to Germany pursuant to a European arrest warrant put out by the German authorities in relation to an act of computer sabotage against Deutsche Telekom. 

As part of Mr. Kaye’s attack on Lonestar in November 2016, one of the devices that the Mirai#14 code discovered and infected were internet routers operated by Deutsche Telekom. Instead of rendering those routers zombie devices subject to DK’s command and control as part of the botnet, the routers instead simply crashed. The crashing of the routers, and the resulting disruption in service experienced by German internet users, was the subject of the German investigation and proceedings. 

The German authorities interviewed Kaye and during those interviews he admitted that the attack on the Deutsche Telekom routers was his responsibility; he ultimately pleaded guilty to the charges against him in Germany. The German proceedings are tangential to the English proceedings and concern only a discreet aspect of DK’s activities. The investigation by the German authorities focused on what happened to the Deutsche Telekom routers, in reality a side effect of DK’s wider criminality.

Deal Sealed in April 2016; Hacking Oct. 2016

Most of the evidence relied on by the prosecution is drawn from Kaye’s admissions during the interviews with the German authorities. The German investigation files were served as evidence in the case. Mr. Kaye admitted to the German authorities that he was responsible for causing the Deutsche Telekom routers to crash; he was acting on behalf of a third party working for Cellcom who ordered the attacks on Lonestar; the aim of the attack on Lonestar was to cause customers to switch providers and subscribe to Cellcom; 

Mr. Kaye was originally charged in relation to ten offences, including offences relating to cyber-attacks on Lloyds and Barclays banks in London. The prosecution dropped charges in relation to seven of those offences on a ‘no evidence’ basis, including offences relating to attacks on the banks; a not guilty verdict was entered in relation to those offences

Relating to the hacking case in Liberia, court documents in possession of FrontPageAfrica show that all the dates referenced in the case range from October 2016 to February 2017 with relations to all activities and payments acknowledged by the court. 

On April 8, 2016, Orange Group announced the completion of its acquisition of the mobile operator Cellcom. The buyout was carried out via Orange Cote d’Ivoire, which agreed to acquire Cellcom Telecommunications’ Liberian subsidiary at the start of 2016. 

Although the purchase price was not disclosed, the sale gave Orange immediate rights to Cellcom’s 1.4 million subscribers, paving the way for the arrival of one of Africa’s leading players in the telecoms industry. 

Orange Breaks Silence

The deal offered Orange a playing field to provide marketing expertise and world-class technical capability to further strengthen the operator’s established network and enhance customer service as Liberia became the 20th market in Orange Group’s Africa and Middle East footprint.

In its first official response to the controversy, Orange in a statement this week said it is taking the matter seriously.

“Orange has been made aware of the reports of [DDOS/Cyber] attacks carried out against Lonestar in or around 2015 and 2017 and the alleged involvement of Avishai Marziano in such attacks. Mr. Marziano previously performed certain roles in the operation of Cellcom Liberia prior to Orange acquiring control of Cellcom Liberia in April 2016. He continued to provide services to Orange Liberia for a transitional period after Orange acquired control of the company. Mr. Marziano has not had any role or involvement with Orange Liberia since February 2017. Orange takes these matters seriously and is carrying  out an investigation.”

Mr. Babatunde Osho, former Chief Executive of Lone Star in a written submission to the court, said Mr. Kaye’s criminality had been devastating. “The DDOS perpetrated by Daniel Kaye seriously compromised Lonestar’s ability to provide a reliable internet connection to its customers. In turn, Mr. Kaye’s actions prevented Lonestar’s customers from communicating with each other, obtaining access to essential services and carrying out their day-to-day business activities. A substantial number of Lonestar’s customers switched to competitors. In the years preceding the DDOS attacks, Lonestar’s annual revenue exceeded $80m (£62.4m). Since the attacks, revenue has decreased by tens of millions and its current liabilities have increased by tens of millions.”

Judge Alexander Milne QC agreed: “It appeared from Mr. Osho’s statement that the attacks on Lonestar went on between October 2016 and February 2017. While the reduction in Lonestar’s business during that time may not be entirely attributable to the cyber-attacks carried out by David Kaye, it would be farfetched to suggest that the attacks had not had a significant commercial impact on Lonestar. 

Judge Milne QC while accepting Mr. Osho’s statement that Lonestar spent USD 600k on remedial action and future proofing measures, ruled that while the convict, an expert hacker, was hired by a senior official at Cellcom, and paid monthly retainer, Cellcom itself did not sanction the attacks that had a significant impact on Lonestar’s ability to provide services to its consumers, resulting in revenue loss of tens of millions of dollars as customers left the network. “There is no record to suggest that Cellcom knew what the employee was doing but the individual offered Kaye up to $10,000 a month to use his skills to do as much as possible to destroy Lonestar’s service and reputation.”

Cellcom/Orange ‘Did Not Authorize’

Defence lawyer Jonathan Green objected in its entirety to the victim impact statement by the former CEO of Lonestar: the figures, that is, losses of nearly USD 70 million as a result of the 3 attacks that took place against Lonestar, are wholly unrealistic and unsupported by evidence. “According to the IMF, in October 2016, Liberia had a population of 4.6 million people with a per capita income of USD 1.5 a day: it is unlikely, with that in mind, that the evidence put forward regarding loss suffered is sustainable. The Judge challenged the Defence on this point nothing that Liberia is one of the central points for shipping around the world, and therefore Lonestar’s profits may rely on international trade rather than the income of individual citizens. 

Green accepted this may be the case, but that in any event that was not addressed in Mr. Ohso’s statement and that what was important to remember was that the attacks that Kaye carried out were not attacks on a cellular network, but on data only. What happened as a result of Kaye’s attacks was that a slow and sporadic internet service became even slower and more sporadic; what most certainly did not happen was the collapse of the internet and telecommunications network in Liberia.”

Transcript of the judge’s sentencing indicates that he believes Cellcom/Orange did not authorize or know about this but that “an employee” instigated this “during 2016 and the attack(s) happened in November of 2016 and payments occurred between December 2016 to February 2017.

Mr. Kaye was paid a sum of money between late 2016 and early 2017 for his services. This included USD 10,000 found on him at the time of his arrest in February 2017. Mr. Kaye told the German authorities, when interviewed by them, that the payment arrangement was a rolling one: he was to be paid USD 10,000 on a monthly basis for his services, and he had already received payments as part of that arrangement for attacks carried out between September and December. His motivation therefore was financial. 

Prosecutors say Mr. Kaye created a Mirai#14 botnet with the intent to use it to target Lonestar. He reportedly carried out the cyber-attack on Lonestar by way of a distributed denial of service (“DDOS”) attack. “For that purpose, Kaye created a computer virus (known as Mirai#14) by tweaking a code, known as Mirai, available in the wider hacking community. Kaye created Mirai#14 for the purpose of deploying it to satisfy the arrangement that he had with Cellcom and with the specific intent of targeting Lonestar.”

According to prosecutors, Mr. Kaye carried out the DDOS attack on Lonestar by instructing the Mirai#14 code to seek out devices connected to the internet (such as video recorders and wireless routers), and to then infect those devices and turn them in to ‘zombie’ devices, which would be taken away from their usual tasks to operate instead under the command and control of Kaye, as operator of the Mirai#14 botnet. Once Mr. Kaye had had amassed a swam of zombie devices, he used them as a conduit for an attack on Lonestar by commanding them to connect to the Lonestar servers all at once, thereby overwhelming Lonestar’s server. 

Obvious Commercial, Financial Damage

Once the Lonestar server became overwhelmed, according to court papers, Lonestar could not operate in its usual parameters. “Lonestar’s primary business was taken out of action, having an immediate effect on its customers and subscribers. The attack therefore caused obvious commercial and financial damage to Lonestar, both directly and indirectly. Following the attack, Lonestar was forced to apply resources towards remedial action and to put in place protective measures to future proof its systems.”

Orange/Cellcom sources have told FrontPageAfrica that the Lonestar losses claim is being exaggerated and is completely bogus and a scam.

The Orange Official who preferred not be named said, since 2012 market trend shows a continuous decline in Lonestar’s revenue performance and devaluation of their brand. “While Lonstar’s revenue declined, their subscriber base however grew. Which means that the average revenue per user went down, as well as, the total market revenue decreased.  It is very clear that the results shows Lonestar suffered instability as a company, poor management, bad strategical decisions refusing to adjust to changes in the market and public boycott against the company and its controversial local stakeholders,” the Orange official said.

The Orange official also expressed concern why LoneStar Cell MTN would file a civil suit in the United Kingdom instead of Liberia, especially so when LoneStar Chairman during the period the alleged hack took place, Mr. Benoni Urey and his partner, Emmanuel Shaw, were both on UN imposed travel ban and asset freeze. “It is most likely that neither would appear in court in the U.K. if we asked for their presence for questioning….so why UK?” asked the Orange Official.

According to the Orange source, LoneStar Cell MTN began to decline in revenue since 2015 when it could not compete in the GSM space in Liberia.

In March 2016, the Chairman of LoneStar by then, Mr. Urey, wrote former President Ellen Johnson Sirleaf to draw her attention to what he considered as uncontrolled competitive price war being waged in the Liberian telecommunications industry.

The letter indicated that the long running and unending promotions, as well as freebies like the free calls to the USA, $1 for 3 days calls, $1 for 5 days and $5 for 3Gb date for one month, etc. were negatively impacting government revenue and revenue to the GSM Companies and the Liberia Telecommunications Authority.

An attached analysis to the communications to the President showed that revenue loss in 2013 and 2014 amounted to US$22 million. “In 2013 when the promotions were introduced LoneStar tax obligation to the government dropped from $47.9 million to $38.6 million in 2014 ( 9% drop year on year equivalent to USD9.3 million) and to $27.5 million in 2015 (20% drop year on year, equivalent USD11 million). There could be further economic repercussions if these promotions are not stopped; regrettable, no one sees the need to act and save the telecom industry,” the letter to President Sirleaf at the time noted.

 Regarding the size of the Mirai#14 botnet, court papers say, upon Kaye’s arrest, an application installed on Kaye’s mobile phone called a ‘Mirai Monitor’ measured connections to hundreds of thousands of devices. “Additionally, open source reports suggest that the Mirai#14 botnet was the largest botnet that existed at the time of its creation; Kaye referred to this in his interview with the German authorities.”

Although Lonestar is a private company, it forms a key part of the telecommunications network of Liberia, court filings say. “There being only a small number of telecommunications providers in Liberia (Lonestar being one of the small number of major providers), Kaye’s attacks affected the integrity of the telecommunications activity of an entire nation. This fact was made all the more serious in this case because Kaye was acting for Cellcom seeking to knock out its competitor.”

Mirai#14, according to the court ruling, since its creation, remains capable of being repeatedly deployed. “Creators or controllers of these botnets usually rent them out so that other individuals in the cyber-hacking community can use them to carry out attacks of their own. It is also possible that the creator/controller of a botnet loses control of the code used to create them. The code may end up in the hands of nefarious people capable of exploiting it for their own ends and using it to build and deploy their own malicious botnets with the code being used, therefore, for purposes far beyond its originally intended purpose.”

Officers of the National Crime Agency interviewed Kaye in the UK on 23 and 24 February 2017 prior to his extradition to Germany. On that occasion, Kaye gave a false account of his involvement in the Lonestar attacks. Kaye stated that he was a cyber security consultant who was interested in Mirai#14 and wanted to know more about it so that he could shut it down. He denied knowing who owned or controlled Miria#14.