How hackers accessed URA system to defraud Shs2.4 billion

Left, Robinhood Byamukama, Guster Nsubuga and their accomplice hack into the URA system. Illustrations by Alex Kwizera.

In 2011, when a suspicious entry was made in the vehicle registration database, Uganda Revenue Authority turned its focus on Jacob Emmanuel Murwon, the customs officer.

Toyota Noah vehicles’ registration numbers UAQ 747Q, UAQ 773Q and UAQ 697Q had earlier been given to caterpillar vehicles.
Murwon, who had exclusive rights to the URA system, told his superiors that he had not created any user rights in the previous five months.

It was the birth of an internal investigation that uncovered one of the biggest hacking incidents the tax collectors had ever experienced.

Murwon’s desktop was taken for a forensic examination, which revealed that spyware had been installed and that it was sending whatever Murwon sent to another address.
With the discovery of the spyware, URA officials had to find who had compromised their system and how much damage he or she had done.

Preliminary investigations discovered that more than 150 cars had got number plates although no taxes had been paid for any of them in the banks. The bank receipts on which the tax collectors had relied to clear the vehicles were also forged.

To get the suspects, investigators had to follow the trail.
They had to establish ownership of the Toyota Noah vehicles and how the owner obtained the number plates. These three vehicles were in the hands of MK Publishers Limited. In the URA documents, the three vehicles were supposed to be re-exported to Burundi.

Ronald Majwega Kironde, general manager, MK Publishers Limited, was summoned.

Kironde told Alex Nuwagira, the then supervisor, tax investigations department, URA, that he gave the money to pay taxes to one Ibrahim Sajjabi, the director of Framas Auto Parts, who told him that he had passed on the money to Guster Nsubuga to execute the payments.
Kironde said Nsubuga later handed him the logbooks for the vehicles.

As internal investigations continued, Nuwagira now had to hunt for Nsubuga to give him his side of the story.

Still interested in the easy money, Nsubuga and three of his colleagues drove into URA premises at Nakawa, a Kampala suburb, parked in the yard and continued with what they had been doing for almost a year.

Security operatives and URA enforcement officers led by Bruno Mwebesa moved in. Nsubuga and his colleagues were caught off-guard.
Mwebesa’s team arrested Nsubuga, Richard Kibalama, Farouk Mugeere, alias Ngobi, and Patrick Owora.
Three laptops (Dell, Samsung and Lenovo brands), an inverter, an external hard disk and other electronic gadgets were recovered.

The URA forensic team was most interested in the laptops.
Isaac Kayemba, the URA manager for forensic investigations, took over. Kayemba subjected the laptop disks to imaging in their laboratory, and he had to take one, from the Samsung, to South Africa for faster imaging.

“I discovered that the Dell laptop had been used to gain access to our computers and servers,” Kayemba said in a statement.
Kayemba also found programmes URA uses in vehicle registration. Forensic experts also found URA’s Automated System for Customs Data, a computerised customs management system which covers most foreign trade procedures, on the laptop disk.

The system handles manifests and customs declarations, transit and accounting procedures. An external disk had URA staff user identities with corresponding passwords. There were several correspondences between two email addresses, [email protected] and [email protected].
To their shock, the Dell laptop was owned by MTN, a telecommunication company.

Investigators now moved to MTN to find out to whom they had given the Dell laptop. MTN officials told investigators that the seized laptop was given to one of their workers, Robinhood Byamukama.

He was arrested. Details about Byamukama gave the investigators a clue as to how their well-protected system could have been penetrated without their notice for so long.

Byamukama was identified as an experienced software programmer who had worked with URA for more than three years.

In a statement, URA Human Resource supervisor, Ronald Kasule, said Byamukama was recruited into URA on January 23, 2006, as a software programmer. For three years, Byamukama worked under the supervision of Rose Mary Kisembo, who was the URA manager for Software Engineering.

As Byamukama and his accomplices were languishing in police cells at the then Special Investigations Unit at Kireka, Wakiso District, the URA forensic team was making more gains in discovering details on the disks.
In the disk imaging, Kisembo found communications between Nsubuga and Byamukama.

In one email, Nsubuga, using his email [email protected], asked Byamukama to take the details of a vehicle with registration number UAL 849T and use them to update another vehicle registration, UAH 035P, “and then get ownership details from UAN 849T, the identity of Eugene Nuwagaba”.
Kisembo examined their database and physical documents, which confirmed that the details of the cars were changed.
“A Nissan Caravan details changed to a Subaru Forester in the electronic database. The changes affected both the chassis and the engine,” she said in her statement.

Detectives took Byamukama to his home, where a search was carried out and his document that had the email [email protected] was recovered. The email in the document was the same as that which was used in the communications retrieved from the seized laptops.

Investigators worked backwards to establish whether the vehicles had been given registration after taxes were paid. An examination was done on the receipts, sanctioned by one Phiona, that were used to get registration for the questioned vehicles.
They started by enquiring from the Nakawa Barclays Bank branch Operations Manager, Teddy Nanfuka, whether the bank slips originated from their bank.

Nanfuka said they didn’t have a worker called Phiona at the branch.

Eleven vehicles had been declared and cleared through the falsified Automated System for Customs Data account of Barclays-Phiona.

When Nanfuka looked at the receipts, she identified a different code, 0218, which had been used, yet theirs was 0215. Even the stamp on the slips was forged.
Nuwagira said: “When we computed the diverse defaults as a result of the compromised URA computer system a loss of Shs2,461,447,275 and 78 cents was incurred”.
Despite overwhelming evidence, the suspects continued to deny any involvement in the crime.

The prosecution journey
Detectives submitted their file to the Director of Public Prosecutions, preferring four charges under the Computer Misuse Act and two under the East African Community Customs Management Act. The charges are against Nsubuga, Mugere, Owora and Byamukama.

The DPP sanctioned the charges and the suspects were taken to court and thereafter remanded.

After the trial in the High Court, Anti Corruption Division, Justice Paul Mugamba agreed with the prosecution that Nsubuga and Byamukama had, without authorisation, used and intercepted URA computer services contrary to sections 15(1) and 20 of the Computer Misuse Act, resulting in a loss of Shs2.4b, but acquitted Mugere and Owora.

Nsubuga and Byamukama were also convicted of the charge of electronic fraud contrary to section 19 of the Computer Misuse Act, resulting in the loss of Shs2.4b, while Mugere and Owora were acquitted.

On the count of unauthorised access of data contrary to sections 12(2) and 20 of the Computer Misuse Act, Justice Mugamba said: “These activities show the involvement of both Nsubuga and Byamukama who interfered with data to the extent that they modified it and to a certain extent damaged it.

I find both Nsubuga and Byamukama culpable and in agreement with the gentleman assessor I convict both Nsubuga and Byamukama under count III”.

Justice Mugamba acquitted all of them on the charge of fraudulent evasion of payment of duty, contrary to section 203(e) of the East African Community Customs Management Act 2009.

The sentence
Guster Nsubuga, the first convict, and Robinhood Byamukama, the other convict, singularly and through their counsel express their regret for what they did and ask this court to be lenient when passing sentence. Besides their young age both told court that they have families and that they are bread winners for their respective families.

The state on the other hand seeks a stiff sentence to be handed down to each of the convicts, arguing that what they did resulted in tremendous loss to the exchequer of URA and compromised the security system of the country. Doubtless it shakes the faith people here and abroad have in that body fondly known as URA.

Ramifications of cyber-crime are not as obvious as those of robbery for instance in the short term. In the long run one notices the greed of those who seek to disinherit the poorest of the poor through discreet methods such as the convicts sought to employ and did apply to sordid effect.

I have anxiously considered the recommendation of the prosecution to invoke S.20 of the Computer Misuse Act where convicts in like offences are liable to life imprisonment for offences under count 1, count 3 and count 4. I note the convicts have no previous record and that they are relatively young men. I have taken into account the period they have spent on remand and the fact that they have young families.

Of course I bear in mind their remorse. Consequently, I sentence each of the convicts to 12 years’ imprisonment on count 2. On count 1, 3, and 4 I sentence each one of them to 8 years’ imprisonment. On count 5, each of the convicts is sentenced to a fine of $4,500. The custodial sentences are to run concurrently.
Concerning pecuniary losses, possibilities may be sought elsewhere if applicable.

JUDGE PAUL K. MUGAMBA, APRIL 3, 2013