# Burkina Faso Critical Infrastructure OSINT
- **Started:** 2026-03-03
- **Type:** Passive OSINT / Open Source Discovery
- **Scope:** Government, military, energy, water, telecom, and all critical infrastructure
- **Target List:** [targets/burkina-faso-websites.txt](targets/burkina-faso-websites.txt) (255 domains)

---

## Country Context

- **Regime:** Military junta under Captain Ibrahim Traoré (2 coups in 2022)
- **Capital:** Ouagadougou
- **TLD:** `.bf` — registry operated by ONATEL, administered by ARCEP
- **Gov domain:** `.gov.bf` (ministries), `.bf` (agencies/SOEs)
- **Language:** French (all sites in French)
- **Total .bf domains registered:** ~2,018 (small TLD = easier to enumerate)
- **Geopolitical shift:** Pivoting away from Western partners (France, US) toward Russia/Wagner — affects digital infrastructure and OPSEC posture
- **Jan 2026 restructure:** Traoré reduced government from 24 to 22 ministries with major renames/merges

---

## Interesting Findings

### 1. Military / Defense
- Ministry of Defense renamed to **"Ministry of War and Patriotic Defense"** (Jan 2026) — still hosted at `defense.gov.bf`
- **defense.gov.bf runs TYPO3 CMS** on PHP 7.3.31 (EOL), Apache, with strong security headers (HSTS preload, CSP, XSS protection)
- **Domain created 2025-03-11** — only ~1 year old, very new deployment
- **SIG (government press office)** is the domain registrant
- **Custom Mooré-language nameservers:** ntoo.gouv.bf, wobgo.gouv.bf, oubri.gouv.bf — cultural OSINT signal
- **Google Analytics UA-144182518-5** — shared account series with securite.gov.bf
- **No dedicated military website exists** — armed forces have zero public web presence
- **National Intelligence Agency (DSE)** — no website found
- `infos@defense.gov.bf` — only email discovered (generic contact)

### 2. Cybersecurity Posture
- **ANSSI** (anssi.bf) is the **BEST secured site** in all of Burkina Faso's web estate
- **Django framework (Python)** — ONLY non-PHP site in the entire government
- **2-year HSTS with preload** — strongest HSTS of all targets
- **Zero subdomains** — perfect subdomain discipline
- **Modern security headers:** COOP, Permissions-Policy, Referrer-Policy, CSRF protection
- **No server header disclosed** — fingerprint deliberately hidden
- **Personnel discovered:** Sakman Zongo (`sakman.zongo@ssi.gov.bf`)
- **Email domain is ssi.gov.bf** (not anssi.bf) — official email on gov.bf infrastructure
- The stark contrast between ANSSI's security and the rest of gov is the biggest finding

### 3. Tech Stack Patterns
| Target | CMS | Server | PHP | Hosting | Security |
|--------|-----|--------|-----|---------|----------|
| Presidency | WordPress 6.9.1 | Apache | PHP | Switzerland (Infomaniak) | HSTS, no CSP |
| Defense | TYPO3 | Apache | 7.3.31 | Unknown | HSTS+CSP+XSS (strong) |
| Security | TYPO3 | Apache | 7.3.31 | Unknown | HSTS+CSP+XSS (strong) |
| ANSSI | Django | Hidden | N/A | Unknown | HSTS+COOP+all (strongest) |
| ARCEP | WordPress | Varnish | N/A | Burkina Faso (196.43.247.56) | X-Frame only |
| ONEA | WordPress + Joomla | Cloudflare | N/A | US (Bluehost) | Cloudflare WAF |
| ONATEL | N/A (test page) | Apache 2.4.62 | N/A | Burkina Faso (196.28.243.151) | None |
| SONABEL | Unknown | Unknown | N/A | Africa (102.211.121.6) | Geo-blocked |
| SONABHY | Static (Netlify) | Netlify | N/A | US (AWS) | HSTS |
| Police | Joomla + K2 | Apache 2.4.51 | 7.3.32 | Unknown (Debian) | None |
| Police Academy | Unknown | Apache | N/A | US (PlanetHoster) | 403 |

**Key patterns:**
- Defense + Security = **shared TYPO3 infrastructure** (same PHP, same GA account UA-144182518)
- ANSSI = only Django site (Python > PHP for security)
- 3 sites use WordPress, 2 use Joomla, 2 use TYPO3, 1 uses Django
- Multiple PHP 7.3.x deployments — all end-of-life

### 4. Web Hygiene Issues
- **ONEA domain EXPIRED** (2025-05-17) — national water utility domain at risk of hijack
- **ONATEL shows default RHEL test page** — national telecom has no deployed website, just Apache defaults
- **ARCEP has WILDCARD DNS** — `*.arcep.bf` resolves to same IP, enables phishing/subdomain takeover
- **eauburkina.com** — `http://localhost/eauburkina` dev reference left in production JavaScript
- **Police Academy full cPanel stack exposed** — cpanel, whm, webmail, webdisk, ftp all publicly resolvable
- **ONATEL dbadmin subdomain** — database admin panel publicly resolvable
- **police.gov.bf** exposes X-Logged-In, X-Powered-By, full server version, Joomla session cookies
- **police.gov.bf** contains `contact@ytcvn.com` — Vietnamese contractor email in government police site
- **securite.gov.bf Content-Language set to "ab" (Abkhaz)** — should be "fr", copy-paste config error
- **presidencedufaso.bf** exposes PHPSESSID, 3 slider plugins (LayerSlider, RevSlider, WPBakery)
- **PHP 7.3.x on 3+ sites** — all past end-of-life (Dec 2021)

### 5. Government Structure Intelligence
- **22 ministries** as of Jan 2026 (down from 24)
- Key merges:
  - Agriculture + Environment/Water = **Ministry of Agriculture, Water, Animal and Fisheries Resources**
  - Infrastructure + Housing = **Ministry of Homeland Construction**
  - Civil Service renamed → **Ministry of Servants of the People** (propaganda-style naming)
  - Humanitarian Action → **Ministry of Family and Solidarity**
- **servicepublic.gov.bf** is the master government directory — lists all agencies with contact info
- **presidencedufaso.bf/les-sites-web-ministeriels/** — official list of all ministry websites
- **Shared gov web infrastructure confirmed:** Defense, Security, SIG all use TYPO3 + same GA account
- **SIG (Service d'Information du Gouvernement)** manages defense domain — press office controls military web

### 6. Critical Infrastructure Gaps
- **SONABEL (electricity)** — alive at 102.211.121.6 with own DNS (dns1-4.sonabel.bf) but geo-blocked from US
- **ONATEL (telecom)** — returns 403 test page, no actual website deployed despite being the TLD operator
- **ONEA domain expired** — national water utility at domain hijack risk
- Country imports **70% of electricity** from neighbors (Togo, Ghana, Côte d'Ivoire)
- Only **20% electrification rate** (5.49% rural, 86.21% urban)
- Water utility (ONEA) is the most digitally developed critical infra org (Cloudflare protected)

### 7. Domain & Hosting Intelligence
- `.bf` TLD has only ~2,018 registered domains — very small namespace
- ONATEL operates the `.bf` registry, ARCEP is the domain authority
- **ARCEP wildcard DNS** — `*.arcep.bf` resolves, meaning the domain authority has a DNS misconfiguration
- **Presidency hosted in Switzerland** (Infomaniak) — junta's website outside Africa
- **SONABHY hosted on Netlify** (US) — national fuel company on US static hosting
- **Police Academy hosted on PlanetHoster** (US) — law enforcement training on US hosting
- **ARCEP hosted in Burkina Faso** (196.43.247.56) — one of few in-country hosted sites
- **ONATEL hosted in Burkina Faso** (196.28.243.151) — in-country but showing test page

### 8. Telecom Landscape
- 3 mobile operators: **Orange** (48%), **Moov Africa/ONATEL** (43%), **Telecel** (10%)
- Orange dominates mobile internet at 67.7%
- **FasoNet** (ONATEL subsidiary) — dominant ISP for wired broadband
- ~50 ISPs licensed but only 3-4 actually compete
- AS numbers: ONATEL = AS25543, Orange BF = AS37577
- **ONATEL has 14 subdomains** including dbadmin, api, id, service, efacture — extensive infrastructure
- **ONATEL DMARC reveals personnel:** e.guigma@onatel.bf

### 9. State-Owned Enterprises
| SOE | Sector | Domain | Status | Hosting |
|-----|--------|--------|--------|---------|
| SONABEL | Electricity | sonabel.bf | Geo-blocked | Africa (102.211.121.6) |
| SONABHY | Hydrocarbons/Fuel | sonabhy.bf | UP | US (Netlify) |
| ONEA | Water & Sanitation | onea.bf | UP | US (Cloudflare/Bluehost) |
| SOFITEX | Cotton/Textiles | sofitex.bf | Unknown | — |
| SONAPOST/La Poste | Postal Service | sonapost.bf | Unknown | — |
| LONAB | National Lottery | lonab.bf | Unknown | — |
| CNSS | Social Security | cnss.bf | Unknown | — |
| CARFO | Civil Servant Pensions | carfo.bf | Unknown | — |
| BUMIGEB | Mining/Geology | bumigeb.bf | Unknown | — |
| ONATEL | Telecommunications | onatel.bf | 403 Test Page | BF (196.28.243.151) |

### 10. Email Intelligence
| Email | Source | Domain | Risk |
|-------|--------|--------|------|
| infos@defense.gov.bf | Web scraping | defense.gov.bf | LOW |
| infos@securite.gov.bf | Web scraping | securite.gov.bf | LOW |
| secretariat@arcep.bf | Web scraping | arcep.bf | LOW |
| sonabhy@sonabhy.bf | Website | sonabhy.bf | — |
| infos@ssi.gov.bf | Website | anssi.bf | — |
| sakman.zongo@ssi.gov.bf | Website | anssi.bf | — |
| web.anssi@ssi.gov.bf | Website | anssi.bf | — |
| e.guigma@onatel.bf | DMARC record | onatel.bf | — |
| infos@ikasolution.bf | WHOIS (ONEA) | onea.bf | LOW |
| youattara@ikasolution.bf | WHOIS (ONEA) | onea.bf | LOW |
| ismael.odg@ecodev.dev | WHOIS (Presidency) | presidencedufaso.bf | — |
| brice.s@cvp.bf | WHOIS (SONABEL) | sonabel.bf | — |
| dns_contact@fasonet.bf | WHOIS (ONATEL) | onatel.bf | — |
| contact@ytcvn.com | Police website | police.gov.bf | — |

---

## Target Summary by Sector

| Sector | Domains | Priority |
|--------|---------|----------|
| Presidency & Executive | 8 | HIGH |
| Military / Defense / Security | 5 | HIGH |
| Ministries | 21 | MEDIUM |
| Assembly / Judiciary / Oversight | 6 | MEDIUM |
| Gov Agencies | 18 | MEDIUM |
| Cybersecurity (ANSSI) | 1 | HIGH |
| Energy | 7 | HIGH |
| Hydrocarbons | 2 | HIGH |
| Water & Sanitation | 2 | HIGH |
| Telecoms & ISP | 12 | HIGH |
| State Enterprises | 18 | MEDIUM |
| Aviation | 4 | MEDIUM |
| Banking | 12 | LOW |
| Universities / Education | 7 | LOW |
| Media / Broadcasting | 16 | LOW |
| Investment / Economic | 3 | LOW |
| Legal / Professional | 4 | LOW |
| Religious / Community | 3 | LOW |
| Health | 4 | LOW |
| Private / Commercial | 30 | LOW |
| NGO / Civil Society | 8 | LOW |
| **Interesting Subdomains** | **64** | HIGH |
| **TOTAL** | **255** | |

---

## Per-Target Reports
| Target | Sector | Report |
|--------|--------|--------|
| SONABEL | Energy | [DUMP/SONABEL/SONABEL.md](DUMP/SONABEL/SONABEL.md) |
| ONEA | Water | [DUMP/ONEA/ONEA.md](DUMP/ONEA/ONEA.md) |
| ARCEP | Telecom Regulator | [DUMP/ARCEP/ARCEP.md](DUMP/ARCEP/ARCEP.md) |
| GOUVERNEMENT | Executive | [DUMP/GOUVERNEMENT/GOUVERNEMENT.md](DUMP/GOUVERNEMENT/GOUVERNEMENT.md) |
| ONATEL | Telecom | [DUMP/ONATEL/ONATEL.md](DUMP/ONATEL/ONATEL.md) |
| PRESIDENCE | Presidency | [DUMP/PRESIDENCE/PRESIDENCE.md](DUMP/PRESIDENCE/PRESIDENCE.md) |
| DEFENSE | Military | [DUMP/DEFENSE/DEFENSE.md](DUMP/DEFENSE/DEFENSE.md) |
| SECURITE | Internal Security | [DUMP/SECURITE/SECURITE.md](DUMP/SECURITE/SECURITE.md) |
| POLICE | Law Enforcement | [DUMP/POLICE/POLICE.md](DUMP/POLICE/POLICE.md) |
| POLICE-ACADEMY | Police Training | [DUMP/POLICE-ACADEMY/POLICE-ACADEMY.md](DUMP/POLICE-ACADEMY/POLICE-ACADEMY.md) |
| SONABHY | Fuel | [DUMP/SONABHY/SONABHY.md](DUMP/SONABHY/SONABHY.md) |
| ANSSI | Cybersecurity | [DUMP/ANSSI/ANSSI.md](DUMP/ANSSI/ANSSI.md) |

---

## THOT Domain Harvester Results
- **Total .bf entries from crt.sh:** 927
- **Unique root domains:** 298
- **Interesting subdomains:** 64 (mail, intranet, admin, autodiscover, ebank, cpanel, zabbix, git)
- **Domain ON (alive check):** 71+ alive (scan still running as of 2026-03-03)
- **Domain Intel scans completed:** 11 high-priority targets
- **Email Hunter scans completed:** 5 targets (14 emails discovered)

---

## Next Steps
- [ ] Wait for Domain ON to finish — pull complete alive domains list
- [ ] Validate all 255 domains — confirm which are live, geo-blocked, or dead
- [ ] DNS enumeration (A, AAAA, MX, NS, TXT, CNAME) across all targets
- [ ] Subdomain brute-force on gov.bf and key .bf domains
- [ ] Passive recon (Shodan, Censys) for IP ranges, open ports, services
- [ ] robots.txt / sitemap.xml harvesting on all live sites
- [ ] Wayback Machine snapshots for historical analysis
- [ ] Google dorking: `site:gov.bf filetype:pdf|doc|xls|env|sql|bak|conf`
- [ ] WordPress/Joomla/TYPO3 version fingerprinting
- [ ] SSL/TLS certificate analysis (cert transparency logs)
- [ ] WHOIS on all .bf domains
- [ ] ASN mapping — map all gov/crit-infra IPs to AS numbers
- [ ] Check for exposed admin panels (/wp-admin, /administrator, /typo3)
- [ ] Enumerate eservices.cnss.bf, econcours.bf, alias.gov.bf (user-facing portals)
- [ ] Probe sif.bf (new land platform — likely fresh, less hardened)
- [ ] Investigate ARCEP's wildcard DNS and bbPress forum
- [ ] Probe ONATEL dbadmin.onatel.bf, api.onatel.bf, id.onatel.bf
- [ ] Probe SONABHY elearning.sonabhy.bf, cms.sonabhy.bf
- [ ] Probe Police Academy moodle.academiedepolice.bf, bibliotheque
- [ ] Map shared GA account UA-144182518 across all gov.bf sites
- [ ] Try SONABEL from West African VPN exit node
- [ ] Run Huntr against full target list
- [ ] Document exposed credentials in `EXPOSED CREDENTIALS/`
- [ ] Write final report in `REPORTS/`
