Between May 17 and August 26, 2023 [3] [5] [6] [7] [8], a major ransomware attack targeted government offices in Sri Lanka [5] [8], resulting in severe data loss and raising concerns about the country’s cybersecurity measures.

Description

The attack specifically targeted government offices under the President’s Office, Cabinet Office [2] [3] [4] [5] [6] [7], Ministry of Education [5] [6] [7], and Ministry of Health [5] [6] [7]. Approximately 5,000 email addresses using the “gov.lk” domain were impacted, highlighting the vulnerability of the government’s digital infrastructure [5] [8], particularly the Lanka Government Cloud (LGC) and its “mail@gov.lk” email domain [8].

The attack originated from suspicious links received by a user with a gov.lk domain email address [1]. The attackers quickly encrypted LGC services [1], affecting all 5,000 email addresses [1] [4]. Although the system was restored within 12 hours [1] [2], data from May 17 to August 26, 2023 [1] [4], was permanently lost due to the attack. The incident revealed the lack of offline backup for the critical two-and-a-half-month data period [8], exacerbating the damage caused [8].

In response to this incident, measures are being implemented to prevent future data loss [8]. These include daily offline backup processes and upgrading relevant applications with enhanced defenses against virus attacks [3] [5] [6] [8]. The Sri Lanka Computer Emergency Readiness Team (SLCERT) and the Information and Communication Technology Agency (ICTA) are collaborating to recover the lost data [6].

The Cabinet Office and other entities in the Lanka Government Network (LGN) were impacted [3]. The LGN is a Government-owned private network that connects Government organizations in a cost-effective and secure manner [2] [3]. The email facility used by government offices was initially provided through Microsoft Exchange Version 2003 and was later upgraded to Version 2013 [3]. However, this version is now considered obsolete and vulnerable to various types of attacks [3].

The ransomware attack occurred on August 26 [1] [2], encrypting the site and corrupting the server and online backup systems [2]. While the system was restored within 12 hours [1] [2] [4], two-and-a-half months of data storage were lost [2]. The lack of regular backups was attributed to administrative problems [2].

Conclusion

The ransomware attack on Sri Lanka’s government offices had significant impacts, resulting in severe data loss and exposing vulnerabilities in the country’s cybersecurity measures. The incident highlighted the need for offline backups and the upgrading of outdated applications to enhance defenses against attacks.

Efforts are underway to recover the lost data, with the collaboration of the Sri Lanka Computer Emergency Readiness Team and the Information and Communication Technology Agency [6]. Additionally, the government has introduced cybersecurity legislation to address concerns and improve measures.

It is crucial for organizations and the public to remain vigilant, as evidenced by warnings from the Sri Lanka Computer Emergency Readiness Team about fraudulent text messages claiming to be from financial institutions.

Furthermore, the brain drain caused by the economic crisis poses challenges for the organization, necessitating the recruitment of new staff to maintain effective cybersecurity measures in the future.

References

[1] https://www.the420.in/sri-lanka-government-cloud-hack-cybersecurity-ransomware/
[2] https://srilankamirror.com/news/massive-ransomware-attack-on-state-email-domain/
[3] https://www.lankaxpress.com/major-ransomware-attack-strikes-sri-lankas-government-email-system/
[4] https://www.infosecurity-magazine.com/news/ransomware-sri-lanka-government/
[5] https://asianmirror.lk/news/item/35453-ransomware-attack-hits-sri-lankan-government-offices,-leading-to-severe-data-loss
[6] https://www.newswire.lk/2023/09/11/sl-govt-emails-missing-after-massive-ransomware-attack/
[7] https://www.newsfirst.lk/2023/9/10/massive-ransomware-attack-on-state-email-domain-icta
[8] https://telo.org/ransomware-attack-hits-sri-lankan-government-offices-leading-to-severe-data-loss/