Cyber Incident Victim: Prime Minister of Sri Lanka
Date: Aug 2015
Location: Sri Lanka
Summary
The official website of Sri Lanka's Prime Minister was compromised by a hacktivist operating under the alias Dr.MwNs, who defaced the homepage with a "#ForSyria" message and played an Islamic devotional song. The attacker, known for breaching hundreds of Turkish websites and previously accessing Bhutan Telecom's servers, replaced the site's content with a "Hacked by Dr.MwNs" notice. Evidence from the hacker's social media indicated Arabic proficiency and prior intrusions, including compromising infrastructure linked to Google's Bhutan domain. The defacement remained active at the time of initial reporting, demonstrating the perpetrator's pattern of targeting governmental and telecommunications entities.
Description
On August 5, 2015, the official website of Sri Lankan Prime Minister Ranil Wickremesinghe’s office (pmoffice.gov.lk) was compromised by a hacktivist operating under the alias Dr.MwNs. The attacker replaced the homepage with a defacement page displaying a "Hacked by Dr.MwNs" message and played Maher Zain’s "Thank You Allah" song automatically for visitors. The breach was publicly documented through a Zone-H mirror entry (ID 24670165), which archives website defacements. Analysis of the hacker’s Zone-H submission history revealed prior compromises of hundreds of Turkish websites, while their Twitter account (@DrMwNs) showed evidence of unauthorized access to Bhutan Telecom Ltd’s servers, which subsequently provided entry to Google’s Bhutan domain. The hacker’s Arabic-language tweets and use of the #ForSyria hashtag suggested alignment with Syrian causes, though no explicit political demands were made on the defacement page itself. The attack disrupted public access to official government information and services hosted on the prime minister’s website.

The incident exposed vulnerabilities in Sri Lanka’s governmental digital infrastructure, with the website remaining defaced at the time of initial media reporting. No immediate containment actions or technical responses from Sri Lankan authorities were documented in available sources. The hacker’s modus operandi focused on reputation damage through visible defacements rather than data theft or destructive attacks. Historical patterns from Dr.MwNs’ activities indicated a preference for high-profile targets across multiple nations, with Turkish and Bhutanese entities among previously affected systems. The compromise of Google’s Bhutan domain via third-party telecom infrastructure demonstrated the attacker’s capability to exploit supply-chain weaknesses. The prime minister’s website served as both an operational platform and symbolic target, amplifying the psychological impact of the breach despite limited technical sophistication in the defacement itself.
