Cyber Incident Victim: NIC.lk
Date: Feb 2021
Location: Sri Lanka
Summary
A hacktivist group compromised multiple Sri Lankan domains by altering their DNS records, redirecting visitors to a webpage addressing social grievances including press freedom, political corruption, and minority rights issues. High-profile domains such as Google.lk and Oracle.lk were among those affected, displaying the message for several hours before the records were corrected. The country's domain registry, NIC.lk, acknowledged the incident and resolved it within hours, while the national telecommunications regulator confirmed the attack without disclosing the full list of impacted domains. The disruption occurred shortly after the nation's Independence Day celebrations and, despite its brief duration, drew public attention through social media reports.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 6, 2021, a group of unidentified hacktivists compromised multiple Sri Lankan websites under the .lk country-code top-level domain. Rather than breaching the websites' own servers, the attackers altered the DNS records for several domains so that visitors were redirected to a defacement page displaying a message about social and political grievances within Sri Lanka. High-profile domains affected included Google.lk and Oracle.lk, alongside local business and news websites. The defaced page specifically referenced concerns about the tea industry, press freedom, alleged government corruption, judicial system flaws, and racial, minority, and religious tensions. The incident occurred two days after Sri Lanka's Independence Day on February 4, consistent with the message's nationalistic undertones. The attack began in the early morning hours of February 6 and persisted for several hours before mitigation began.

NIC.lk, the registry managing Sri Lanka's .lk domain space, publicly acknowledged the incident on its website, confirming a disruption to its domain registration system that impacted "a few domains." The organization stated it addressed the issue "expeditiously," restoring normal operations by approximately 8:30 a.m. local time on February 6. The Telecommunications Regulatory Commission of Sri Lanka corroborated the incident in an official tweet but did not disclose technical details or the total number of compromised domains. NIC.lk did not respond to media inquiries regarding the attack vector or attribution, so how the records were changed remains unconfirmed. Public awareness of the incident spread through social media, with multiple users reporting the redirections during the active window. No additional technical impacts, such as data breaches or prolonged service outages, were reported once the DNS records were restored, although users whose resolvers had cached the altered records could have continued to see the defacement page until those cache entries expired.
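The detection angle a practitioner would want for this class of incident is a baseline comparison of DNS answers: a registry-level change shows up as many unrelated domains suddenly resolving to the same unexpected address. The following is an added example, not code from NIC.lk or from the original page; the domain names and IP addresses are constructed (RFC 5737 documentation ranges) and the observation set stands in for what a resolver would have returned during the incident window.

```python
"""Baseline-drift check for a mass DNS record hijack.

Added example with constructed data; it runs offline. In production the
OBSERVED dictionary would be filled from live resolver answers (for instance
dnspython's dns.resolver.resolve(name, "A")) and BASELINE from a stored
snapshot of each domain's known-good records.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed baseline: known-good A records per domain (hypothetical names/IPs).
BASELINE: Dict[str, Set[str]] = {
    "example-a.lk": {"192.0.2.10"},
    "example-b.lk": {"192.0.2.20", "192.0.2.21"},
    "example-c.lk": {"198.51.100.5"},
    "example-d.lk": {"198.51.100.9"},
}

# Constructed observations: three unrelated domains now point at one new host,
# the fan-in pattern of a single defacement page behind a registry-level change.
OBSERVED: Dict[str, Set[str]] = {
    "example-a.lk": {"203.0.113.77"},
    "example-b.lk": {"192.0.2.20", "192.0.2.21"},
    "example-c.lk": {"203.0.113.77"},
    "example-d.lk": {"203.0.113.77"},
}


def drifted(baseline: Dict[str, Set[str]],
            observed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return, per domain, any observed A records that are not in the baseline.

    A domain that is missing from `observed` (e.g. NXDOMAIN or a resolver
    timeout) produces no drift entry; that is a separate availability signal.
    """
    out: Dict[str, Set[str]] = {}
    for domain, expected in baseline.items():
        unexpected = observed.get(domain, set()) - expected
        if unexpected:
            out[domain] = unexpected
    return out


def fan_in(drift: Dict[str, Set[str]], min_domains: int = 2) -> Dict[str, List[str]]:
    """Group unexpected addresses that several distinct domains now share.

    Ordinary hosting moves change one domain at a time; a single new address
    absorbing many unrelated domains is the signature of a mass redirection.
    """
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for domain, ips in drift.items():
        for ip in ips:
            by_ip[ip].append(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


def assess(baseline: Dict[str, Set[str]],
           observed: Dict[str, Set[str]],
           min_domains: int = 2) -> dict:
    """Combine the two checks into a single verdict for an alerting pipeline."""
    drift = drifted(baseline, observed)
    shared = fan_in(drift, min_domains)
    return {
        "drifted": drift,
        "shared_destinations": shared,
        "likely_mass_hijack": bool(shared),
    }


if __name__ == "__main__":
    verdict = assess(BASELINE, OBSERVED)
    for domain, ips in sorted(verdict["drifted"].items()):
        print(f"DRIFT {domain}: unexpected A records {sorted(ips)}")
    for ip, domains in verdict["shared_destinations"].items():
        print(f"FAN-IN {ip} now serves {len(domains)} baseline domains: {domains}")
    print("likely mass hijack:", verdict["likely_mass_hijack"])
```

Two design points: the check keys on the *set difference* rather than on equality, so a legitimate additional record added by a domain owner is flagged once and can be baselined, while a wholesale replacement is flagged for every affected domain; and the fan-in threshold is what separates a noisy single-domain migration from the many-domains-to-one-host pattern seen here. Querying several independent resolvers and diffing their answers against each other would additionally distinguish a change made at the authoritative or registry level (all resolvers agree on the new answer) from poisoning of one resolver's cache.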
