
Cyber Incident Victim: Lanka Government Network

Date: Aug 2023

Location: Sri Lanka

Summary

A ransomware attack hit the Lanka Government Network, specifically the servers behind the gov.lk email domain. The attackers encrypted the mail servers, and because the online backups were reachable from the compromised system and were encrypted as well, roughly two and a half months of email (mid-May to 26 August 2023) was permanently lost for thousands of government addresses, including the Cabinet Office. The outdated email application, an unsupported version of Microsoft Exchange, was identified as the likely point of entry.

CIA Posture: available to members
Motives: 3 motives (available to members)
Tactics, Techniques & Procedures: 1 technique (available to members)
Threat Actors: 0 actors
Actor Type: available to members
Actor Location: available to members

Description

A ransomware attack targeted the Lanka Government Network, affecting every government office that uses the "gov.lk" email domain. The incident culminated on the morning of August 26, 2023, with the complete encryption of the system and the loss of all mail from May 17 to August 26 of that year. The Information and Communication Technology Agency (ICTA), which maintains the network, confirmed the breach. The attack impacted a wide array of government institutions, including the Cabinet Office, which relies on a gov.lk address for its communications. The Lanka Government Network is a government-owned private network established in 2007 to connect government organizations in a cost-effective and secure manner and to provide them with email services.


The ransomware was estimated to have affected approximately five thousand email addresses. According to the ICTA CEO, Mahesh Perera, the root cause of the extensive data loss was the absence of an offline backup for the affected period. The only backups were online copies that remained reachable from the primary server; when the primary server was encrypted, the encryption propagated to those online backups too, so they held the same unreadable data. Consequently, users permanently lost all email sent and received during the two-and-a-half-month window from mid-May to late August. The system was restored to operational status within twelve hours of the encryption event and an older backup was reinstated, but that backup predated the lost period, which is why users continued to complain about missing messages.

The weakness that facilitated the attack was linked directly to the obsolete software underpinning the email service. The ICTA CEO explained that the network had run Microsoft Exchange Server 2003 since its inception. This was upgraded to Exchange Server 2013 in 2014, and that version remained in production until the day of the attack. By 2023 it was obsolete: Exchange Server 2013 reached the end of Microsoft's extended support in April 2023, so it was no longer receiving security updates when the attack occurred and was exposed to publicly known vulnerabilities. The agency had identified the need to move to a supported, modern version as early as 2021, but those plans stalled because of financial constraints and earlier board decisions, leaving the entire government email system exposed to known threats.

The suspected initial access vector was a phishing campaign in the weeks before the main incident. One gov.lk user reported that their official account had been receiving numerous suspicious links over that period, and it is believed that a user within the network clicked one of them, giving the attackers their foothold; the source does not identify the user, the link, or the malware involved. This pattern is typical of ransomware operations: human error provides initial access, the attackers then move to the mail infrastructure, and the encryption payload is deployed across every system reachable from there, including any backup storage that the compromised server can write to.

In the aftermath, the ICTA, together with the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT), began investigating the breach and attempting to recover the lost data. The main effort, however, shifted to corrective measures to prevent a recurrence. These include a daily offline backup procedure, so that a copy of the data exists that is isolated from the primary network and cannot be reached, and therefore cannot be encrypted, by an attacker who compromises the mail servers. The agency is also moving the email application to the latest available version, which has stronger defenses against malware and ransomware than the unsupported release it was running.
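The two paragraphs above describe the failure (a backup that faithfully mirrored the encrypted primary) and the fix (an isolated copy). The following is an added example, not ICTA's tooling and not code from the original page: it models a pull-style backup job that writes each run into a new, never-overwritten snapshot, records a hash manifest so a copy can be checked for integrity later, and refuses to retire old snapshots when the newest run rewrote most files since the previous one, which is what a mass-encryption event looks like to a backup job. The mailbox files, snapshot labels and the 50% threshold are constructed for the demonstration.

```python
"""Append-only backup snapshots with a mass-change tripwire.

Added example (not ICTA's own code). Assumptions, all constructed for
the demo: a small on-disk "mail store", date-labelled snapshot
directories, and a 50% changed-file threshold for the tripwire.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel == MANIFEST:  # the manifest never hashes itself
                continue
            manifest[rel] = sha256_file(full)
    return manifest


def take_snapshot(source: str, backup_root: str, label: str) -> str:
    """Copy source into a new snapshot directory and write its manifest.

    Append-only: an existing label is an error, never an overwrite, so a
    later (possibly encrypted) run cannot replace an earlier good copy.
    """
    dest = os.path.join(backup_root, label)
    if os.path.exists(dest):
        raise FileExistsError(f"snapshot {label} exists; snapshots are immutable")
    shutil.copytree(source, dest)
    with open(os.path.join(dest, MANIFEST), "w") as f:
        json.dump(build_manifest(dest), f, indent=1, sort_keys=True)
    return dest


def load_manifest(snapshot_dir: str) -> dict:
    with open(os.path.join(snapshot_dir, MANIFEST)) as f:
        return json.load(f)


def verify_snapshot(snapshot_dir: str) -> bool:
    """Re-hash the copy and compare with the manifest written at backup time."""
    return build_manifest(snapshot_dir) == load_manifest(snapshot_dir)


def changed_fraction(old: dict, new: dict) -> float:
    """Share of files in the older snapshot that are missing or altered in the newer one."""
    if not old:
        return 0.0
    changed = sum(1 for rel, digest in old.items() if new.get(rel) != digest)
    return changed / len(old)


def safe_to_prune(backup_root: str, threshold: float = 0.5) -> bool:
    """Allow retiring old snapshots only if the newest run is not a mass rewrite
    of the previous one. Normal mail traffic changes a few files per day;
    ransomware changes nearly all of them at once."""
    labels = sorted(d for d in os.listdir(backup_root)
                    if os.path.isdir(os.path.join(backup_root, d)))
    if len(labels) < 2:
        return True
    prev = load_manifest(os.path.join(backup_root, labels[-2]))
    cur = load_manifest(os.path.join(backup_root, labels[-1]))
    return changed_fraction(prev, cur) < threshold


def run_demo() -> dict:
    """Constructed scenario: clean snapshot, then every file overwritten with
    random bytes (how encrypted mail looks to a backup job), then a second snapshot."""
    work = tempfile.mkdtemp(prefix="lgn-demo-")
    src, backups = os.path.join(work, "mailstore"), os.path.join(work, "backups")
    os.makedirs(os.path.join(src, "cabinet"))
    os.makedirs(backups)
    for i in range(5):
        with open(os.path.join(src, "cabinet", f"msg{i}.eml"), "w") as f:
            f.write(f"Subject: memo {i}\n\nconstructed sample message {i}\n")
    s1 = take_snapshot(src, backups, "2023-08-25")
    for name in os.listdir(os.path.join(src, "cabinet")):  # simulate encryption
        with open(os.path.join(src, "cabinet", name), "wb") as f:
            f.write(os.urandom(256))
    s2 = take_snapshot(src, backups, "2023-08-26")
    result = {
        "s1_intact": verify_snapshot(s1),
        "s2_intact": verify_snapshot(s2),
        "changed": changed_fraction(load_manifest(s1), load_manifest(s2)),
        "prune_allowed": safe_to_prune(backups),
    }
    try:
        take_snapshot(src, backups, "2023-08-25")
        result["overwrite_blocked"] = False
    except FileExistsError:
        result["overwrite_blocked"] = True
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(run_demo())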

The incident also exposed broader systemic problems within the agency responsible for the nation's critical IT infrastructure. Internal administrative problems were cited as the reason regular backups had not been maintained. These operational shortcomings occurred against a backdrop of a significant brain drain at the ICTA, mirroring a national trend triggered by the country's ongoing economic crisis. The loss of experienced personnel created a capacity gap, forcing the agency to recruit and train new staff while simultaneously handling a major cybersecurity incident and its fallout. Outdated technology, insufficient funding for crucial upgrades, administrative challenges, and a reduced workforce combined into a set of weaknesses that a ransomware attack ultimately exploited, leading to a substantial and irreversible loss of government data.
