The Inter-Ministerial Committee (IMC) overseeing information and technology affairs in Sri Lanka has recently encountered a significant cyber attack. The CEO of the government’s Information and Communication Technology Agency (ICTA), Mahesh Perera, has confirmed the attack and the resulting data loss.
On August 26, speculation arose that a cybercriminal had deployed ransomware, encrypting the entire ICTA website. The attack had a widespread impact, affecting every Sri Lankan government office that uses the gov.lk email domain. As a result, these offices lost access to their emails.
Fortunately, the ICTA website was successfully restored within just 12 hours after the attack was detected. However, due to the time it took to restore the systems, the lost emails could not be recovered in time. This loss of email data spans the period between May 17, 2023, and August 26, 2023.
According to Mahesh Perera, the email facility used by government offices originally ran on Microsoft Exchange Version 2003. It was later upgraded to Microsoft Exchange Version 2013, which was in use at the time of the attack. That version is now recognised as obsolete, unsupported, and vulnerable to various types of attacks.
The use of legacy systems poses a significant risk to data security, as older versions no longer receive essential security updates. In ICTA's case, the outdated software played a role in exposing sensitive emails to cyber attack. To mitigate such risks, staff had been urged to upgrade to Microsoft 365, Office 365, or Exchange 2019 before February 2023.
The ICTA cyber attack has also affected the Cabinet Office emails, with a total of 5,000 email addresses suspected to have been impacted. Currently, no ransomware group has claimed responsibility for the email encryption.
Unfortunately, the ICTA held no offline backups of the emails, leaving them exposed to permanent loss in the event of a cyber attack. The delay in system upgrades has been attributed to administrative problems, which further exacerbated the data loss.
While it is suspected that the attack was carried out by a ransomware group, it is not yet clear which specific group or hacker breached Sri Lanka’s ICTA systems. The Cyber Express, a cybersecurity news outlet, checked the website and found it accessible. They reached out to the agency for additional details and are awaiting a response.
Apart from the loss of email data, online backup systems were also corrupted due to the cyber attack on ICTA. In response to this security incident, the agency has decided to take offline backups daily and upgrade their applications as a best practice for enhanced security.
Efforts are underway to recover the lost emails. The Sri Lanka Computer Emergency Readiness Team (SLCERT) is actively working on the data restoration process. Additionally, ICTA and the Cabinet office use the Lanka Government Network (LGN), a government-owned private network known for its cost-effectiveness and security. However, the encryption of the server has left the LGN cloud backups inaccessible.
Users of ICTA's services have been experiencing minimal service since the ransomware attack and have been urging the agency to restore their access. The agency is working to address the technological lag and staffing shortages in order to limit the effects of the security breach.
In conclusion, the cyber attack on Sri Lanka’s ICTA has resulted in significant data loss, including the loss of emails exchanged between May 17, 2023, and August 26, 2023. The attack, suspected to be carried out by a ransomware group, affected government offices across the country. The incident highlights the importance of regularly updating and securing systems to prevent such attacks. Efforts are underway to recover the lost data and enhance security measures to prevent future incidents.
