Investigation Launched into Large-Scale Extortion Cyber Attack on Sri Lanka Government Cloud System
An investigation has been launched in Sri Lanka following a large-scale extortion cyber attack on the government cloud system, Lanka Government Cloud (LGC). The attack, which affected the LGC services and reserve systems, was confirmed by the Center for the response to computer incidents and coordination of Sri Lanka (Cert-CC) in a social media post.
The attack is believed to have started on August 26th, when a user of the GOV.LK domain reported having received suspicious links over several weeks. It is suspected that an employee inadvertently clicked on one of these links, which led to the attackers encrypting the LGC services and reserve systems.
Mahesh Perera, the head of the Sri Lanka Information and Communication Technology Agency (ICTA), revealed that all 5,000 email addresses using the GOV.LK domain, including those of the Cabinet of Ministers, were targeted in the attack. While the system and backup copies were restored within 12 hours, the affected accounts have irretrievably lost information from May 17 to August 26, 2023.
Perera further highlighted that the LGC system, which was initially launched in 2007 based on Microsoft Exchange 2003, was overdue for an update. The mail server was last updated in 2014 to Exchange 2013, but it has now become evident that this version is outdated and highly vulnerable.
The ICTA had planned to update the LGC system to the latest version from 2021, but the decision was repeatedly postponed due to limited funding and previous management decisions. Following the attack, the agency has initiated a security overhaul, including daily autonomous backups and upgrading the mail server to the latest version.
This incident has shed light on the Sri Lankan government’s insufficient promotion of cybersecurity measures in both state institutions and the private sector. The country ranks 83rd out of 175 in the index of national cybersecurity by the Estonian Academy of Estonia.
In June 2023, the Sri Lanka government introduced long-awaited cybersecurity legislation, which will establish the first national cybersecurity body.
This incident serves as a reminder that many organizations often underestimate the importance of basic cybersecurity measures, such as regular data backups