Sri Lanka state email domain attacked by ransomware, lost 4 months data
The Sri Lanka "gov.lk" email domain, utilized by all government offices, including the Cabinet Office, suffered a massive ransomware attack resulting in the loss of critical data spanning from May 17 to August 26, 2023. This incident has been officially confirmed by the Information and Communication Technology Agency (ICTA) of Sri Lanka.
The attack is estimated to have affected around 5,000 email addresses. Apparently no offline backup existed for the data from the two-and-a-half-month period in question, so users were unable to recover any emails from that timeframe. Notably, the Cabinet Office, a component of the Lanka Government Network (LGN), was among the affected entities; it uses the mail@gov.lk email domain.
In the aftermath of the attack, ICTA is implementing remedial measures. These include the initiation of daily offline backup routines and an upgrade of the relevant email application to the latest version equipped with enhanced security measures against virus attacks. Collaboratively, the Sri Lanka Computer Emergency Readiness Team (SLCERT) is working closely with ICTA to explore avenues for recovering the lost data.
The LGN, a government-owned private network designed to provide cost-effective and secure communication among government organizations, has been operational since 2007. It initially ran Microsoft Exchange 2003 and was later upgraded to Microsoft Exchange 2013, which remained in use until the ransomware attack. This outdated version was found to be vulnerable to various types of cyberattacks.
A user of the gov.lk domain reported receiving suspicious links via their official email in the weeks leading up to the attack, suggesting phishing as a potential entry point for the ransomware. ICTA had planned since 2021 to upgrade the email system to a more secure version, but faced constraints related to funding limitations and previous board decisions.
Following the ransomware attack on August 26, the entire system was encrypted, rendering it inaccessible. Although ICTA had maintained backups in the LGN cloud, the encryption extended to those online backup systems as well, further complicating recovery efforts. The system was ultimately restored within 12 hours of the attack, but data from the two-and-a-half-month period remained irretrievable.
As a result of this data loss, certain older emails are permanently gone, but essential services were eventually restored, Mr. Perera assured. ICTA has been inundated with user complaints seeking full access to the email service, with the lack of regular backups being attributed to "administrative problems."