Ransomware Attack Wipes Out Sri Lankan Government Emails5,000 Email Accounts Affected by Attack on 2013 Version of Microsoft Exchange
A major ransomware attack on the Sri Lankan government's cloud infrastructure compromised approximately 5,000 government email accounts and wiped out numerous emails that had not been protected by offline backups. The agency said some employees lost three months of email messages.
The island nation's Information and Communication Technology Agency said the ransomware attack on Aug. 26 affected the email accounts and data belonging the President's Office, Cabinet Office, Ministry of Education and Ministry of Health.
Affected ministries used the government's Lanka Government Network, which hosts the
gov.lk domain. LGN ran on the obsolete Microsoft Exchange Version 2013, which reached end of life in April of this year.
"Initially, we used Microsoft Exchange Version 2003. The email facility was given to government offices. In 2014, it was upgraded to Microsoft Exchange Version 2013," ICTA CEO Mahesh Perera told local media agencies. "This was in use 'til the attack. But that version is now obsolete, outdated and vulnerable to various types of attacks," he said.
Perera said the government has been trying to upgrade the Lanka Government Network to the latest Exchange version since 2021 but has been "constrained by fund limitations and certain previous board decisions."
Sampath de Silva, ICTA's director of strategic communications, said the ransomware attack led to the encryption of the email server and the loss of crucial government information because the network was backed up between May 17 and Aug. 26.
He said the emails sent and received by government ministries and offices in the three months may be lost forever as the malicious actors also encrypted the online backups for the LGN server.
Perera said the Lanka Government Network was restored within 12 hours after the ransomware attack was discovered, and the agency has initiated a daily offline backup process alongside updating the system to the latest version.
According to Sri Lanka's Sunday Times, a spear-phishing email was possibly the source of the ransomware attack.
Sri Lanka's Ministry of Technology announced on Wednesday that it has ordered an investigation into the impact on the government's email systems. State Minister of Technology Kanaka Herath entrusted the ICTA and the Sri Lanka Computer Emergency Readiness Team to prepare a report on the incident and submit it within two weeks.
The ministry said the investigation will determine the extent of the breach and its ramifications for intra-governmental communication and the extent of data loss incurred by government agencies. It also will estimate the financial value associated with the data loss.
The government investigation also will review steps taken so far by ICTA to defend against similar attacks in the future. The Sri Lanka Computer Emergency Readiness Team on Monday announced that it had begun investing the ransomware attack.
The Estonia-based e-Governance Academy's National Cyber Security Index, which measures how prepared central governments are to prevent and manage cyberthreats, ranked Sri Lanka 13th out of 23 Asia-Pacific countries and 83rd out of 175 countries worldwide in 2023.
The index ranked the island nation 117th on information and communication technology development as well as on metrics such as cyber crisis management, protection of personal data, and e-identification and trust services.