The worrying state of Cybersecurity in Sri Lanka

On February 6th, 2021 many users’ traffic to GOOGLE.LK and a few other websites under the LK Domain Registry redirected to a propaganda page in what seemed to be the work of hacktivists. The page drew attention to several contemporary national issues. Although the media reported the websites themselves have been hacked, the hackers had spoofed the DNS records for the websites affected instead. (What’s DNS and what’s DNS Spoofing?) We are lucky that the attack was just a malicious redirect. However, the continuous and successful cyberattacks mounted against Sri Lanka and our responses so far indicate the country’s cybersecurity is in a worrying state. Keep on reading to learn why? (Read my previous blog post “I’m sticking with WhatsApp: Here’s Why?” if you missed it.)

Sri Lanka isn’t taking Cybersecurity Seriously

The attack on the 6th wasn’t the first time the cybercriminals penetrated the LK Domain Registry’s network. On January 27th, 2013 they mounted an SQL Injection attack which yielded the control of a few top-level domains into their hands. Below is an inclusive list of other attacks in chronological order.

• 01.05.2009 LTTE propagandists defaced the ARMY.LK website
• 22.11.2012 Hacker “Broken Security” breached the President’s web server
• 26.01.2013 Hacker “Davy Jones” defaced three websites operated by the government
• 13.02.2013 “Davy Jones” defaced a website operated by a Sri Lankan consulate
• 26.09.2015 A teenager defaced former President Maithripala Sirisena’s website twice
• 17.05.2020 LTTE Propagandists defaced five websites ending in LK and COM
• 23.05.2020 SLT’s internal computer network was overrun by the “REvil” ransomware

These attacks were successful mainly because the targets were running outdated software. In a report carried out by the News First Website on May 31st, 2020 another local IT group also warned that most websites in Sri Lanka run on top of outdated software. This widespread trend indicates we are not taking cybersecurity seriously.

Sri Lanka is bad at proactive Cybersecurity

Followed by the ransomware attack on its internal computer network Sri Lanka Telecom released an official communique clarifying the situation to its customers. It’s worthwhile to understand why the attack was successful because in the communique the management shamelessly bragged about how they cleaned up the mess after the attack although they could have stopped the attack on its heels.

Our vigilant early warning systems detected the attempt and precautionary measures with the shutdown of some servers were implemented without delay. These servers are isolated and corrective action is being taken. There is no impact to any system that is used to provide SLT services. Thus, there is no risk to any services offered to our customers and also there is no risk to the customer information. System experts are attending to the issue and have already identified all the areas and SLT internal services will be restored in a short time. Our expert teams have detected the threat at a very early stage and successfully isolated the problem.

Management – Sri Lanka Telecom

According to Wezen Group, the “REvil” ransomware exploits a vulnerability in Windows Server 2012 R2 which Microsoft fixed three years ago (KB4471320). SLT could have thwarted the ransomware attack on its internal computer network had they patched its server operating systems on time. (This makes us rethink the safety of our information because important financial bodies like the Hatton National Bank and Commercial Bank of Ceylon are hosting their websites also with SLT.) The fact that SLT as a semi-government telecommunications company failed to prevent a major attack indicates we are not good at proactive security as much as we are at reactive security.

Sri Lanka is clueless about Cybersecurity

On February 10th, 2021 in response to an advertisement for “SLT Storage” (SLT’s Cloud Storage Service) that appeared on Facebook I inquired whether it supports encryption. It was a simple yes or no question but their response was “Hi Yohan, Thanks for getting in touch, please inbox your requirement and the phone number we can contact. thank you.”

A few others also inquired and this time SLT responded saying “Hi, Thanks for your Interest. Please refer to the attached link for more details. www.slt.lk/storage” – The said link however stated nothing about encryption. After I told them that they said end-to-end encryption is available. As far as I know, end-to-end encryption protects data on transmission only. Not the data stored in the server. That allows a cybercriminal gaining access to the servers to access my data also. Apparently, either the SLT marketing team is clueless about their product or there’s no encryption at all. Below is another interesting story that the CEO of a firm specializing in information security shared with Roar Media a leading media platform in the country.

A few years ago, we were demonstrating how our data operations centres use surveillance software to scan a network for vulnerabilities. The client was a very large financial institution servicing thousands of customers. While we were doing this, in real-time in their conference room, we spotted a stream of data moving out of one of the company laptops to a foreign country. And the laptop in question? It happened to be in the room — it belonged to the head of systems security!

Romeish de Mel, CEO – Flix 11

The chief of security didn’t know someone is stealing sensitive data right under his nose. SLT doesn’t know how secure its cloud solutions are. This atmosphere indicates we are clueless about cybersecurity.

In Sri Lanka Cybersecurity is an afterthought

By now, you must be familiar with the “Stay Safe” app developed and launched by two voluntary software engineers under the guidance and support of government-owned ICTA (short for Information and Communication Technology Agency) to help prevent the spread of COVID-19. More details of the app are available here. Although a noble contribution to the country’s future, on December 15th, 2020 Roar Media reported the vulnerabilities in the app could endanger the privacy of any citizen using the app. One of these vulnerabilities allowed anyone to check submitted information on the service with an API call. (Short for Application Programming Interface, it allows two applications to communicate with one another to access data, helping software developers to save time and effort.)

According to the same report ICTA later confirmed it patched this vulnerability. However, this was a very simple loophole ICTA had failed to identify before opening the app to the general public. If it neglected a flaw as simple as an Unauthorized API Call how can we trust it to guard our personally identifiable information against more sophisticated threats? A vulnerability in an app developed at a national level to deal with citizen data, whose development and maintenance is overseen by a government agency indicates we believe cybersecurity is a mere afterthought.

Wrap Up

In a country where digitalization is effectively being encouraged at a national level all of the issues mentioned above stress the worrying state of our country’s cybersecurity — which in turn begs the question: are we truly prepared for a digital Sri Lanka?

Update: HSBC Sri Lanka Website Impersonated

Although the attack on the LK Domain Registry initially appeared to be nothing more than a malicious redirect Twitter user Duminda (@dumindaxsb) revealed attempts by one IP address at impersonating the HSBC Sri Lanka website in a similar fashion (in addition to serving a malicious file to Windows PCs from GOOGLE.LK which aimed to exploit Internet Explorer the browser used in most of Government Institutes). Was the attack on the LK Domain Registry a distraction while the HSBC Sri Lanka website was the real target? I do not know.

---

If you found this content helpful, I kindly ask you to leave your feedback in the comments section below. Sharing it on social media would also be greatly appreciated. In order to promote meaningful and respectful dialogue, I request that you use your full name when commenting. Please note that any comments containing profanity, name-calling, or a disrespectful tone will be deleted. Thank you for your understanding and participation.