NEWS: Massive ransomware attack on state email domain

All Government offices using the “gov.lk” email domain, including the Cabinet Office, have lost data from May 17 to August 26, 2023, after a massive ransomware attack, the Information and Communication Technology Agency (ICTA) has confirmed.

The virus could have affected around 5,000 email addresses, ICTA CEO Mahesh Perera said, admitting that there was no offline backup for around two-and-a-half months' worth of data. Since the online backup system had also been corrupted, users lost emails for that period. The Cabinet Office is among the entities in the Lanka Government Network (LGN). It uses the [email protected] email domain.

Following the attack, ICTA is taking measures to start daily offline backups and to upgrade the relevant application to the latest version, which has stronger defences against virus attacks. The Sri Lanka Computer Emergency Readiness Team (SLCERT) is working closely with ICTA to try to retrieve the lost data, Mr. Perera said.

The LGN is the Government-owned private network that was introduced to connect Government organisations in what the ICTA maintains is “a cost-effective and secure manner”.

The service has been provided since 2007, Mr. Perera said. “Initially, we used Microsoft Exchange Version 2003,” he explained. “The email facility was given to Government offices. In 2014, it was upgraded to Microsoft Exchange Version 2013. This was in use till the attack. But that version is now obsolete, outdated and vulnerable to various types of attacks.”

One gov.lk domain user said that their official email had been receiving suspicious links over the past few weeks and that someone may have clicked one, triggering the ransomware attack. ICTA had planned from 2021 to upgrade the email facility to the latest version but had been constrained by fund limitations and certain previous board decisions, the CEO said.

With the ransomware attack on the morning of August 26, the site was completely encrypted. While ICTA maintains several backups in the LGN cloud, the encryption that corrupted the server was replicated to the online backup systems.

The system was restored within 12 hours of the attack and the backup was also brought back, but without two-and-a-half months of storage. “As a result of this time gap, certain old emails were lost but the service was restored,” Mr. Perera said.

ICTA continues to receive complaints from users seeking full access to the service. The failure to maintain regular backups was attributed to “administrative problems”.

Meanwhile, like many other offices, ICTA has been affected by the brain drain triggered by the economic crisis and is recruiting new staff.