Email data loss in latest cyberattack - ICTA

ICTA reveals email data loss in latest cyberattack

by Staff Writer 12-09-2023 | 10:19 AM

COLOMBO (News 1st); The Information and Communication Technology Agency of Sri Lanka revealed that a recent cyberattack resulted in the loss of email data linked to the President's Office, Cabinet Office, and several other state institutions.

ICTA CEO Mahesh Perera told News 1st that, as the data systems operating the gov.lk domain were not regularly updated, the cyberattack was unavoidable.

The cyberattack targeted the Microsoft Exchange Server where emails of the gov.lk domain are stored and managed by ICTA.

The cyberattack in the form of a ransomware attack took place on August 26, 2023. 

What is a ransomware attack?

In a ransomware attack, a simple click on a link sent via email could compromise the entire network and allow hackers to access it. 

The hackers can then block authentic users from accessing the information on the network.

The cyberattack, which has been identified as a ransomware attack, encrypted a host of emails of the President's Office, Cabinet Office, Ministry of Health, Ministry of Education, and other state institutions. 

In a message, the hackers demanded a ransom to allow access to the encrypted emails.

The Sri Lanka Computer Emergency Readiness Team, or SLCERT, has informed ICTA that it is unable to decrypt the emails.

Is the state e-mail domain insecure?

ICTA says the domain, set up in 2007, was last updated in 2013.

It points out that the domain should be updated every 4-5 years.

ICTA goes on to state that, although it requested permission to update the system in 2021 and 2022, permission was not given.

ICTA believes that the system not being updated left it unsafe, allowing the attackers to hack the domain with ease.

Was there no backup?

Following the attack on the 26th of August, ICTA attempted to recover the lost data through secure websites that maintain automatic backups, but that also failed since those had been attacked as well.

ICTA went on to note that it managed to restore data through an external data storage system, but it did not contain data from the past two and a half months. 

ICTA revealed that nearly 5,000 email addresses were affected by the ransomware attack.

Although News 1st attempted to contact the Sri Lanka Computer Emergency Readiness Team, or SLCERT, for a comment on the matter, they did not respond.

However, SLCERT has mentioned on its website that an investigation into the matter is underway.

In 2021, a similar data loss was revealed when sensitive data of the National Medicines Regulatory Authority, or NMRA, was wiped out.

NMRA data held in the government cloud was deleted at once.

A software engineer employed at the private company managing the data system was initially accused of deleting the data.

Incidentally, this data system did not have a backup, similar to the state's email domain. 

Later it was revealed in court that the software engineer of the private company managing the system had deleted the data for 7 hours. 

Presenting facts in court, the Senior Deputy Solicitor General said that, since this was part of the organized medical mafia, a thorough investigation would be conducted into all those connected to the crime and they would be brought before the law.

When an employee attached to the private company was produced in court, it was revealed that the deletion of extremely sensitive data was not a mistake, but was done on purpose.

But no one has been held accountable for this crime to this day.