SL government emails lose data with no backups due to “administrative problems”

A recent report from The Sunday Times claims that all Sri Lanka government emails (gov.lk domain) have lost data owing to a ransomware attack. According to the ICTA, the data in question falls between 17th May to 26th August 2023 with around 5,000 email addresses impacted by the ransomware. To make matters worse, the ICTA also admits that there’s no backup available to restore the lost data.

The ransomware attack took place on 26 August morning and affected all of Lanka Government Network’s (LGN) gov.lk emails. While the system was eventually restored within 12 hours of the attack, none of the lost email data was recovered as the ransomware’s encryption affected the online backups as well. As per ICTA CEO Mahesh Perera, even an offline backup is unavailable and owes the reason for maintaining regular backups to “administrative problems.” However, following the attack, he stated that the ICTA is now taking offline backups on a regular basis.

While the ICTA says it’s working closely with SLCERT to recover the lost data along with an update to the existing systems. The LGN system has been in use since 2007 when it was shipped with Microsoft Exchange 2003 for government use. By 2014, this was upgraded to Microsoft Exchange 2013 which has been in use until the ransomware attack. It’s worth noting here that Microsoft ended support for Exchange 2013 by April 11 2023 and the company requested customers to migrate systems to Microsoft 365, Office 365, or Exchange 2019 as early as February.

According to the ICTA CEO, the email system was originally planned for an upgrade back in 2021, but has been later due to budget limitations and “certain previous board decisions.”

Lackluster cybersecurity and recovery response

As to how the ransomware itself happened, The Sunday Times report quotes one gov.lk user who had received dubious links in the past few weeks. The user mentions that it’s likely someone may have clicked on one of these links which would have triggered the ransomware.

Incidentally, the attack comes at a time when Chinese hackers breached US government emails via a Microsoft Cloud exploit. The attack in question saw hackers using forged authentication tokens to access email accounts via Outlook Web Access in Exchange Online. While Microsoft initially denied the data breach, the tech giant later confirmed the attack, stating that only Outlook.com and Exchange Online applications were impacted. However, some suspect that the hackers could have gained entry to other Microsoft customer applications with the “login with Microsoft” function.

Of course, this wasn’t the first time Sri Lanka was caught up in an international cyber security breach. Back in 2017, the WannaCry ransomware ravaged about 150 countries including Sri Lanka, and impacted over 200,000 computers. Although, Sri Lanka’s track record around cyber security itself hasn’t been great.

The cyber attack is only the latest incident to happen at the national level. In 2021, the LK Domain Registry itself was compromised. Now, with the government’s own gov.lk email systems compromised and lacking data recovery processes in place, the future of e-government services in Sri Lanka leaves much to be desired. It’s particularly worrying when taken in the context of something at the scale of Sri Lanka’s ongoing eNIC/digital ID project.