On 6 February, many users’ traffic to google.lk was rerouted to a propaganda website in what looked to be the work of hacktivists. The website drew attention to various current national concerns, including the challenges faced by plantation workers and the Tamil community, as well as the issues of Tamil political prisoners and the ‘forced cremations’ of COVID-19 victims. The event first made the rounds on social media after a tweet by Groundviews founder Sanjana Hattotuwa, followed by notifications from many tech agencies, including the LK Domain Registry, the registrar for Sri Lanka’s country code top-level domain, .lk. It is an autonomous non-profit organisation established at the University of Moratuwa and has been active since 1990.
A few hours in, the google.lk redirect appeared to have been rectified. However, according to cyber security expert Asela Waidyalankara, officials were by then already investigating probable intrusions into other .lk domains.
Meanwhile, Professor Gihan Dias, LK Domain Registry’s Domain Registrar, revealed that roughly 10 domains were affected by the fraudulent reroute. He said that they were “looking at the holes and identifying them”, and that the domain registrar would guarantee the event would not be repeated.
Separately, a breakdown by Twitter user Duminda (@dumindaxsb) indicated attempts by one IP address to mimic the HSBC Sri Lanka website using a similar method.
He also observed that a malicious file was delivered via google.lk to Windows workstations during the 6 February event; Duminda speculates that this may have been an Internet Explorer (IE) exploit. Numerous government and business entities continue to use IE, which means the hack could potentially have harmed thousands of machines on the island. Duminda also advises that if you visited google.lk or any other hijacked site and downloaded or opened a file, you should format your computer immediately, regardless of which browser you used.
What Happened During The Attack?
The attack itself was made possible through a technique called DNS cache poisoning: bogus records are inserted into a DNS cache, so the resolver returns an incorrect answer and visitors are directed to a fraudulent website. The consequences of such an attack can range from users unknowingly handing login credentials to malicious parties, to user machines being infected with malware.
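To make the mechanism concrete, here is an added example (not code from the article or from LK Domain Registry) of the acceptance checks a caching resolver applies before it trusts a DNS reply: the transaction ID must match the outstanding query, the question section must match, and every record must be within the bailiwick of the server that was asked. The query, responses and IP addresses are constructed sample data using RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    name: str    # owner name, e.g. "google.lk"
    rtype: str   # record type, e.g. "A" or "NS"
    data: str    # rdata as text


@dataclass
class Query:
    txid: int    # 16-bit transaction id chosen by the resolver
    name: str
    rtype: str
    zone: str    # zone the queried server is authoritative for (its bailiwick)


@dataclass
class Response:
    txid: int
    name: str
    rtype: str
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is at or below zone, so the queried server may speak for it."""
    o, z = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return o == z or o.endswith("." + z)


def accept_response(query: Query, resp: Response):
    """Return (records safe to cache, list of rejection reasons)."""
    # A reply whose id or question differs from the pending query is discarded whole.
    if resp.txid != query.txid:
        return [], ["transaction id does not match outstanding query"]
    if (resp.name.lower(), resp.rtype) != (query.name.lower(), query.rtype):
        return [], ["question section does not match outstanding query"]
    keep, dropped = [], []
    for rec in resp.answers + resp.additional:
        # Bailiwick check: never cache data the answering server is not authoritative for.
        if in_bailiwick(rec.name, query.zone):
            keep.append(rec)
        else:
            dropped.append(f"out-of-bailiwick record {rec.name} {rec.rtype} {rec.data}")
    return keep, dropped


# Constructed sample: the resolver asked the .lk servers for the A record of google.lk.
QUERY = Query(txid=0x1A2B, name="google.lk", rtype="A", zone="lk")
GENUINE = Response(0x1A2B, "google.lk", "A", answers=[Record("google.lk", "A", "192.0.2.10")])
FORGED_TXID = Response(0x9999, "google.lk", "A", answers=[Record("google.lk", "A", "198.51.100.7")])
FORGED_GLUE = Response(0x1A2B, "google.lk", "A", answers=[Record("google.lk", "A", "192.0.2.10")],
                       additional=[Record("bank.example", "A", "198.51.100.7")])
```

The bailiwick rule does not help when the forged record is inside the zone being queried, which is why resolvers also randomise transaction IDs and source ports and why DNSSEC validation is the stronger defence.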
Although the 6 February event was first deemed an isolated incident, what has been discovered since then gives cause for concern.
Reporting from Cyber Security Works shows that nic.lk domain account names and their passwords had already been exposed on the dark web. To make matters worse, it turns out that these admin login and password combinations had been used across many websites since 2012. That is eight years of using the same credentials.
What this implies is that although we appear to have fended off one attempt, another is highly likely, especially given that any bad actor could simply exploit the data exposed on the dark web.
How Can We Prevent It From Happening Again?
Almost a week after the hack, LK Domain Registry issued a statement on the event. Addressing the consequences of the hack, the statement says, “There is no indication of any additional unauthorised access to our systems. We have also not identified any indication of alterations to any .lk websites, or of any information being taken from any other .lk websites. We have not identified any serious indication that any malware had been spread through the website linked to by the attackers.”
Commenting on the security failings, the statement adds, “Together with TechCERT, we have detected deficiencies in our security processes, and have upgraded our systems to prevent these vulnerabilities. A number of additional security upgrades have also been implemented.”
But doubts remain as to how deep this breach extends; if @dumindaxsb’s findings are any indication, the situation is more serious than a simple malicious reroute. In other words, this won’t be the last time Sri Lanka could face a cyber attack of this scale.
But what can authorities truly do to prevent such occurrences from taking place?
The first step would be to recognise that we as a nation have ignored cybersecurity for a long time. Time and time again, we have seen government authorities overlook security when it comes to digital solutions. A noteworthy recent example is the Stay Safe initiative.
Recognising the issue is only half of the answer. The other half demands a proactive attitude towards security instead of a reactive one, especially in a setting where digitalisation is actively being encouraged at a governmental level. But the fact that the same domain credentials for nic.lk, Sri Lanka’s top-level country code domain provider, have remained in use for eight years demonstrates the seriousness of the vulnerabilities in our cybersecurity strategy.
Then there's the issue of communication, or more accurately, the lack thereof.
Official channels of communication were deficient throughout the breach. Given that national-level IT infrastructure was compromised and the public were kept in the dark about what was happening, this is far from ideal. One of the most crucial aspects of being proactive is having open lines of communication with all key parties.
All of this points to the troubling status of our country's cybersecurity, raising the issue of whether we are really prepared for a digital Sri Lanka.