Sri Lanka’s government email network was hit by a ransomware attack that wiped months of data from thousands of email accounts, including ones belonging to top government officials, authorities confirmed on Monday.
The attack, which started at the end of August, affected nearly 5,000 email addresses using the gov.lk email domain. The victims include Sri Lanka’s council of ministers which forms the central government of the country.
The targeted system, Lanka Government Cloud (LGC), was encrypted along with backups of the system. Although officials were able to restore LGC within 12 hours of the attack, they didn’t have backups from May 17 to August 26, so all affected accounts lost data from that period, according to Mahesh Perera, the head of Sri Lanka’s Information and Communication Technology Agency (ICTA).
The country’s computer emergency response team (CERT|CC) has started an investigation into the incident and is working to recover the lost data.
Perera told media outlets that the Sri Lankan government doesn’t plan to negotiate with the attackers or pay any ransom to retrieve the lost data.
It’s currently unknown which hacking group is behind the incident. To gain access to the targeted system, the attackers might have used malicious links sent to government employees, according to ICTA. The hackers likely exploited a vulnerability in an outdated version of Microsoft Exchange that hadn’t been updated.
Officials wanted to upgrade the system in 2021, but those plans were delayed due to budget constraints and previous board decisions, Perera told local media.
ICTA said it is taking steps to improve security after the attack. This includes implementing daily offline backups and updating the email application to the latest version.
The agency did not respond to a request for comment.
The Sri Lankan government has faced previous criticism for its lack of attention to cybersecurity. The country doesn’t have a dedicated cybersecurity authority and only introduced cybersecurity legislation in June of this year.