
Remembrance Day cyber attacks: Web vandals or cyber terrorists?

19 May 2021

By Karen Hapuarachchi

The commemoration of the civil war has been held every 18 May since the war ended in 2009. Since 2014, cyber attacks on state websites have recurred every 18 May, as they did yesterday (18), when the official websites of the Energy Ministry, Health Ministry, Sri Lankan Embassy in China, and Rajarata University experienced cyber attacks.

[Photo: Information Technology Society of Sri Lanka (ITSSL) Chairman Rajeev Y.M. Kuruwitage]

The annual 18 May cyber attacks

A person who weaponises computers in order to gain unauthorised access to data and damage, alter, or destroy a network or system is known as a hacker, and such an attack as a cyber attack. The Morning Business caught up with the Information Technology Society of Sri Lanka (ITSSL) Chairman Rajeev Y.M. Kuruwitage to get to the bottom of these attacks.

“These cyber attacks occur annually on the same date (18 May), and we have predicted these attacks by warning and releasing statements regarding this for about three years,” Kuruwitage commented.

He further stated that there is one particular group that is suspected to be orchestrating these attacks. As the hacking of websites is a different field of study, research, and practice, Kuruwitage explained that when a hacker succeeds in a cyber attack, due to all the effort and energy involved, the cyber attack is claimed, or a clue, sign, or hint of the hacker is intentionally left behind.

He also stated that this can be because a hacker would not undergo long processes, such as the ones mentioned above, if it was not for a particular reason, and usually the hacker would want to illustrate the reason.

“If there was a physical attack such as a bombing, the terrorist would reveal the organisation that is behind such an attack. Similarly to this, there are forums where hackers reveal the details and claim the cyber attack,” Kuruwitage commented.

Accordingly, these hackers would go so far as to reveal the technology and methods that were used to succeed in these attacks. However, the attacks by the hacker group suspected to be behind them involved distorting the original websites to publish content and messages related to the civil war.

Who is the hacker group?

Kuruwitage stated that instances of these messages include graphic videos relating to the war, such as Sri Lankan soldiers committing war crimes, and a song that was recited to represent the other side of the race in the civil war.

“We can clearly see who these hackers are from the messages they leave behind. Another fact that supports this includes the same hacker group claiming these attacks in the hacker forum as well,” Kuruwitage stated.

Accordingly, ITSSL has kept tabs on the hacker group ever since 2018 while issuing statements along with SL CERT, such as the statement published five days ago that predicted the recent 2021 cyber attack and warned about the recent international cyber attacks as well.

The statement also advised state websites to initiate updates in order to safeguard the critical infrastructure of state websites such as the Ceylon Electricity Board, the Energy Ministry, and the Health Ministry.

Can anyone become a hacker?

One point that arose during the interview was ITSSL's observation that it is the same websites that have come under attack annually.

“Websites have certain vulnerabilities such as in the plug-ins. The updates are critical to safeguard against these attacks. Some state websites have not updated themselves for years and are more vulnerable, thereby, the websites get attacked,” Kuruwitage stated.

Accordingly, there are conspiracy theories suggesting that the cyber attacks may be conducted from the inside, as the same websites have been attacked for a number of years.

He further stated that a website can simply be understood as a file, and that clicking on a website while surfing the internet downloads the data in that file. Therefore, Kuruwitage illustrated hacking as distorting the original data in the website file and adding data that the hacker wants to add.

Is this a threat to national security in the country?

“Although most people may feel indifferent about these attacks, suppose we go about our lives ignoring these threats and one day, these hackers develop their skills enough to attack the Colombo Stock Exchange (CSE)?” Kuruwitage asked.

Accordingly, a cyber attack on the CSE would lead to a financial crisis in the country, and he further stated that an attack on the CSE would then be recognised as a threat to national security. If that is so, why are cyber attacks on state websites still not considered a threat to national security?

Similar to these attacks, ITSSL revealed that www.google.lk – the Sri Lankan Google domain that started in February 2021 – was hijacked, not hacked. Accordingly, the attack involved the accounts in the company managing the website being compromised and the DNS being redirected.

“When this happened, the leaders in the country reported in media reports that although a website was hacked, it does not show itself as a threat to national security of Sri Lanka,” Kuruwitage stated.

Similar to this, he also informed that along with the other incidents that occurred yesterday, another group of hackers reported to originate from Turkey claimed a cyber attack on the CEB.

ITSSL further urged the need for laws on cyber security as a measure to safeguard not only state websites, but also private websites, due to the risk of these hackers improving their skills to the point where they can attack secured and updated websites as well.

It was also highlighted that the leaders in the country need to realise the importance of cyber security, as global leaders such as the US and Europe treat cyber attacks as a threat to national security.

International cyber attacks

ITSSL also mentioned that Sri Lanka is not the only country where hackers have threatened national security.

“There was an instance where billionaire Elon Musk’s tweet got hacked. An incident that caught the US President’s attention is also important,” Kuruwitage commented.

According to BBC reports, hackers were responsible for taking a major US fuel pipeline offline last Monday (10).

Similar to the messages that the hackers in Sri Lanka left behind, the hackers responsible for this, DarkSide, left a message on the website as well. International reports also stated that this was a “ransomware cyber-attack”. The pipeline carried 2.5 million barrels daily, which accounted for 45% of the East Coast's supply of diesel, petrol, and jet fuel. $ 2 million was required for the hackers to provide the decrypter in order for the website to operate normally.

“If the $ 2 million of ransom was not paid immediately, it would be doubled to $ 4 million,” the message the hackers left noted.

Accordingly, the hackers have taken almost 100 gigabytes of data hostage, threatening to leak it onto the internet. There was also a screenshot of the hackers’ website on the dark web, which detailed its success with the data stolen in attacking a large US manufacturer.

It is also believed that the hackers developed software used to encrypt and steal data from companies.

How can cyber security be improved?

Due to the threats and instances mentioned above, The Morning Business also conducted an exclusive interview with SL CERT Information Security Engineer Ravindu Meegasmulla in order to clarify any measures that can be taken to strengthen cyber security and safeguard websites from these attacks.

“To avoid these attacks, you should take precautions in order to avoid these attacks. You can have backups and cache these backups so that in the event of a cyber attack, the website can immediately operate normally,” Meegasmulla commented.

Accordingly, information on people who access a particular service, and on tasks, is recorded in logs. For instance, a web server keeps access logs and error logs.

“The first measure that can be taken against cyber attacks is to maintain logs in house and archive them. If something happens, the logs are the key. The awareness about cyber attacks and threats is also very important,” Meegasmulla advised.

Also, prior to launching a website, SL CERT advises running a security assessment, and if it is a big network, then a network security assessment would be best, they said. Meegasmulla also mentioned that there are companies and experts who run these assessments.

The third measure involves maintaining access to the developers of the website. As websites can be developed by a third party, in the event of a cyber attack, the people who own the website may not have direct access to the third-party company.

Therefore, it was strictly advised to maintain direct contact with these third-party companies in order to fight against these attacks as well.

“There is nothing called 100% security. If the hackers find a vulnerability, they strike the vulnerability and exploit it,” Meegasmulla stated.

Also, in the event of a cyber attack, SL CERT advises the victims to first lodge a complaint with the Criminal Investigations Department (CID). We were further informed that there is a computer crime unit that handles such crimes.

Furthermore, for technical support and further advice, SL CERT assured its availability to aid any victim and invited any further questions. In addition, it was also mentioned that there are many private sector companies that offer technical assistance as well.

“If you close these gaps and make sure you safeguard the website while spreading awareness about cyber security, you have a good chance of protecting your website and other websites from these hackers,” Meegasmulla stated. 

