On a quiet post-independence Saturday morning, while sipping a warm cup of coffee to get my bearings, I received an urgent message. It was from renowned researcher and academic Sanjana Hattotuwa. Although it sounded cryptic at first due to a lack of caffeine, the sheer gravity of what had happened soon dawned. What followed was a hectic few hours trying to decode and understand one of the most unprecedented security breaches in Sri Lankan cybersecurity history.
Understanding the critical role of the LK Domain Registry
Before we dive in, let’s gain a quick understanding of the LK Domain Registry. The LK Domain Registry operates the registry for .lk, Sri Lanka’s recognized country code top-level domain (ccTLD). Other countries’ ccTLDs include .eu for the European Union, .au for Australia, etc.; a full list of country code top-level domains can be viewed here. Conceptualized by Internet Hall of Famer Prof. Gihan Dias, the LK Domain Registry is an independent non-profit organization operating since 1990, based at the University of Moratuwa.
In their own words, they have for decades enabled Sri Lankan enterprises and businesses to display their Sri Lankan heritage online with pride:
“…individuals, businesses, religious bodies and non-profit organizations have adopted .lk web addresses to make their mark on the internet. .LK enables both companies registered in Sri Lanka as well as the international firms, who do not have a local presence, to register their domains in .lk. For companies with operations in Sri Lanka, a .lk address inspires consumer confidence and encourages people to “buy Sri Lankan.” The LK Domain Registry offers excellent opportunities for businesses to get the addresses they need.”
Thus the LK Domain Registry is a bedrock for Sri Lankan enterprises, banks, telcos, SMEs and, most importantly, Government (including the latest digital contact tracing app, Stay Safe). Therefore, even a minor breach at this level would cast serious doubt on the integrity of Sri Lanka’s digital infrastructure.
What happened to the .lk domains?
Innocent as it seems to the uninitiated, on the morning of 6th February all traffic to Google.lk was redirected to a “propaganda” page, one inspired by hacktivists bringing attention to their cause. This type of occurrence is known as a malicious redirect. Very soon the Sri Lankan Twitter-sphere activated and alerted everyone to this anomaly.
Soon after, official notices came from the TRCSL, SLCERT and the .LK Domain Registry:
Around 8:30 AM the initial Google.lk redirect was corrected; however, the official position was that other .lk domains were still being investigated for breaches.
Subsequent investigations I conducted within the cybersecurity fraternity revealed that the initial breach had been detected earlier. Some government sites had been affected, which alerted authorities that something was amiss. That incident was separate from the publicly known Google malicious redirect.
Given the vacuum of information from official sources, cybersecurity professionals on Twitter such as @dumindaxsb got to work trying to understand the severity of the breach. What he found startled him:
The breach was carried out via an attack vector called DNS poisoning. In case you’re lost, imagine someone standing in front of your gate and stealing a package that was supposed to be delivered to your home. You now have a basic understanding of what transpired: legitimate traffic that was supposed to go to Google.lk was sent to another page that displayed a message. Some were enamoured with the content of the redirected message. Meanwhile, cybersecurity professionals were sounding the alarm over the potential ramifications of this breach.
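To make the redirect concrete from a defender’s side, here is an added example (not from the original article or from any of the parties involved) that parses a DNS response in wire format, pulls out the A records, and flags any answer that differs from a known-good baseline recorded beforehand. The domain name, IP addresses and transaction ID are constructed placeholders; the two response messages are built inline so the check runs offline.

```python
import struct

def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def a_records(msg):
    """Return {name: [ipv4, ...]} for the A answers in a DNS response."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, found = 12, {}
    for _ in range(qd):                                # skip the question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            found.setdefault(name, []).append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return found

def check_against_baseline(msg, baseline):
    """Alert (name, expected, observed) when an answer no longer matches the baseline."""
    return [(n, baseline.get(n), ips) for n, ips in a_records(msg).items() if baseline.get(n) not in ips]

def build_response(name, ip, txid=0x1234):
    """Constructed one-question, one-answer response; the answer name is a pointer to the question."""
    hdr = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return hdr + question + answer

BASELINE = {"www.example.lk": "203.0.113.10"}                  # constructed known-good answer
GOOD = build_response("www.example.lk", "203.0.113.10")         # normal resolution
TAMPERED = build_response("www.example.lk", "198.51.100.77")    # answer pointing elsewhere
```

Run against live resolvers, the same check would be fed the raw bytes of each response and a baseline captured while the zone was known to be intact.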
What happened next?
Prof. Gihan Dias, key custodian of the LK Domain Registry, has called for an investigation into the breach and legal action against those involved. However, the Registry’s own internal investigation found that no other domains were affected by this breach. While national reporting was ongoing, another potential faux pas was developing: these reports inadvertently showed LK Domain Registry staff exposing their backend administrator usernames, and the length of their passwords, on national television.
The anatomy of the attack
A deeper investigation has revealed further startling evidence. Although initially framed as a breach that occurred on 6th February, it can be exclusively shared that admin usernames and passwords were available on the criminal dark web as far back as 2012, and potentially even earlier. It is likely the attackers purchased these credentials from cybercriminals and proceeded to conduct the attack on Independence Day. Hence, it presents enormous and grave national security implications for Sri Lanka’s digital infrastructure. This has been independently verified by CSW, a US Department of Homeland Security-sponsored Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA).
What are the ramifications of this breach?
As I discussed previously, Sri Lanka’s cybersecurity setup leaves much to be desired. It is evident that some of these shortcomings were exposed by the LK Domain Registry breach.
An overseas expert I had the pleasure of interacting with gave a brilliant answer to the lukewarm response that cybersecurity investments at times get from national governments: “It’s simple, at the end of the day, you can’t put cybersecurity in a parade and show it to people.” In a crisis, you must overcommunicate. In a cybersecurity crisis of this nature, that assumes great significance given the national digital infrastructure involved. As we strive towards building a more digital Sri Lanka, how safe are our digital keys?