- Leaked data by the hacker collective has put regular Sri Lankans at severe risk of cybercrime
By Dimuthu Attanayake
restofworld.org: As massive protests against Sri Lankan President Gotabaya Rajapaksa entered their eighth week, last month the hacktivist collective Anonymous stepped up to show support — in ways that have left cybersecurity experts and the general public alarmed and wondering whether the organisation was doing more harm than good.
On 20 April, Anonymous, the decentralised collective of internet activists, hit the websites of the Ceylon Electricity Board, the Sri Lanka Police and the Department of Immigration and Emigration using distributed denial-of-service (DDoS) attacks. Twitter handles affiliated with Anonymous said the group had started the #OpSriLanka hashtag in support of the people and was “declaring cyberwar against the government.”
Many Sri Lankans had been calling for the group to step in, using the hashtag #AnonymousSaveSriLanka on social media. But as part of the attack, Anonymous hackers publicly shared thousands of usernames, passwords and email addresses from the database of Sri Lanka Scholar, a private portal that connects students to various higher education institutions and uses the official “.lk” domain. The hackers released similar information about the agents registered with the Sri Lanka Bureau of Foreign Employment (SLBFE).
“What’s the use of hacking SLBFE? This website include[s] details of innocent Sri Lankan employees who work abroad. [Rajapaksa’s] won’t hide their secrets in SLBFE,” a Twitter user asked.
In addition to violating the privacy of regular Sri Lankans, the leaks also put them at risk of cybercrimes and phishing attacks, technology law specialist Ashwini Natesan told Rest of World.
These people continue to be at risk because “unless fixed, another hacker can access the same database and collect the employees’ passport details and other personally-identifiable information, which can be sold on the dark web for about $50,” cybersecurity specialist Asela Waidyalankara told Rest of World. “These details can then be used for a number of cybercrimes, like impersonation.”
In addition to the data leak, a Twitter handle affiliated with the Ghost Squad, a politically motivated hacktivist team that is a part of Anonymous, shared strategies for attacking the state-owned National Savings Bank, semi-government mobile service provider Mobitel and the digital platform provided by Sri Lanka Telecom for locals to get appointments with doctors. Waidyalankara said that luckily, these systems were not breached. “Had this taken place, it would have revealed sensitive medical data about individuals.”
Experts say Anonymous’ attack has highlighted the shortcomings of Sri Lanka’s cybersecurity infrastructure at a time when the country is dealing with the worst economic crisis since its independence in 1948.
Sri Lanka is in economic shambles because foreign remittances have slowed, tourism revenue has suffered from the pandemic, high global oil and gas prices make daily life expensive and the government faces difficulty borrowing from international lenders due to a massive outstanding external debt. The costs of essential goods have skyrocketed in the island nation, along with daily power cuts, resulting in ongoing anti-government protests around the country.
Given these circumstances, the government may not have the means to prioritise cybersecurity, which may leave its citizens vulnerable to future threats, experts said. In March, the Sri Lankan parliament passed data protection legislation, which has yet to come into force. “The Data Protection Act provides for protecting personal data from misuse and abuse and has necessary notification processes in place. However, it has still not come into force and the Data Protection Authority has not yet been established under the Act,” Natesan said.
The Sri Lankan Ministry of Technology “is continuously taking a lot of precautions against cyberattacks, and these will be further strengthened,” Secretary Jayantha de Silva told Rest of World.
If the government does prioritise cybersecurity, it will be using taxpayer money for damage control, “so, I do not see how this attack contributes to the general cause of the protests,” Waidyalankara said. The true impact of this cyberattack will be understood much later, Waidyalankara added. “If the country’s threat profile for cyberattacks was low to medium before this, now it would be somewhere between medium to high.”
Meanwhile, Anonymous’ attack is being used by some to spread misinformation. On 22 April, a Facebook page called Lanka E News published a post in which they claimed to disclose the “hidden wealth” of the ruling Rajapaksa family. Lanka E News said this information had been leaked by Anonymous during the cyberattack.
The post, which did not have hyperlinks to any data dumps or documents, claimed that media houses and popular media personalities who have reported on the economic crisis and the protests are involved in the underhanded dealings of the Rajapaksa family.
Social media analyst Sanjana Hattotuwa, who has studied the post, flagged it for “narrative corruption.” Hattotuwa found that the post was being published by different accounts at the same time, one of the “signals of inauthentic propagation.” This is an instance of a pro-government spread of misinformation, seeking to derail the movement against President Rajapaksa, Hattotuwa said, adding that “the dominant public belief that the Rajapaksa’s are corrupt is being instrumentalised [by the creator].” The post has been shared on a number of Facebook groups supporting the anti-government protests, including “GoHomeGota2022” which has over 300,000 followers.
Dimuthu Attanayake is an independent journalist and a researcher from Sri Lanka.