Sri Lanka Threat Landscape in 2023

In today's interconnected world, where technology drives innovation and connectivity, the threat of cybercrime is greater than ever before. Organizational attack surfaces have grown more dynamic, continually shifting and evolving in response to technological improvements. This ever-changing world poses a formidable challenge to business and governmental entities.

The growing number of threat actors has reached new heights, posing a severe threat to countries globally. These malicious entities operate with impunity, motivated by a variety of reasons ranging from political espionage to financial gain.

At the heart of this rising conflict is cybercriminals' extraordinary adaptability. They have the ability to quickly establish and modify their plans, leveraging vulnerabilities in our digital infrastructure with incredible efficiency. This constant pursuit of technological exploitation poses a substantial risk to enterprises of all sizes, crossing industry and regional barriers.

Cyber threat actors meticulously choose targets with important assets, as much effort is put into carefully organizing their attacks. In the case of state-sponsored operations, these attacks are preceded by significant financial resources and strategic planning, with the goal of maximizing their impact and efficacy. The expectation of getting ideal results highlights the rigorous planning and execution of such cyberattacks.

The graph from Crowdistrike's on intrusion frequency by geographic region indicates that threat actors frequently target global superpowers.

However, there are small nations on the world's map that have been victims of cybercrime but have not received global attention. One of them is Sri Lanka, and in this article, I will explain the malicious conducts that Sri Lanka experienced in the year 2023.

Being a developing nation, Sri Lanka has not thought of digitization as a path ahead. The capital city will be the only place where digitalization even somewhat exists. Sophisticated threat actors understand that infiltrating public and private institutions will not result in financial gain, especially in the case of a ransomware attack. Therefore, there hadn't been many attacks, but rather a small number of cases where organizations have fallen victim to ransomware, which will be documented and serve as a useful guide for other local organizations. In addition, Sri Lanka has witnessed the activities of the most known APT groups from India and China, both of which are Sri Lankan partners and have healthy diplomatic relations. Finally, online scam campaigns were carried out with no claiming parties. These scam activities were directed at civilians; there are no data on how many people were affected, but there were numerous reports of illicit emails and messages.

1. Phishing Activities in Sri Lanka

As the country descended into economic turmoil, threat actors saw an opportunity to exploit people's emotions. Since there is an increase demand in job searching, phishing emails and texts were crafted to target job candidates, among other scenarios.

The images below demonstrate massive phishing attempts conducted via text messages that reached out to recipients right away. People who are unaware of phishing may become victims. After analyzing the content of the malicious text messages, it was discovered that these campaigns were carried out with the intention of collecting sensitive information and conducting financial crimes.

Clicking on the link in the message leads to the perpetrator's Whatsapp contact page as shown below.

Scam emails and text messages relating to shipping or deliveries have been more prevalent since the COVID pandemic began. These text messages can arrive in a variety of formats, such as a missing address, a parcel in transit but with an unpaid shipping fee, or a delivery package returned due to an incorrect address. The text messages contain a link to a fake website with impersonated branding, where users are expected to enter personal and banking details.

Clicking the URL in the previously mentioned SMS message may take you to a false website, as seen below, with branding from the Sri Lanka Post.

Malicious domain : slpostgovlk[.]men

Legitimate domain : slpost[.]gov[.].lk

The number of phishing emails is expected to continue to rise in the future, therefore civilians should be vigilant about the emails and text messages they receive. The government should conduct initiatives in some manner to raise public awareness about phishing threats.

2. Stolen data on hacker forums, threatening organizations in Sri Lanka

Data breaches have become a major issue for both businesses and individuals since they can cause problems such as reputational harm, financial loss, operational disruptions, legal repercussions, and intellectual property loss.

Above image shows that sensitive information from Sri Lanka police is being offered on a Dark Web forum. The leaked data includes a WordPress full backup for the main domain Police[.]lk and slp[.]police[.]lk, as well as small databases. The data leak occurred in 2023, while the data itself dates back to 2022.

The data of PickMe, a popular transport & food delivery service in Sri Lanka, is being sold on a hacker forum. The data includes personal information of approximately 4 million users, including names, email addresses, phone numbers, and hashed passwords. The data is being sold for $800, with an option to purchase it without passwords for $400. The seller claims to have obtained the data from a PickMe employee who had access to the company's database.

The dark web news pertains to the alleged sale of sensitive documents belonging to the Sri Lanka Navy on a hacker forum. The documents reportedly span until 2022 and amount to approximately 20 gigabytes, with a price tag.

3. Ransomware attacks targeting entities in Sri Lanka

Ransomware has been the most serious cyberthreat to organizations worldwide. For years, threat actors have been developing and refining the ransomware-as-a-service model which has reduced the barrier to entry for threat actors with limited capabilities while increasing attack sophistication by allowing adversaries to specialize in various stages of an attack.

RaaS model shows three different types of criminal organizations coordinating a single attack. The first group specializes in obtaining a foothold inside the company. This criminal group, known as the initial access broker (IAB), employs a variety of methods to gain entry into organizations. IABs then sell access to ransomware affiliates, who conduct ransomware attacks. Affiliates prefer to purchase ransomware rather than write it. They buy the ransomware from Ransomware-as-a-service (RaaS) vendors, such as LockBit, ALPHAV, and Play.

RaaS providers provide an extensive plan for carrying out a ransomware attack. Encrypting ransomware itself, gaining access to a dark web leak site, retaining stolen data, and negotiating with the victim.

Top 5 ransomware groups according to Malwarebytes.

Sri Lanka has also had a few ransomware cases in 2023. Ransomware groups such as 8BASE and PLAY were identified as targeting Sri Lankan entities.

3.1 A closer look into the two ransomware groups that targeted Sri Lanka

8BASE Ransomware Group

8Base Ransomware is a relatively new actor with a large number of victims and is classified among the top five most active ransomware groups. Despite its recent emergence, the gang has quickly garnered prominence for its aggressive tactics. 8Base ransomware contains certain similarities with other ransomware and extortion families such as Phobos, Ransomhouse, and Hive, but no formal linkages or relationships have been determined.

The 8Base Ransomware organization is known for gaining an initial foothold in target environments using phishing emails or through initial access brokers. Their major strategy is to utilize double extortion ransomware, which encrypts and steals data. 8Base's malware employs a variety of techniques to evade detection, increase persistence, and defend against data recovery.

Once data encryption and exfiltration have been completed, the malware will deliver a ransom demand to the owner of the infected device.

If the company refuses to pay the ransom, the 8Base Ransomware group will threaten to disclose sensitive data. The data breach can cause considerable reputational damage to the organization and may result in regulatory penalties for failing to adequately protect customer data.

8Base is known for targeting small and medium-sized businesses (SMBs) in a variety of industries, including services, finance, manufacturing, and IT. This could be due to their ability to pay large ransoms, or it could be because their data is more sensitive and valuable.

It has been reported that one business entity named Varna Packaging, a Sri Lankan flexible packaging company, has reportedly become a victim of the 8Base ransomware group who claims to have downloaded various sensitive data from Varna Packaging's servers, including invoices, accounting documents, personal data, certificates, employment contracts, and other confidential information.

PLAY Ransomware Group

Play ransomware group, referred to as PlayCrypt, is an evolving threat that first emerged in 2022. The ransomware group has gained notoriety for its widespread impacts, using a double-extortion strategy in which it first encrypts systems before stealing confidential information. The gang has become an important player in the ransomware landscape by constantly improving its tactics, techniques, and procedures (TTPs).

It is well known that the Play Ransomware group obtains initial access to an organization's network by using open RDP servers, valid accounts, and vulnerabilities in exposed devices

Researchers have discovered that the PLAY ransomware group exploited vulnerabilities in Fortinet FortiOS to obtain early access. Furthermore, they have been observed employing LOLBINS as part of their attack after getting initial access.

PLAY Ransomware employs double extortion as a strategy against its victims.

It has been reported that the Play ransomware group has allegedly targeted Paragon Software Lanka, a Sri Lankan IT company. The attackers claim to have stolen sensitive data, including client and employee documents, financial information, and taxes

4. Advance Persistence Threat (APT) activities observed in Sri Lanka.

SideWinder

The Indian state-sponsored threat actor group SideWinder (also known as TIGER and Rattlesnake) has been actively involved in a cyberespionage operation against the Sri Lankan government, despite the fact that both countries have a good diplomatic relationship.

China's rising presence in Sri Lanka poses a threat to India's national security, and an unresolved maritime border issue may be the true motive behind the espionage campaign. The goal is to obtain information about China's foreign missions in Sri Lanka or to learn more about the ongoing maritime dispute between India and Sri Lanka.

SideWinder is known to use a variety of phishing tactics to gain an initial foothold. In early 2023, security researchers discovered malicious word documents addressed to the Ministry of Defense and the Sri Lankan Navy.

This document is composed in Sinhala to entice the victim. The document was forwarded as an attachment to the relevant government institute. The image below shows a section of the email header received by the victim.

A deeper examination of the malicious document reveals that the document loads an RTF (Rich Text Format) template from hxxps[://]navy-lk[.]direct888[.]net/report/29476965/file[.]rtf and hxxps[://]president-gov-lk[.]donwloaded[.]net/a4884a53/file[.]rtf which appears to be the next stage of the attack. The RTF file cannot be located for further examination. However, As per security researchers, The following stage payload "file.rtf" is known to use polymorphism, which means that the server responds with a new version of the file each time in order to defeat the defense (AV/EDR). Moreover, RTF file contains an obfuscated JavaScript file that downloads a.NET binary, which is a malicious DLL which contains the payload.

The following image shows the possible attack chain

Malicious document crafted against Sri Lanka navy

The following is the word document that was sent to the victim.

Hash value : 3a6916192106ae3ac7e55bd357bc5eee

The following image shows the suspicious URL can be found under "word/ _rels\document.xml.rels" after unpacking the word document structure.

AnyRun analysis on the malicious file

VT Graph of the malicious file

Malicious document crafted against Ministry of Defense

The following is the word document that was sent to the victim.

Hash Value: 8202209354ece5c53648c52bdbd064f0

The following image shows the suspicious URL can be found under "word/ _rels\document.xml.rels" after unpacking the word document structure.

hybrid-analysis on the malicious file

hybrid-analysis on the malicious file

VT Graph of the malicious file

Conclusion

In conclusion, a worrying trend of growing sophistication and diversity among threat actors is reflected in Sri Lanka's cyber threat landscape in 2023. Even though Sri Lanka is a developing country with little digitalization outside of its capital, it has had its fair share of cybercrime, from attacks involving ransomware and phishing attacks to data breaches and advanced persistent threat (APT) activities.

The phishing schemes targeted individuals and job seekers, taking advantage of the unstable economy and increased demand for employment opportunities These malicious campaigns aimed at collecting sensitive information and conducting financial crimes, posing significant risks to unsuspecting victims.

Data breaches have also created substantial issues, with sensitive information from organizations such as the Sri Lanka police and commercial enterprises like PickMe being sold on dark web forums. These breaches not only compromise individuals' personal information, but they also damage trust in institutions and may result in legal ramifications.

Ransomware attacks, orchestrated  by groups such as 8BASE and PLAY, have targeted enterprises from a variety of industries, employing sophisticated strategies such as double extortion to maximize their impact. These attacks not only disrupt operations, but also threaten to expose sensitive data, further exacerbating the damage inflicted on affected entities.

Furthermore, the emergence of advanced persistent threat groups such as SideWinder emphasizes the geopolitical significance of cyber espionage in the region. Despite diplomatic relations, state-sponsored entities continue to conduct cyber espionage, which could threaten national security and escalating tensions between neighboring countries.

In response to these threats, it is imperative for Sri Lanka to enhance its cybersecurity infrastructure, invest in awareness campaigns to educate the public about cyber risks, and strengthen international cooperation to mitigate the evolving cyber threats effectively. Additionally, organizations must prioritize cybersecurity measures to safeguard their networks and data from malicious actors operating in an increasingly complex threat landscape.