News
Hackers bust defences of non-vigilant state institutions
View(s):By Tharushi Weerasinghe
A lack of regular cybersecurity audits has emerged as a recurring weakness among government institutions hit by the recent wave of cyberattacks targeting state-run information systems.
In 2025 alone, the Computer Emergency Readiness Team (CERT) has recorded three government websites which were compromised, one ransomware incident, and a data breach incident.
The latest involved the National Water Supply and Drainage Board, whose customers received threatening messages from “hackers” last Sunday (1) claiming to have accessed their accounts.
Text messages—appearing to come from the same short code used for billing and service updates—warned users that their accounts had been hacked by a group calling itself “Alpha Team”. The messages demanded 1.5 Bitcoin to recover the alleged stolen data and included a cryptocurrency wallet address.
Social media users shared screenshots showing legitimate NWSDB updates followed by the ransom note.
According to official sources, 8,000 customers had been targeted in the attack.
An unknown party exploited a vulnerability in a third-party application connected to the messaging gateway, using it to send unauthorised messages. The attack involved random targeting and was carried out through the SMS gateway, which typically has limited access points. The attackers were able to bypass these restrictions and insert records into the database.
While internal systems remain unaffected and no sensitive data was compromised, a dataset containing phone numbers was accessed. A security assessment of the connected applications had not been done before the breach, despite the need for regular evaluations. The NSWDB has been instructed to begin periodic security audits as a key preventive measure.
The attack followed a ransomware attack on the Pensions Department systems the week before, which resulted in 600 GB of pensioners’ data being compromised and published on the dark web.
While the CERT call centre has been placed on alert, no complaints have been received so far from affected pensioners.
“Given the nature of the leaked information, any scammers are likely to be local,” noted Charuka Damunupola, senior information security engineer, CERT. “However, since the targeted group consists mostly of pensioners, who are less likely to use smartphones or access online platforms regularly, we believe the impact has been limited.”
The Pensions Department has also been added to a list of 40 state institutions that run critical information systems and fall within a more advanced cybersecurity framework. The system, implemented via circular in 2023, requires select government institutions to appoint a team led by an information security officer to ensure cyber hygiene and maintain standards of information systems and databases. The NWSDB is already on this list.
Mr. Damunupola noted that 30 of the 40 directed institutions have complied so far and that the relevant ISOs have regular training workshops. Apart from the ISOs, all staff of other government entities, like the Immigration Department, also receive training on preventing cybersecurity violations.
Nonetheless, both the NWSDB and the Pensions Department have been directed to have periodic cybersecurity checks, which Mr. Damunupola notes had not been happening.
While cybersecurity in Sri Lanka is overseen by CERT and guided by circulars and a National Information and Cybersecurity Strategy, there is no standard compliance for government institutions.
“Every staff member represents a potential vulnerability, which is why awareness and training are key to improving overall cyber hygiene,” he noted.
As part of a broader national cybersecurity policy, guidelines have been issued for securing information systems and websites. These include both general protocols and technical guidance for developers.
Website development across government agencies varies. Some institutions, like the Department of Pensions, have in-house developers, while others outsource the work. However, few agencies have full-scale development teams, with many relying on a small number of IT officers to either build, manage, or coordinate outsourced services.
He said that institutional systems need a structured development lifecycle, including testing and quality assurance, which is expensive and, in some cases, unnecessary due to the scope of work within the department mandate.
A 24/7 National Security Operations Centre for cyberattack prevention and monitoring is being set up. Recruitment is underway. CERT is currently handling official functions, with the onboarding of additional units in progress.
“We have previously issued two cabinet directives by circular, apart from the national policy, to government entities to adopt international quality standards for cybersecurity within state institutions,” he added.
The circular from 2022 mandates the adoption of secure coding practices, protection of the hosting environment, and regular security assessments such as vulnerability testing. It also recommends implementing strict access control measures, maintaining an incident response plan, and ensuring continuous monitoring and compliance with security standards.
The 2023 circular mandates that all government institutions implement the National Cyber Security Policy. This directive applies to ministries, departments, statutory bodies, and other public sector entities, with a phased rollout beginning with organisations listed in Annexe 3. The policy aims to standardise cybersecurity practices across the public sector.
Sri Lanka CERT is designated to provide technical support and guidance during implementation.
The best way to say that you found the home of your dreams is by finding it on Hitad.lk. We have listings for apartments for sale or rent in Sri Lanka, no matter what locale you're looking for! Whether you live in Colombo, Galle, Kandy, Matara, Jaffna and more - we've got them all!