Anonymous #OpSriLanka - Hackers & Gatecrashers

If you invite strangers to a party, you have to deal with the consequences. In this piece we try to establish a timeline of events for Sri Lanka’s most recent outing with Anonymous. We assess the impact, and give you some insights into the movement’s modus operandi.

@June 8, 2022

Read this article in English | සිංහල | தமிழ்

Featured Image -
Featured Image - Anonymous9000/Flickr
Story & Analysis by Nadim Majeed Research & Data Visualisations by Ishan Marikar Edited by Aisha Nazim & Tineeka De Silva Translated by Mohammed Fairooz & Nishadi Gunatilake

The Anonymous invitee

Resentment against the Sri Lankan Government and the Rajapaksa’s snowballed in late March. As protests intensified, calls began emanating online, imploring the hacktivist group Anonymous to expose offshore wealth of the Rajapaksa family and their associates. The first inkling that these messages reached the infamous group came from @YourAnonNews, one of the largest social media accounts associated with the movement. They quote tweeted a post from an Indian publication regarding the State of Emergency and curfew in Sri Lanka, on 03 April.

The next post from an account claiming affiliation with Anonymous, related to a now viral Facebook post. The post questioned the air lifting of 102 metric tonnes of ‘printed material’ to Entebbe International Airport in Uganda by SriLankan Airlines.

The Sunday Times reported that the cargo in question contained Ugandan currency notes and the order had been placed by “a global security printer who operates several factories worldwide, including one in Sri Lanka, exporting to global markets”.

Twitter handle @GhostClanOfcl, aka The Ghost or The Ghost Squad - another account claiming affiliation with Anonymous - stuck by the allegation that it was US dollars being shipped, despite reports to the contrary.

The account published a video alleging US dollars had been airlifted, and submitted a list of demands - including the resignation of President Gotabaya Rajapaksa within 12 days.

On 20 April, #OpSriLanka (Operation Sri Lanka) was declared by @LatestAnonPress. Their stated goal according to the accompanying image was to take down gov.lk websites.

This was the first mention of #OpSriLanka, as it pertains to the current situation, and coincided with a number of DDos (Distributed Denial of Service) attacks on several websites.

💡

In a nutshell, a DDos attack is when an attacker or a hacker overloads website servers, and makes it difficult for regular visitors to access these sites. (There’s a bit more to it than this but we’ve avoided getting too technical). [1]

The reader will note our frequent use of phrases like ‘claiming affiliation’ and our general hesitancy with directly attributing posts or other activity to Anonymous. This is because the decentralised nature of the movement also ensures that whenever they are invited to the party, there will always be a few gatecrashers accompanying them.

💡

Side note - This is not the first use of #OpSriLanka. Back in 2014, ‘hacktivists’ claiming to be affiliated with Anonymous, including AnonGhost, The Afghan Cyber Army, and Indian Haxors, attacked 129 websites and promoted their work using #OpSriLanka.

#OpSriLanka - the party kicks off

Thus far the movement appeared to have been relatively fractured, but the hashtag #AnonymousSaveSriLanka soon gained widespread use, peaking on 21 April.

Many of these posts also carried the specified demand #GiveOurMoneyBack. This indicates that their expectation was that Anonymous would expose the whereabouts of stolen assets. How this could be accomplished by taking down gov.lk websites is anyone’s guess.

Image: Screenshots of Sri Lankan Twitter users requesting Anonymous’ help to ‘save Sri Lanka’.
Image: Screenshots of Sri Lankan Twitter users requesting Anonymous’ help to ‘save Sri Lanka’.

What were the results of these pleas? On 20 April, the same day as the ‘declaration’ of #OpSriLanka, Twitter user @LulzSecSL was among the first to join the party. Claiming affiliation to Ghost Clan and by extension Anonymous, they published data from the Sri Lanka Bureau of Foreign Employment (SLBFE).

This information included emails, usernames, passwords, and details of agents registered with the SLBFE. This was a potential invasion of the privacy of low-level government employees, and Sri Lankan nationals working overseas.

💡

We’re not publishing leaked data here or embedding the original tweet for obvious privacy reasons.

The SLBFE leak was widely reported in the media, and Watchdog was able to identify thirty further attacks. The targets of these attacks ranged from state and private media perceived to be aligned with the Rajapaksa’s, to government websites, and even an e-commerce company.

The targets and the potential harm caused

Handle
DDOS
Compromised
Data Dump
SRIHUBDEV
15
0
0
ANOVNI1
5
0
0
YourAnonSpider
0
1
1
@mrdark3366
1
0
0
@Anon_242424
1
0
0
@_barbby
2
0
0
@Anonymous_Link
1
0
0
@YourAnonNewsE
1
0
0

As you can see above, the majority of the attacks tracked by Watchdog were DDos attacks. Fifteen of these were claimed by Twitter user @SRIHUBDEV, another account claiming affiliation with the Ghost Clan. Target websites included namalrajapaksa.com, police.lk, president.gov.lk, swarnavahini.lk, hiru.lk, lanwacement.com, visittamileelam.com, and an Ugandan bank.

Five DDos attacks were claimed by the handle @ANOVNI1, targeting rupavahini.lk, itn.lk, derana.lk, hirutv.lk, and parliament.lk.

The handle @YourAnonSpider claimed to be behind compromising the Sabaragamuwa Province administration’s website. It published a data dump from the Public Utilities Commission of Sri Lanka (PUCSL).

💡

We are unable to verify if the handles claiming responsibility for the attacks are indeed the attackers. The time-frame in which the attacks occurred coincide with the declaration of #OpSriLanka but this could be coincidental.

The chart below shows the types of websites which were targeted, not all of which belonged to the government.

Six of the attacks Watchdog tracked were on private businesses. Notwithstanding purported affiliations with the Rajapaksa’s, this poses a grave security risk for the customers of these companies.

💡

A single scammer can wreak havoc in your life by simply having access to your name, date of birth, and identification documents. This information can easily be used for identity theft and fraud, and it is very likely that customers of any company that suffers a data breach will be affected by phishing attacks for years.

We cannot verify if the attackers are indeed affiliated with Anonymous. This raises the possibility that persons seeking to delegitimise the movement could be perpetrating the attacks.

Assessing the impact of these attacks and data leaks is difficult. What we do know is that when it comes to data leaks, this can lead to scams that are personalised around your data. Data dumps are constantly being sold on the dark web, sometimes resulting in financial scams where money is extorted from victims.

Which brings us to the gatecrashers.

Spiking the punch

Whilst the attacks continued and protests intensified, it appeared that further mischief was afoot. A message began making the rounds on WhatsApp and social media. The post, which appeared on the facebook page Lanka E News, claimed to be an exposé of Rajapaksa wealth and identified several individuals as being Rajapaksa proxies.

What is interesting here is that the accounts from which the posts emanated claimed no affiliation with Anonymous, but quoted the movement in the posts.

The ‘leak’ made claims regarding diamond mines in Tanzania, islands in the Maldives, investments in some of the biggest blue chip companies in Sri Lanka, and even claims of ownership of pornographic film companies in the US.

What is interesting is that amongst the high profile individuals ‘outed’ as Rajapaksa proxies, were persons who have in fact been outspoken critics of the Rajapaksa administration.

Despite the outlandish nature of the claims being made, the lack of any evidence to back up the claims or veracity of the source, the message went viral. It quickly achieved the distinction of being ‘Forwarded many times’ on WhatsApp and became the subject of a number of memes.

Again, we cannot independently verify that this ‘leak’ did not originate from the hacktivist group Anonymous. However, the fact that the message is not linked to any data dump, would suggest that it is an attempt at disinformation, preying on the confirmation biases [2] of its target audience.

In other words - behold, the gatecrashers!

The hangover

Did the #OpSriLanka saga expose any concrete information regarding wealth stashed in offshore secrecy jurisdictions? No.

DDos attacks and data dumps from the Foreign Employment Bureau and PUCSL are not going to expose offshore wealth, which was the appeal from those seeking Anonymous’ intervention.

So what was finally accomplished? With the SLBFE data dump we saw the exposure of private information.

On the other hand, attacks like these makes life so much harder for the state’s cyber security teams.

The Sri Lankan state’s IT infrastructure is weak and has been breached many times before. As recently as February last year the .lk domain registry was hacked with information being exposed on the dark web.

We must also keep in mind that it is the public that must bear the cost of restoring and rebuilding the state’s web infrastructure - a cost that we cannot afford.

Readers could liken this to waking up with a splitting headache following a particularly debaucherous night out - where you’re unsure whom you’ve shared your digits with.

Looking through the haze

The good news for those seeking information on offshore wealth is that there is already a trove of information out there.

In 2015, an exposé by the International Consortium of Investigative Journalists (ICIJ), titled Swissleaks, revealed that 40 Sri Lankan nationals had stashed away about USD 50 million in secret Swiss bank accounts. Subsequently, controversial businessman Nissanka Senadhipathi and his company Avant Garde, were also featured in the Panama Papers.

ICIJ’s 2021 Pandora Papers investigation, revealed that former MP Nirupama Rajapaksa and her husband, Thirukumar Nadesan, used shell companies to buy luxury apartments in London and Sydney.

Whilst there is always the possibility that these funds may have been legitimately earned, the apparent absence of any kind of investigation, is disconcerting.

In our first data project on Corruption in Sri Lanka, Watchdog highlighted a number of major corruption cases that had escaped the radar of law enforcement.

Asset recovery is not a specialty of the Anonymous movement. Transparency International Sri Lanka, a domestic anti-corruption organisation, put together a very useful explainer on asset recovery. It answers the questions many of us are asking - how Sri Lanka can recover stolen assets, who has the power to get it done, and how long it takes.

On that note, always remember, before we invite strangers to ‘help’ with the party, perhaps we should ask ourselves, what is being done with the information and resources we already have?

Footnotes

1. DDos attacks explained:

2. Britt MA, Rouet J-F, Blaum D, Millis K. A Reasoned Approach to Dealing With Fake News. Policy Insights from the Behavioral and Brain Sciences. 2019;6(1):94-101. doi:10.1177/2372732218814855

3. Olson P. We Are Anonymous: Inside the Hacker World of Lulzsec, Anonymous, and the Global Cyber Insurgency. New York: Back Bay Books; 2013.

Data for this piece

Frequency of Attacks by Sector

Sector
Number of Attacks
State
14
State Media
5
Private Media
5
Private Business
6

Anonymous #OpSriLanka Timeline

Date
Time
Handle
Link
Site Affected
Type
4:22 PM
SRIHUBDEV
DDOS/Site-Takedown
@April 30, 2022
5:48 PM
SRIHUBDEV
DDOS/Site-Takedown
@April 29, 2022
9:53 AM
SRIHUBDEV
DDOS/Site-Takedown
@April 28, 2022
9:20 AM
SRIHUBDEV
DDOS/Site-Takedown
@April 25, 2022
10:49 AM
SRIHUBDEV
DDOS/Site-Takedown
@April 23, 2022
9:33 AM
SRIHUBDEV
DDOS/Site-Takedown
@April 23, 2022
2:58 PM
SRIHUBDEV
DDOS/Site-Takedown
@April 21, 2022
9:23 AM
SRIHUBDEV
DDOS/Site-Takedown
@April 17, 2022
9:29 AM
SRIHUBDEV
DDOS/Site-Takedown
@April 13, 2022
9:00 AM
SRIHUBDEV
DDOS/Site-Takedown
@April 7, 2022
9:32 AM
SRIHUBDEV
DDOS/Site-Takedown
@April 7, 2022
9:30 AM
SRIHUBDEV
DDOS/Site-Takedown
@April 7, 2022
9:26 AM
SRIHUBDEV
DDOS/Site-Takedown
@April 5, 2022
1:18 PM
SRIHUBDEV
DDOS/Site-Takedown
@April 4, 2022
7:16 PM
SRIHUBDEV
DDOS/Site-Takedown
@January 5, 2022
6:56 PM
DDOS/Site-Takedown
@January 5, 2022
6:56 PM
DDOS/Site-Takedown
@January 5, 2022
6:56 PM
DDOS/Site-Takedown
@January 5, 2022
6:56 PM
DDOS/Site-Takedown
@April 5, 2022
2:47 PM
DDOS/Site-Takedown
@April 30, 2022
3:34 PM
Compromised
@February 5, 2022
5:41 AM
Data Dump
@January 6, 2022
7:54 PM
AnonymousItalia
@March 4, 2022
8:01 AM
@mrdark3366
DDOS/Site-Takedown
@April 20, 2022
7:55 AM
@Anon_242424
DDOS/Site-Takedown
@April 4, 2022
2:37:00 PM
@_barbby
DDOS/Site-Takedown
@April 20, 2022
11:30:00 PM
@Anonymous_Link
DDOS/Site-Takedown
@May 4, 2022
12:42 AM
DDOS/Site-Takedown
@April 23, 2022
9:33 AM
SRIHUBDEV
DDOS/Site-Takedown
@March 4, 2022
1:57 AM
DDOS/Site-Takedown

Anonymous කතාවස්තුව