Sri Lanka LK Domain Registry hijack (Google.lk)
Hacktivists hijacked Sri Lanka's national domain registry and redirected around ten high-profile .lk domains — including Google.lk and Oracle.lk — to a political propaganda page, exploiting admin credentials that had been exposed on the dark web since 2012.
- Victim: LK Domain Registry
On the morning of 6 February 2021, just after Sri Lanka's independence-day weekend, visitors to Google.lk found themselves redirected to a political propaganda page. The hijack did not stop at Google: around ten high-profile .lk domains, including Oracle.lk, were pointed to attacker-controlled content by tampering at the country's national domain registry.
What happened
The LK Domain Registry is the authority that administers Sri Lanka's .lk top-level domain and therefore holds the authoritative delegation records for every name beneath it. Attackers altered the DNS records for a cluster of major domains so that traffic resolved to a new IP address serving their message. Because the change was made at the registry rather than at any individual registrant, it affected domains the registry does not own or operate, such as Google.lk, whose owners had done nothing wrong on their side.
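A registry-level change of this kind is visible from the outside: the NS delegation or A records for several unrelated domains drift from their known-good values at the same time and start pointing at one host. The script below is an added example, not code from the page or from the LK Domain Registry, that shows the check a domain owner or CERT would run. It parses dig-style presentation records, diffs them against a baseline and clusters drifted domains by the target they now share. All domain names, nameservers and IP addresses are constructed (documentation ranges), not the real records from the incident.

```python
"""Detect registry-level DNS record drift against a known-good baseline.

Added example with constructed sample data; the nameservers and IPs are
hypothetical and do not reflect the real records in the LK incident.
"""
from collections import defaultdict

# Constructed baseline: what the registry is expected to serve for each name.
BASELINE = {
    "google.lk": {"NS": {"ns1.google.com.", "ns2.google.com."}, "A": {"192.0.2.10"}},
    "oracle.lk": {"NS": {"ns1.oracle.com.", "ns2.oracle.com."}, "A": {"192.0.2.20"}},
    "example.lk": {"NS": {"ns1.example.lk.", "ns2.example.lk."}, "A": {"203.0.113.10"}},
}

# Constructed observation in dig presentation format: owner TTL class type rdata.
# Two unrelated domains now delegate to, and resolve to, the same new host.
OBSERVED_RECORDS = """\
google.lk.   300  IN NS ns1.attacker.example.
google.lk.   300  IN NS ns2.attacker.example.
google.lk.   300  IN A  198.51.100.7
oracle.lk.   300  IN NS ns1.attacker.example.
oracle.lk.   300  IN A  198.51.100.7
example.lk.  3600 IN NS ns1.example.lk.
example.lk.  3600 IN NS ns2.example.lk.
example.lk.  3600 IN A  203.0.113.10
"""


def parse_records(text):
    """Parse presentation-format resource records into {name: {type: set(rdata)}}."""
    records = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        parts = line.split()
        if len(parts) < 5:  # not a complete owner/TTL/class/type/rdata record
            continue
        owner, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records[owner.rstrip(".").lower()][rtype.upper()].add(rdata.lower())
    return records


def diff_against_baseline(observed, baseline):
    """Return (domain, rtype, expected_set, observed_set) for every drifted record set."""
    findings = []
    for name, expected in baseline.items():
        for rtype, exp_set in expected.items():
            obs_set = observed.get(name, {}).get(rtype, set())
            if obs_set != exp_set:
                findings.append((name, rtype, frozenset(exp_set), frozenset(obs_set)))
    return findings


def shared_targets(findings, min_domains=2):
    """Group drifted domains by the new rdata they share.

    Several unrelated domains suddenly pointing at one nameserver or IP is the
    signature of a change made at the registry rather than by each registrant.
    """
    targets = defaultdict(set)
    for name, rtype, _expected, observed in findings:
        for rdata in observed:
            targets[(rtype, rdata)].add(name)
    return {key: sorted(names) for key, names in targets.items() if len(names) >= min_domains}


def assess(observed_text, baseline=BASELINE):
    """Full check: parse, diff, cluster. Returns a dict suitable for alerting."""
    findings = diff_against_baseline(parse_records(observed_text), baseline)
    return {
        "drifted": sorted({f[0] for f in findings}),
        "findings": findings,
        "clusters": shared_targets(findings),
    }


if __name__ == "__main__":
    result = assess(OBSERVED_RECORDS)
    for name, rtype, expected, observed in result["findings"]:
        print(f"{name} {rtype}: expected {sorted(expected)} observed {sorted(observed)}")
    for (rtype, rdata), names in result["clusters"].items():
        print(f"ALERT shared {rtype} target {rdata}: {names}")
```

In practice the observed text comes from querying the TLD's authoritative servers directly (for example `dig @<tld-ns> google.lk NS` against each .lk nameserver), not from a recursive resolver, so that cached answers do not mask a change at the registry. The baseline should be refreshed only from the registrar's own change log, otherwise a malicious change quietly becomes the new expected value.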
The redirected page surfaced contemporary Sri Lankan political grievances, including the plight of plantation workers and the Tamil community, Tamil political prisoners, and the "forced cremations" of Muslim and minority COVID-19 victims — framing the operation as hacktivism rather than financially-motivated crime.
A subsequent investigation uncovered the likely root cause: administrator credentials for the registry had been circulating on the dark web since 2012 and reportedly remained valid until September 2020, giving the attackers a straightforward path in.
Impact
- Roughly ten major .lk domains were redirected, most prominently Google.lk and Oracle.lk.
- The registry team detected the unauthorised changes and reverted them, restoring normal resolution within about 90 minutes.
- No data theft was reported; the damage was reputational and symbolic, demonstrating that resolution for any name under a nation's TLD could be subverted with one weak set of credentials.
Response and aftermath
The LK Domain Registry rolled back the malicious DNS entries, and Sri Lanka CERT and the Information Technology Society of Sri Lanka (ITSSL) opened investigations. The exposed-credential finding prompted urgent calls to enforce credential hygiene and multi-factor authentication on critical registry infrastructure. A further wave of defacements in May 2021, claimed by a "Tamil Eelam Cyber Force," targeted government ministries and embassy websites, underscoring a sustained hacktivist campaign against Sri Lankan digital assets.
Why it matters
Hijacking a national domain registry is among the highest-leverage attacks possible: control the registry and you control how an entire country's most-visited sites resolve. That this was achieved through decade-old leaked credentials — not a novel exploit — made it a stark lesson in the cost of neglected credential management at the most critical layer of internet infrastructure.
Timeline
On the morning after independence-day weekend (6 February 2021), traffic to Google.lk and around ten other .lk domains is redirected to a political propaganda page.
LK Domain Registry detects the unauthorised DNS changes and reverts them, restoring the domains within roughly 90 minutes.
Sri Lanka CERT and the Information Technology Society of Sri Lanka (ITSSL) launch investigations into the hijack.
Investigators find that admin credentials for the registry had been exposed on the dark web since 2012 and remained valid until September 2020 — the likely attack vector.
A second wave of attacks (May 2021) defaces further Sri Lankan government and embassy sites; a group calling itself 'Tamil Eelam Cyber Force' is named.
Sources
- https://en.wikipedia.org/wiki/2021_cyberattacks_on_Sri_Lanka
- https://arteculate.asia/sri-lanka-lk-domain-registry-breach/
- https://adaderana.lk/news/71342/several-lk-domains-under-cyber-attack
- https://social.cyware.com/news/websites-of-at-least-eleven-institutions-in-sri-lanka-hit-by-cyber-attacks-3d19a71f