Sri Lanka reports missing payment after hackers attack finance ministry

Summary: Sri Lanka has revealed a third missing payment, reported days after $2.5 million was stolen from its finance ministry, indicating a series of financial vulnerabilities.

Sri Lanka under digital attack: the invisible fraud compromising state finances

By MSB

Sri Lanka faces a new crisis, this time in the realm of cybersecurity. Days after the theft of $2.5 million from its Ministry of Finance was confirmed, the government revealed a second incident: another payment, this time of approximately $625,000, also vanished before reaching its destination.

What initially seemed like an isolated case is starting to take shape as a pattern of sophisticated attacks against the state's financial infrastructure.

A silent but highly effective attack

The new incident was detected when U.S. authorities reported that a payment sent by Sri Lanka was never received. Simultaneously, an attempt to divert another payment destined for India was identified, which raised alarms within the government.

These events point to a well-known technique in the cybersecurity world: Business Email Compromise (BEC). This type of attack does not require exploiting complex technical vulnerabilities; instead, it relies on compromising email accounts or financial systems to manipulate payment instructions.

In simple terms, the attacker infiltrates the communication and redirects the money to accounts they control.

Beyond hacking: social engineering at a state scale

Unlike traditional cyberattacks, BEC relies on trust. Attackers study internal processes, identify critical transactions, and act at the precise moment to modify bank details without raising suspicion.

In Sri Lanka's case, hackers managed to divert funds intended for international payments, including commitments with foreign governments. In the previous attack, the $2.5 million was intended for debt repayment to Australia, but ended up in fraudulent accounts.

This reveals a critical vulnerability: it is not necessary to compromise the entire infrastructure; merely intervening in the flow of financial communication is enough.

A bigger problem than it seems

Authorities have not yet confirmed if both incidents are directly related, but indications suggest they could be part of the same campaign.

Furthermore, reports indicate that other countries, such as Australia, have also detected payment irregularities related to Sri Lanka, which expands the potential scope of the attack.

These types of incidents not only have immediate economic impact but also erode international confidence in the country's ability to manage its financial obligations.

Context: a vulnerable economy, an attractive target

Sri Lanka is still recovering from a deep economic crisis that culminated in a debt default in 2022. In this context, the state's financial systems become an especially attractive target for cybercriminals.

The combination of economic pressure, complex international payment processes, and possible weaknesses in internal controls creates an ideal environment for these types of attacks.

Key cybersecurity lessons

This case provides relevant lessons for governments and organizations:

  • Email remains the weakest link in critical systems.
  • Payment validation must be multi-factor, especially in international transactions.
  • Real-time visibility into transactions is essential to detect anomalies quickly.
  • Low-profile attacks can have a high economic impact, without needing sophisticated malware.
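
The payment-validation lesson above can be expressed as a release gate, shown here as an added example (not code from any system described in this article). The payee names, account numbers, and field names are constructed, and the two checks (out-of-band callback on changed bank details, independent second approver) are assumed controls.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: beneficiary accounts vetted through a channel
# other than email (for example a signed agreement or a prior callback).
VETTED_ACCOUNTS = {
    "creditor-a": "AU00-0000-1111",
    "creditor-b": "US00-0000-2222",
}

@dataclass(frozen=True)
class PaymentInstruction:
    payee_id: str
    account: str               # account number stated in the instruction
    amount_usd: float
    initiator: str             # officer who keyed the payment
    approver: Optional[str]    # second officer who signed off, if any
    callback_confirmed: bool   # payee reached on the phone number already on file

def review(instr, vetted=VETTED_ACCOUNTS):
    """Return (decision, reasons); any reason means the payment is held."""
    reasons = []
    known = vetted.get(instr.payee_id)
    if known is None:
        reasons.append("payee not in vetted registry")
    elif instr.account != known and not instr.callback_confirmed:
        # The BEC pattern: bank details changed inside the message itself.
        reasons.append("account differs from vetted record; callback required")
    if instr.approver is None or instr.approver == instr.initiator:
        reasons.append("no independent second approver")
    return ("HOLD" if reasons else "RELEASE", reasons)

if __name__ == "__main__":
    # Constructed instruction whose account does not match the vetted record.
    changed = PaymentInstruction("creditor-a", "XX99-9999-0000", 2_500_000,
                                 "officer1", "officer2", False)
    print(review(changed))
```

The gate only releases a payment when the account matches the vetted record, or the change was confirmed by callback, and a different officer approved it.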

Conclusion

What happened in Sri Lanka shows that financial cybersecurity does not depend solely on firewalls or advanced systems, but on processes, controls, and constant verification.

In a global environment where millions can be diverted with a simple change in a payment instruction, the threat is no longer just digital: it is structural.

The remaining open question is not if these attacks will continue, but how many organizations—public or private—are truly prepared to detect them before it is too late.

Key facts

  • Missing payment: $625,000 for U.S. Postal Service.
  • Hackers attempted to divert another payment destined for India.
  • The previous theft was $2.5 million from the Ministry of Finance.

Why it matters

These constant cybersecurity incidents severely undermine national and international financial trust. The lack of adequate security measures exposes Sri Lanka to greater economic and stability risks.