Hackers have stolen $3.7 million from the Sri Lankan government – money that was meant to be sent as a debt repayment to Australia.
The breach was revealed last week, with the Sri Lankan government initially claiming that malicious cyber attackers had infiltrated its finance ministry’s computer system and email servers.
Hackers successfully breached the email mechanism used to send communications and payment instructions between Sri Lanka and the Australian government, a Sri Lankan minister said on Friday.
This allowed the hackers to divert part of a $22.5 million payment meant to go to Export Finance Australia, a government agency.
According to government officials, the breach was only discovered when Australian officials followed up about the payment not being received.
‘Irregularities’ discovered
Matthew Duckworth, Australia’s High Commissioner in Sri Lanka, confirmed there had been “irregularities” in payments owed to the Australian government.
“Sri Lankan authorities are investigating the matter and are coordinating with Australian officials, who are assisting the investigation,” Duckworth posted on X.
The Department of Foreign Affairs and Trade (DFAT) told Information Age, “Australian officials are assisting Sri Lankan authorities with their investigation into the matter.
“Australia remains committed to supporting Sri Lanka’s return to debt sustainability.”
Sri Lanka is recovering from a major economic crisis in 2022, which led to the country defaulting on $46 billion in external debt.
It received an International Monetary Fund-backed $US2.9 billion bail-out loan in early 2023, and is now paying this off.
Questions raised over breach
There is conjecture in Sri Lanka over the nature and method of the breach, and whether its Ministry of Finance had actually been infiltrated by the malicious actors.
A statement from the Sri Lankan Ministry of Finance, Planning, and Economic Development last week said the matter had been referred to law enforcement.
The ministry statement said that the hackers had “breached the computer system” of the ministry’s external resources department and diverted the “foreign currency payment” in January this year.
Deputy Minister of Digital Economy, Eranga Weeratne, said there was no evidence yet that the Ministry of Finance’s internal systems had been breached.
“Based on the investigations conducted thus far, no evidence of a system breach has been identified,” Weeratne said.
“There has been no indication of email hacking or similar intrusion.
“However, investigations are ongoing to determine how a foreign party may have impersonated a legitimate entity and facilitated this transaction.”
Sri Lanka’s parliamentary committee on public finance is set to meet today, and its chair, MP Dr Harsha de Silva, said it was unbelievable that the computer network had been hacked.
“The main issue was whether there was technical negligence,” de Silva said, as reported by Sri Lanka news site Ada Derana.
“I do not believe at all that hackers have hacked the Ministry of Finance’s computer network.
“I am 99 per cent sure that this did not happen. This is something else.”
The Sri Lankan government recently established a 24/7 National Cyber Security Operations Centre.
“This facility is mandated to carry out real-time monitoring using AI-enabled tools to detect potential threats in advance,” Weeratne said.
“Integrating critical IT infrastructure across institutions with this system remains a key priority.”
There have been several recent high-profile cybersecurity breaches more directly involving Australian government agencies.
Last year an external software developer engaged by a government agency accidentally made private documents publicly available on two separate occasions.
Earlier last year at least 9,000 sensitive NSW court documents were downloaded in a “major data breach”.
In 2020, the personal information of nearly 200,000 NSW residents was exposed in a data breach that saw about 3.8 million documents stolen by cybercriminals.
There are also concerns that federal government entities are not reporting all cyber incidents, with a report earlier this year finding that just 35 per cent of entities said they had reported at least half of all cybersecurity incidents in 2024-25.
The report also revealed most government entities had not put in place basic cyber protections.