As massive protests against Sri Lankan president Gotabaya Rajapaksa entered their eighth week, last month the hacktivist collective Anonymous stepped up to show support — in ways that have left cybersecurity experts and the general public alarmed and wondering whether the organization was doing more harm than good.

On April 20, Anonymous, the decentralized collective of internet activists, hit the websites of the Ceylon Electricity Board, the Sri Lanka Police, and the Department of Immigration and Emigration using distributed denial-of-service (DDoS) attacks. Twitter handles affiliated with Anonymous said the group had started the #OpSriLanka hashtag in support of the people and was “declaring cyberwar against the government.” 

Many Sri Lankans had been calling for the group to step in, using the hashtag #AnonymousSaveSriLanka on social media. But as part of the attack, Anonymous hackers publicly shared thousands of usernames, passwords, and email addresses from the database of Sri Lanka Scholar, a private portal that connects students to various higher education institutions and uses the official “.lk” domain. The hackers released similar information about the agents registered with the Sri Lanka Bureau of Foreign Employment (SLBFE).

“What’s the use of hacking SLBFE? This website include[s] details of innocent Sri Lankan employees who work abroad. [Rajapaksas] won’t hide their secrets in SLBFE,” a Twitter user asked.

In addition to violating the privacy of regular Sri Lankans, the leaks also put them at risk of cybercrimes and phishing attacks, technology law specialist Ashwini Natesan told Rest of World.

These people continue to be at risk because “unless fixed, another hacker can access the same database and collect the employees’ passport details and other personally-identifiable information, which can be sold on the dark web for about $50,” cybersecurity specialist Asela Waidyalankara told Rest of World. “These details can then be used for a number of cybercrimes, like impersonation.”

In addition to the data leak, a Twitter handle affiliated with the Ghost Squad, a politically-motivated hacktivist team that’s part of Anonymous, shared strategies for attacking the state-owned National Savings Bank, semi-government mobile service provider Mobitel, and the digital platform provided by Sri Lanka Telecom for locals to get appointments with doctors. Waidyalankara said that luckily, these systems were not breached. “Had this taken place, it would have revealed sensitive medical data about individuals.”

Experts say Anonymous’ attack has highlighted the shortcomings of Sri Lanka’s cybersecurity infrastructure at a time when the country is dealing with the worst economic crisis since its independence in 1948.

Sri Lanka is in economic shambles because foreign remittances have slowed, tourism revenue has suffered from the pandemic, high global oil and gas prices make daily life expensive, and the government faces difficulty borrowing from international lenders due to a massive outstanding external debt. The costs of essential goods have skyrocketed in the island nation, along with daily power cuts, resulting in ongoing anti-government protests around the country.

Given these circumstances, the government may not have the means to prioritize cybersecurity, which may leave its citizens vulnerable to future threats, experts said. In March, the Sri Lankan parliament passed data protection legislation, which has yet to come into force. “The Data Protection Act provides for protecting personal data from misuse and abuse and has necessary notification processes in place. However, it has still not come into force and the Data Protection Authority has not yet been established under the Act,” Natesan said.

The Sri Lankan Ministry of Technology “is continuously taking a lot of precautions against cyberattacks, and these will be further strengthened,” secretary Jayantha de Silva told Rest of World.

If the government does prioritize cybersecurity, it will be using taxpayer money for damage control, “so, I do not see how this attack contributes to the general cause of the protests,” Waidyalankara said. The true impact of this cyberattack will be understood much later, Waidyalankara added. “If the country’s threat profile for cyberattacks was low to medium before this, now it would be somewhere between medium to high.”

Meanwhile, Anonymous’ attack is being used by some to spread misinformation. On April 22, a Facebook page called Lanka E News published a post in which they claimed to disclose the “hidden wealth” of the ruling Rajapaksa family. Lanka E News said this information had been leaked by Anonymous during the cyberattack.

The post, which did not have hyperlinks to any data dumps or documents, claimed that media houses and popular media personalities who have reported on the economic crisis and the protests are involved in the underhanded dealings of the Rajapaksa family.

Social media analyst Sanjana Hattotuwa, who has studied the post, flagged it for “narrative corruption.” Hattotuwa found that the post was being published by different accounts at the same time, one of the “signals of inauthentic propagation.” This is an instance of a pro-government spread of misinformation, seeking to derail the movement against President Rajapaksa, Hattotuwa said, adding that “the dominant public belief that the Rajapaksas are corrupt is being instrumentalized [by the creator].”The post has been shared on a number of Facebook groups supporting the anti-government protests, including “GoHomeGota2022,” which has over 300,000 followers.