The LK Domain Registry maintains the Top-Level country code domains .LK, .ලංකා and .இலங்கை. In addition to the servers which run the domain name system - DNS, the Registry maintains a registration system through which customers may register new domains, renew domains, change details of their domains, etc.
In the early morning of Sat 6th February, we received an alert of unauthorised changes to some domain names in .lk. This was immediately investigated by our team, who determined that around 10 domain names had been modified to point to a new IP address. Access to the LK domain registration systems were temporarily restricted to prevent further damage. Once the changes were identified, our team immediately reverted the changes to their previous settings. This was completed within 90 minutes.
This issue was immediately reported to our security partner, TechCERT, who immediately started the investigation together with the LK technical and the operations teams. It was identified that the changes were done remotely by accessing the Domain Registration system. TechCERT was able to identify that the incident was done by:
1. compromising of the credentials of one system user account and
2. bypassing of the restrictions which normally prevent the admin interface from being accessed from the Internet.
There is no evidence of any other unauthorised access to our systems. We have also not found any evidence of changes to any .LK websites, or of any information being stolen from any other .LK websites. We have not found any substantial evidence that any malware had been distributed via the website pointed to by the attackers. However investigations are on-going.
The DNS system continued running uninterrupted. Our telephone lines were manned from 8.00 a.m. on Saturday, and answered a large number of calls from customers, resellers, media, etc. Urgent changes are being performed manually.
Together with TechCERT, we have identified shortcomings in our security mechanisms, and have updated our systems to mitigate these vulnerabilities. A number of other security improvements have also been identified, and are being implemented. We will bring our domain registration systems back on-line shortly, as soon as these improvements are completed. However, in the meantime, please send any urgent requests to firstname.lastname@example.org . If you need any further information or assistance, please call us on 0114-216-061 or contact us on the above e-mail. For media related queries please call on 0114-216-062.
When you first log-in to the system after it is back on-line, we recommend you reset your password.
We are continuing our investigations, and will issue further updates as needed. We thank you for your patience and support during this incident, and assure you of our continued commitment to provide reliable domain registry services.
LK Domain Registry