The Sri Lankan government has confirmed that a cyberattack against its Ministry of Finance resulted in the theft of more than $3.7 million in funds earmarked for debt repayments to Australia. Authorities describe the incident as the largest confirmed cyber theft from a Sri Lankan state institution to date, with the Criminal Investigation Department and the Central Bank's Financial Intelligence Unit now leading the investigation alongside Australian officials.
What Happened
Threat actors breached the Ministry of Finance's email servers and connected computer systems, gaining sufficient access to manipulate outgoing payment instructions. Funds that had been allocated as part of Sri Lanka's bilateral debt repayment obligations to Australia were redirected to attacker-controlled accounts after payment details were altered in transit. The intrusion was identified after Australian and Sri Lankan officials noticed irregularities in expected inbound payments, prompting the Ministry to confirm that the money earmarked for Australia had vanished. Finance Ministry Secretary Harshana Suriyapperuma confirmed the email server breach and said authorities are coordinating with Australian investigators.
What Was Taken
Over $3.7 million in sovereign debt repayment funds were diverted from their intended recipient. While no bulk data exfiltration has been publicly disclosed, the attackers necessarily had enough access to the Ministry's email and financial workflow to read, manipulate, or spoof payment instructions, meaning any correspondence, banking credentials, counterparty details, and internal approvals handled through those systems should be treated as compromised. The Australian High Commission confirmed the irregularities publicly through High Commissioner Matthew Duckworth.
Why It Matters
This incident marks a significant escalation in financially motivated attacks against sovereign financial institutions in South Asia and demonstrates the continued viability of business email compromise (BEC) and payment diversion tradecraft against government ministries. Sri Lanka is still in the middle of a politically sensitive sovereign debt restructuring process, and the attack directly undermines trust in the machinery responsible for executing those repayments. For defenders, it reinforces that email server compromise is not just a data-theft problem: once an attacker can sit inside a finance workflow, they can weaponise legitimate payment processes to extract funds at scale. Allied governments that transact with compromised ministries also inherit downstream risk.
The Attack Technique
Sri Lankan officials have not formally attributed the intrusion or disclosed full technical details, but the reported behaviour is consistent with a payment diversion scheme enabled by an email server compromise. Based on public statements, the attackers obtained access to the Ministry's email infrastructure, then altered payment details so that funds destined for the Australian government were rerouted to accounts they controlled. This pattern typically involves credential theft or exploitation of an exposed mail server, followed by mailbox rule manipulation, interception of financial correspondence, and spoofed or modified payment instructions sent to counterparties or internal treasury staff. No named threat actor has been confirmed.
What Organizations Should Do
- Enforce phishing-resistant MFA (FIDO2 or hardware tokens) on all email, VPN, and financial system accounts, and disable legacy authentication protocols that bypass MFA.
- Implement out-of-band verification for any change to payment instructions, banking details, or counterparty account information, using a channel separate from email.
- Audit mailbox rules, forwarding rules, and delegated access across finance and executive accounts to detect attacker persistence; alert on creation of new rules that hide or redirect mail.
- Patch and harden internet-facing mail servers (Exchange, Zimbra, and similar), and consider migration to well-monitored cloud mail platforms with robust conditional access.
- Segment financial payment workflows from general email and productivity environments, and require dual approval for outbound wire transfers above defined thresholds.
- Deploy DMARC, DKIM, and SPF in enforcement mode, and monitor for lookalike domain registrations that mimic the organisation or its key counterparties.
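The mailbox-rule audit recommended in the list above can be sketched as follows. This is an added example, not code from the article or from any party to the incident; the rule record schema, the domain names and the sample rules are constructed assumptions, and a real audit would map the mail platform's own rule export onto these fields.

```python
# Added example: flag mailbox rules typical of payment-diversion persistence.
# The record schema (mailbox, name, forward_to, delete, move_to, keywords)
# is hypothetical; map your mail platform's rule export onto it.

INTERNAL_DOMAINS = {"treasury.example"}          # assumption: your own domains
FINANCE_TERMS = {"invoice", "payment", "swift", "iban", "remittance", "bank"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email"}

def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()

def assess_rule(rule):
    """Return a list of reasons this rule deserves analyst review."""
    reasons = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards outside the organisation: " + ", ".join(external))
    hides = rule.get("delete", False) or \
        rule.get("move_to", "").strip().lower() in HIDING_FOLDERS
    if hides:
        reasons.append("hides mail from the mailbox owner")
    hits = {k.lower() for k in rule.get("keywords", [])} & FINANCE_TERMS
    if hits and (external or hides):
        reasons.append("targets finance terms: " + ", ".join(sorted(hits)))
    name = rule.get("name", "").strip()
    if len(name) <= 2 and (external or hides):
        reasons.append("near-empty rule name")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) -> reasons, for rules with at least one reason."""
    return {(r["mailbox"], r.get("name", "")): why
            for r in rules if (why := assess_rule(r))}

# Constructed sample export, not data from the incident.
SAMPLE_RULES = [
    {"mailbox": "payments@treasury.example", "name": ".",
     "keywords": ["payment", "SWIFT"], "move_to": "RSS Feeds"},
    {"mailbox": "secretary@treasury.example", "name": "copy",
     "forward_to": ["drop@mailbox.invalid"], "keywords": ["invoice"]},
    {"mailbox": "clerk@treasury.example", "name": "Newsletters",
     "keywords": ["digest"], "move_to": "Reading"},
]

if __name__ == "__main__":
    for key, why in audit(SAMPLE_RULES).items():
        print(key, why)
```

Run on a schedule against finance and executive mailboxes, the useful signal is the difference between runs: a rule that appears in the output today and was absent yesterday is the event to alert on.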
Sources: Sri Lankan government hack sees $3.7m destined for Australia stolen - Cyber Daily