Student that stormed a State website | Sunday Observer

11 September, 2022

The Covid-19 pandemic negatively affected Sri Lanka’s economy, education and almost every other sector. The education of the country’s children was also heavily impacted, resulting in lengthy delays in all examinations held.

Accordingly, the Advanced Level Examination set to be held in August 2021 was eventually postponed to February-March 2022. The results of this examination, for which 272,680 students sat, were finally released on August 28. These results were first released online on www.doenets.lk and www.results.exams.gov.lk, the websites belonging to the Department of Examinations.

The websites allow students to check their results through their computers as well as their mobile phones by entering their index number or national identity card number. In order to protect the security and privacy of students, the websites do not allow results to be searched by merely entering a name or other information. In addition to this, principals of schools were provided with a username and password to obtain the results of the students of only that particular school.

Information

However, just two days after the results were revealed, information about a particular website that allowed anyone to search for results by merely entering a student’s name began to make the rounds. The unofficial website, reachable at the address http://rezoth.ml, allowed almost anyone to search for a student’s results by entering even just part of the person’s name, in violation of the security and confidentiality of the candidates.

The news of this unauthorised website soon travelled to L.M.D. Dharmasena, the Commissioner General of Examinations. The IT officers of the Department found out that the Department’s website was being surreptitiously hacked and data mined for details of the 2021 A-Level results.

Dharmasena then lodged a complaint with the Criminal Investigations Department on September 5. On receiving the complaint, the head of the CID, DIG Prasad Ranasinghe, directed the highly trained Cyber Crimes Division led by SSP Lucky Randeniya to investigate the matter.

Randeniya in turn handed over the key investigation to the Social Media Crime Investigation Unit and its head, ASP Jayanetti. The OIC of the unit is IP Ishara Gayasri, who was involved in nabbing the hacker of the President’s official website during the tenure of President Maithripala Sirisena.

The only clue the team led by IP Gayasri had was http://rezoth.ml, the website link submitted in the complaint. The team first identified that the website was functioning through an Oracle domain operating from abroad, allowing its creator to use it without payment.

Realising the difficulty of obtaining any information along these lines, the investigators instead took to the internet to carry out further investigations, which in turn revealed a group on the Telegram messaging platform linked to the website in question.

CID

The next task of the CID sleuths was to enter the Telegram group. But this was no easy task, as it did not accept strangers into its fold. Unknown to its users and creators, however, the investigators were able to enter the group secretly and observe the happenings within it.

It was observed that the group had almost 5,000 users, a majority of whom were school students. Almost all were IT students. The investigators also watched as group participants exchanged information on hacking websites, including methods to crack security codes in order to enter secured websites.

Though the investigators had chanced upon many unscrupulous activities, their aim was only to nab the person responsible for the unauthorised website that featured the examination results of students. But no discussion appeared to be taking place on the matter.

Therefore, the police team launched their own attack on the website in an attempt to initiate a conversation about the matter in the Telegram group.

Not long after, a group participant informed the group about the attack and requested help from others to recover the website. Though the police quickly picked up on the individual, finding information about him was no easy task, as he had hidden his identity.

The police then turned to nabbing an administrator of the group and were able to do so faster than they had expected. The person brought in for questioning was identified as a school student from Dehiwala.

He said that the group was set up to exchange information on IT among school students, especially on topics not covered by teachers despite them being included in the syllabus. The sleuths were able to recover the password for the Telegram group from the students to access it and identify its participants.

The police were able to obtain his mobile number. Details revealed that the connection was bought in 2020 but no calls had been placed using it since.

Instead, it had been used solely to access the internet. Concerned about whether the registered user of the SIM was in fact the suspect they were in search of, the police decided to nab the suspect by finding his live location instead.

However, this was no easy task, as no calls had been placed using the SIM and the live location was not displayed through the Telegram app. CID sleuths then used a tactic and added him to a WhatsApp group to trace his live location.

The live location indicated he was a resident of Wakwella, Galle. A team led by IP Gayasri headed to Galle on September 8 to locate the suspect. The team was able to arrest the suspect at his residence by that afternoon, where it was revealed that the hacker was a school student attending a prestigious all-boys school in Galle and studying for his Advanced Level examinations in the ICT stream.

Breach

The student had stolen the information by breaching the Department of Examinations website without understanding the severity of his offence.

During questioning, the student also confessed to doing the same last year. However, until this revelation, even Examinations Department officials had been unaware of a previous breach of its website.

Despite entering the site, the suspect student had not attempted to change the results displayed on the site.

He said he was able to identify the weaknesses of the Department website and used a ‘Brute Force’ attack to enter the site two days after the results were released. According to him, he had mined the data and featured it on his site to practise the knowledge he had acquired through the further ICT studies he carried out.

He also said it took him a mere 5-6 hours to download all the data from the Government website. Investigators also found that the student had pursued further knowledge about ICT through the internet, going beyond what was taught in school, but did not understand the legal issues surrounding his actions.

However, the police booked him under the provisions of the Computer Crime Act No. 24 of 2007. He is currently in the custody of the CID.

It is evident that the student was able to use his knowledge to enter a website considered one of the most secure in the country, giving rise to questions about its security, given that a mere school student could hack it. It is also concerning that officials only came to know of the hacking through information published on social media and were unable to detect a hack of their own website.

If the information had not appeared on social media, it is unlikely the suspect could have been found. He could even have altered the results, had he wished to do so, unknown to all those responsible.
