What we currently know about the AIIMS cyberattack and its links to China.
As the investigation into the AIIMS cyberattack reveals China ties, we explain what has been discovered thus far, the authorities’ response, and some lessons we can learn from this case.
The investigation into the cyberattack on various servers at AIIMS in the national capital revealed that the IP addresses of two emails identified by the hackers from the headers of encrypted files originated in Hong Kong and China’s Henan province, according to sources.
Several agencies are investigating the cyberattack, which is suspected of compromising the records of nearly 3-4 crore patients, including the Indian Computer Emergency Response Team (CERT-In). All patient-related data, according to sources, has been repopulated in the main system. “All prior patient records have been restored to the system,” the company stated.
What has the investigation revealed thus far?
According to sources, the senders used the email service Protonmail. According to CERT-In, the country’s premier cybersecurity agency, the hackers used two Protonmail addresses: “dog2398” and “mouse63209.
According to sources, the encrypted files were also sent to these two Protonmail IDs during the investigation via CERT-In and Interpol. “During the first week of November, they discovered that ‘dog2398′ and’mouse63209’ were generated in Hong Kong. Another encrypted file was discovered, this time from Henan, China. According to sources, they have established the first layer and are attempting to learn about additional layers.
According to sources, the targeted servers were also infected with three types of ransomware: Wammacry, Mimikatz, and Trojan. “CERT-In and DRDO (CIRA) discovered five NIC servers infected with ransomware, as well as seven AIIMS computer facility servers infected with these three ransomware,” the researchers wrote.
The Delhi Police Intelligence Fusion and Strategic Operations (IFSO) unit filed a FIR after receiving a complaint from AIIMS under IPC section 385 (inducing fear of bodily harm in mainly order to commit extortion) and IT Act sections 66 and 66-F.
What was the intention of the cyberattack?
Many daily activities at AIIMS were halted as a result of the cyber attack, including OPD registrations and blood sample reports. While AIIMS was able to mainly restart some of these services, records were kept manually, causing delays and inconvenient situations for medical personnel and patients alike.
Patients claim that the cyber attack has hampered their treatment. “My mother had blood tests done on November 16 and was told to come back on November 30 to see a doctor,” Raja, 20, explained. “However, we have yet to receive the reports, and the treatment was unsuccessful.”
Data encryption was triggered on one of the Windows servers connected to the same network, but “files on this server were not encrypted,” according to sources.
The investigation also revealed that the current main server and applications in charge of OPD services were unavailable due to the encryption of all system files in the home directory by changing their extension to.
bak9 – a new file that encrypts the extension files in the system. The institute’s computer facility has 52 physical servers: 37 at AIIMS, 15 at NIC, and 148 virtual servers.
“They discovered a server address in China. It does not imply that they have tracked down a specific individual or organisation. They have discovered a Chinese IP address. It could be a physical or virtual Chinese server. This will be discovered in the coming days “The Indian Express cites senior government officials.
According to sources, investigations into whether the institute’s other critical data has been compromised are still ongoing. “…determining which portion of the data from the primary system is missing but not from the backup server is a much more time-consuming and labor-intensive process. According to sources, this is currently taking place.
The AIIMS cyber attack, according to sources, exposed two major flaws.
As a result, an attack will only affect one level of that hierarchy… Currently, there is only one backup server in a remote location. A hierarchical structure, according to sources, would have backup built-in redundancy for each level.
Second, “they only had a troubleshooting cell that lacked the expertise to prevent a cyber attack,” sources claim. The AIIMS has begun the process of establishing a dedicated cyber security cell, according to the report.
)
You will be unable to download from certain prohibited sites because they are the most common means of infecting your computers and computer network “According to reliable sources.
The investigation into the cyberattack on some servers at AIIMS in the national capital revealed that the IP addresses of two emails identified by the hackers from the headers of encrypted files originated in Hong Kong and China’s Henan province, according to sources.
The senders used the email service Protonmail, according to sources, and investigators have yet to identify the person, organisation, and exact physical location associated with the cyberattack.
“They discovered a server address in China. It does not imply that they have tracked down a specific individual or organisation. They have discovered a Chinese IP address. It could be a physical or virtual Chinese server. This will be discovered in the coming days “The Indian Express cites senior government officials.
Several agencies are investigating the cyberattack, which is suspected of compromising the records of nearly 3-4 crore patients, including the Indian Computer Emergency Response Team (CERT-In).
All backup data directly related to patient information, according to sources, has been repopulated into the main system. “All prior patient records have been restored to the system,” the company stated.
Sources say that investigations into whether the institute’s other critical data has been compromised continue. “…determining which portion of the data from the main system is missing but not from the backup server is a much more time-consuming and lengthy process. According to sources, this is currently taking place.
According to CERT-In, the country’s premier cybersecurity agency, the hackers used two Protonmail addresses: “dog2398” and “mouse63209. The targeted servers were infected with three types of ransomware, according to sources: Wammacry, Mimikatz, and Trojan. “CERT-In and DRDO (CIRA) discovered five NIC servers infected with ransomware, as well as seven AIIMS computer facility servers infected with these three ransomware,” the researchers wrote.
According to sources, the encrypted files were also sent to these two Protonmail IDs during the investigation via CERT-In and Interpol. “They discovered that ‘dog2398′ and’mouse63209’ were generated in Hong Kong during the first week of November. Another encrypted file was discovered, this time from Henan, China. According to sources, they have established the first layer and are attempting to learn about additional layers.
The Delhi Police Intelligence Fusion and Strategic Operations (IFSO) unit filed a FIR after receiving a complaint from AIIMS under IPC section 385 (inducing fear of bodily harm in mainly order to commit extortion) and IT Act sections 66 and 66-F.
Data encryption was triggered on one of the Windows servers connected to the same network, but “files on this server were not encrypted,” according to sources.
The investigation also revealed that the current main server and applications in charge of OPD services were unavailable due to the encryption of all system files in the home directory by changing their extension to.
bak9 is a new file extension that encrypts system files. “The security breach has particularly affected the e-hospital application, which was provided and managed by NIC since 2011-12, stopping the online functioning of OPD, emergency, and other patient care services on the AIIMS premises,” sources said. The institute’s computer facility has 52 physical servers: 37 at AIIMS, 15 at NIC, and 148 virtual servers.
According to sources, two obvious flaws were discovered behind the AIIMS cyber attack. According to sources, a large institution such as AIIMS should have had a “hierarchical digital structure,” as opposed to a “flat digital structure.””
As a result, if an attack occurs, it affects only one level of that hierarchy… Currently, there is only one backup server in a remote location. A hierarchical structure, according to sources, would have backup built-in redundancy for each level.
Second, “they only had a troubleshooting cell that lacked the expertise to prevent a cyber attack,” sources claim. The AIIMS has begun the process of establishing a dedicated cyber security cell, according to the report.
You will be unable to download from certain prohibited sites because they are the most common means of infecting your computers and computer network “According to reliable sources.
Majority of its servers, as well as the eHospital network of the National Informatics Centre, were unavailable (NIC). Manual management was required for all functions, including out-patient, in-patient, and emergency. This has been ongoing for over a week as a large number of servers throughout the institute have been sanitised and restored after the impacted servers were identified.
While the Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO) unit registered an extortion and cyber terrorism case on November 25, it denied that AIIMS had reported a demand for Rs 200 crores in cryptocurrency, as is typical of a ransomware attack. Understanding the motivation behind the attack and conducting a review of cyber security preparedness across organisations and systems become even more critical as a result.
Cyber attacks on medical institutions are becoming more common, and also the pandemic has served as a tipping point as hackers and criminal syndicates realised these institutions’ reliance on digital systems to manage medical functions optimally as well as store and also handle large volumes of patient data, including reports. This situation raises concerns about both security and privacy. As a result, the majority of countries classify the health and medical sectors as critical information infrastructure (CII).
While health is not specifically mentioned as a CI in India, an organisation like AIIMS New Delhi could be considered a “strategic and also public enterprise” because it treats millions of patients each year, including the country’s top leadership.
It also handles and stores highly confidential medical research data. Because the information available here is worth more than oil, it is an obvious target for cyber criminals and ransom seekers.
The relevant question is whether the system’s thousands of servers and devices were handled in accordance with the highest cyber security standards, as well as whether solutions and disaster recovery plans were in place. Also, did CERTIn-mandated cyber network audits reveal that everything was in order? Is AIIMS following a cyber hygiene ecosystem similar to the one it expects its patients to follow in the real world?
Typically, ransomware-seeking entities carry out such attacks to prevent networks from functioning after encrypting data, and organisations are sent demands, which are frequently negotiated and paid without informing law enforcement.
In this case, both AIIMS and NIC made the outage public on the first day. Since then, multiple agencies, including the Delhi Police, have been investigating and identifying the perpetrators, as well as recovering and restoring the networks.
The Delhi Police’s use of section 66 (F) of the recent Information Technology Amendment Act 2008 in classifying this incident as a case of cyber terrorism is significant, indicating a much broader scope than a typical ransomware case. Because cyber attacks on critical infrastructure have national security implications, it is critical not to overlook the fact that AIIMS servers held critical health data for several individuals at the helm of the country’s government, and the attack could have been motivated by something other than extortion
edited and proofread by nikita sharma
