5 AIIMS Servers Hacked, 1.3 TB Data Encrypted in Recent Cyberattack, Govt Tells RS

Media reports citing investigators had earlier revealed that records of nearly 3-4 crore patients, including high-profile politicians, were compromised.

New Delhi: The Union government on Thursday, December 16, informed the Rajya Sabha that five servers of the All India Institute of Medical Sciences (AIIMS) were affected by the recent cyberattack and an estimated 1.3 terabytes of data was encrypted.

The government was responding to a question by Communist Party of India (Marxist) MP John Brittas. He had asked the government if AIIMS servers had been hacked by ransomware, the quantum of data that was compromised, and the steps taken to prevent such incidents.

In response to his question, the minister of electronics and information technology, Rajeev Chandrasekhar, said in a written reply in the Upper House that there was a “cyber security incident” at AIIMS, which manages its own information and computer systems.

He added that the Indian Computer Emergency Response Team (CERT-In) evaluated the incident. “As per preliminary analysis, servers were compromised in the information technology network of AIIMS by unknown threat actors due to improper network segmentation, which caused operational disruption due to non-functionality of critical applications,” he said.

He added that “CERT-In and other stakeholder entities have advised necessary remedial measures.”

On the quantum of data that was impacted, the minister said “five servers of AIIMS were affected and approximately 1.3 terabytes of data was encrypted.”

In the Lok Sabha, responding to questions from several MPs, the minister of state for health and family welfare Bharati Pravin Pawar said that no specific amount of ransom was demanded by the hackers “though a message was discovered on the server suggesting that it was a cyberattack”.

“All the data for e-Hospital has been retrieved from a backup server which was unaffected and restored on new servers. Most of the functions of e-Hospital application like patient registration, appointment, admission, discharge etc. have been restored after two weeks of the cyber-attack,” she said.

‘CERT-In has counter plan for attacks’

Chandrasekhar told the Rajya Sabha that a Cyber Crisis Management Plan for countering cyberattacks and cyberterrorism had been formulated by CERT-In for implementation by all ministries and departments of the Union and state governments and their organisations and critical sectors.

He added that CERT-In has been mandated to track and monitor cyber security incidents and a “special advisory on security practices to enhance resilience of health sector entities has been communicated by CERT-In to the Ministry of Health and Family Welfare, for sensitising health sector entities regarding latest cybersecurity threats.”

He said the ministry has been requested to disseminate the advisory among all authorised medical care entities/service providers in the country. “It has also been suggested that they may carry out special audit through CERT-In-empanelled auditors on a priority basis, comply with the findings of such audit and ensure implementation of security best practices,” he added.

In his written reply, the minister said CERT-In has been issuing alerts and advisories regarding the latest cyber threats/vulnerabilities and countermeasures to protect computers and networks, on an ongoing basis. The reply also noted that the team published the “India Ransomware Report H1 – 2022” in August 2022, covering the latest tactics and techniques of ransomware attackers and ransomware-specific incident response and mitigation measures.

Earlier, investigations into the cyberattack, which had crippled the functioning of the premier health institution in New Delhi, had revealed that “the IP addresses of two emails, which were identified from the headers of files that were encrypted by the hackers, originated from Hong Kong and China’s Henan province”.

A recent news report stated that the cyberattack is feared to have compromised the records of nearly 3-4 crore patients, including high-profile political personalities. The investigations by CERT-In, it said, revealed that the hackers had two Protonmail addresses – “dog2398” and “mouse63209”. The encrypted files were sent to these two Protonmail IDs through CERT-In and Interpol.

The report said these two addresses, ‘dog2398’ and ‘mouse63209’, were generated in the first week of November in Hong Kong. Another encrypted file was sent from Henan in China.

Investigations also revealed that the targeted servers were infected with three ransomware: Wammacry, Mimikatz and Trojan. “CERT-In and DRDO (CIRA) found five servers of NIC infected with ransomware and seven servers of the computer facility in AIIMS infected with these three ransomware,” the IE report quoted sources as saying.