
AIIMS cyberattack: Asking the right questions matters

Altszn.com by Altszn.com
January 10, 2023
in Dark Web


The digitisation of the All-India Institute of Medical Sciences (AIIMS) “represents a sustainable and replicable model for hundreds of India’s hospitals”, argued an AIIMS official when it completely digitised operations in 2016. But as the recent developments surrounding the AIIMS cyberattack have shown, the digitisation project has been anything but “sustainable” or “replicable”.

On November 23, 2022, the e-Hospital application used by AIIMS Delhi to manage appointments and consultations stopped working after the servers on which this application and its database were hosted became the target of a cyberattack. AIIMS shifted all its operations from digital to manual mode, resulting in confusion, long lines, and discomfort to patients. Even as the digital services were gradually restored in December, three sets of serious questions about the cyberattack remain unanswered. 

The first set of questions is about the modus operandi of the attack. Media reports mention that the targeted servers were infected with Wammacry, Mimikatz and Trojan. The term ‘Wammacry’ appears to have been misspelt, as the famous crypto-ransomware is called ‘Wannacry’. Wannacry unleashed havoc globally in 2017 in systems running on Microsoft Windows. Mimikatz is a post-exploitation tool that is used to steal credentials. The term ‘Trojan’ just indicates that Trojan malware was used. But there are many different types of Trojans out there and which one was used is not clear.

On December 16, Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology, informed the Rajya Sabha: “As per preliminary analysis, servers were compromised in the information technology network of AIIMS by unknown threat actors due to improper network segmentation, which caused operational disruption due to non-functionality of critical applications”. Chandrasekhar’s statement only throws light on one of the most glaring system-wide vulnerabilities in the AIIMS digital ecosystem: poor network segmentation. A day earlier, his senior minister Ashwini Vaishnaw had informed parliament that a hierarchical system is now being put in place in AIIMS.

However, neither statements by government functionaries nor media reports have clearly laid out the following details: Which exact vulnerabilities were exploited by the hackers? Have these vulnerabilities been patched? Were zero-day exploits used by the attackers or were known (but un-patched) vulnerabilities used? For how many days and months were the attackers inside the AIIMS systems before launching their attack?

The next set of questions is about potential actors and motives. Two Protonmail addresses belonging to the attackers have been mentioned in media reports: “dog2398” and “mouse63209”. Two IP addresses have been traced to Hong Kong and Henan province in China. But this limited information is not sufficient to make a reliable attribution. Attackers often route their attacks through different countries. And even if the attackers are based in China, it has to be seen whether they can be linked to the Chinese State or not. Therefore, in terms of attribution, months of careful technical analysis will be needed before anything can be claimed with a reasonable level of certainty.

In terms of motives, the story gets very interesting. The ransom amount has been reported variously to be Rs 4.2 crore and Rs 200 crore. Irrespective of which figure is accurate, it is very low for a ransomware attack of this magnitude. Was it really a ransomware attack? Or was the real motive to steal the sensitive health data of millions of Indians and sell it or use it for nefarious purposes, including demographic intelligence? Or was it to get their hands on the health data of certain VVIPs who get treated at AIIMS?

The final set of questions is about patient data. The government has maintained that everything is under control, that services are being restored, and that patient data is being repopulated into the system. But what about the patient data that was encrypted and potentially exfiltrated by the hackers? There is no word about what happened to the compromised data. Has it already made its way to the dark web? Or is it being analysed by a malicious State or non-State actor? Does the government’s obfuscation regarding the fate of the data indicate that it knows the amount of damage this data leak has caused and wants to suppress information from the general public?

While it may be too early to answer some of the questions posed above, it is only timely to raise and discuss them. Otherwise, the same questions will be asked when a cyberattack of an even bigger magnitude crashes or compromises the entire digital health infrastructure which the current government is ambitiously creating under the Ayushman Bharat Digital Mission.

(The writer is a PhD candidate at the National Institute of Advanced Studies, Bengaluru)



Read More: news.google.com

Tags: AIIMS, cyberattack, dark web, Darknet, in perspective, Matters, questions