Ransomware attack: Report flags host of security lapses at AIIMS | Latest News Delhi - Hindustan Times

Dec 07, 2022 05:02 AM IST

A preliminary fact-finding report into the cyberattack that has crippled services at the All India Institute of Medical Sciences (AIIMS) in Delhi found a host of cybersecurity lapses, people who reviewed the assessment told HT, adding that the administration has been told of how these problems led to hackers causing havoc through the network.

AIIMS-Delhi. (HT File Photo)

AIIMS, widely regarded as India’s foremost government hospital, was hit by a ransomware attack on November 23, when staff was first unable to access the mainstay hospital management tool, eHospital. Between then and Monday night, the hospital shifted its processes offline, with the first resumptions in any digital processing happening only on Tuesday with a small number of registrations for one of the departments.

The report, according to one of the officials who saw it, found that the firewall deployed to protect the AIIMS network was not configured properly and there were no safeguards at various intermediary points, which are called switches. “In the network, most of the switches were unmanaged,” the person quoted the report as concluding.

An unmanaged switch simply forwards traffic and offers no security controls, whereas a managed switch supports VLAN segmentation, port security and access control lists that could have contained the spread of the ransomware between network segments. Similarly, firewall policies define which traffic is allowed or blocked between zones; properly configured, they could have restricted the attacker’s ability to move through the network.

“The hospital administration was informed that its cyber security was not ‘up-to-the-mark’, which made it easy for hackers to corrupt the servers and also breach backup data,” a senior official from AIIMS, who did not want to be named, said.

The report also mentions several other findings. For instance, the last successful login into eHospital was at 49 seconds past 7.07am, suggesting this was when the last of the servers were infected.

The same day, AIIMS authorities filed a complaint regarding the cyberattack at the cyber police station of south district. A first information report (FIR) under sections 66 (computer related offence) and 66F (punishment for cyber terrorism) of the Information Technology (IT) Act and the Indian Penal Code’s section 385 (extortion) was registered. The case was transferred to the Intelligence Fusion and Strategic Operations (IFSO), the specialised unit of the Delhi Police to deal with cybercrime.

There were also clues that data was sent to an IP address located in Hong Kong, the report found. To be sure, attackers often route their connections through virtual private networks (VPNs) or proxies in several locations to hide their real location, so the address on its own does not establish where they were operating from.

Experts from India’s Computer Emergency Response Team (Cert-IN) examined the affected servers on November 24 and found that four servers – two application servers, one database server and one backup server – were infected, leading to multiple databases being encrypted, said an officer associated with the probe, who asked not to be named.

A police officer associated with the case said that all infected servers were disconnected by the National Informatics Centre (NIC) team, which manages the eHospital system, to avoid contamination to other servers. “All files and data in the infected servers displayed a message which included – ‘free decryption as a guarantee. You can send us up to 3 free decrypted files before payment’,” the officer said.

The officer confirmed that the hackers sought a “payment” to unlock the affected files but did not specify the extortion amount.

On Tuesday, HT reported, after contacting the hackers, that the demand was for 30 bitcoin (roughly ₹4.2 crore) and that the deadline for negotiations was Monday. The email address from which the hackers communicated with HT was one of the two addresses contained in the malware, which one of the officials cited above confirmed to be mouse62309@protonmail.com. The other was dogA2839@protonmail.com.

“The two email addresses in question have been flagged to ProtonMail through Cert-IN and the Interpol, the nodal agency of which in India is the CBI, for seeking details of the user or users. The logs of the firewalls were also collected for analysis. The imaging of all infected systems and their hashing were done through experts of Delhi’s Forensic Science Laboratory (FSL) to maintain the evidential integrity and chain of custody. The seized image copies of the infected servers, RAM dumps, and logs were deposited at the NFSU, Gujarat on November 28 for analysis and expert opinion,” added a second officer, who asked not to be named.

The computers infected, in which all files were locked by encrypting them into .bak9 extension files, were all running an operating system based on Linux, but the infection itself began from a Windows-based terminal which was unscathed, the analysis also found.
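The indicators the report describes (files renamed to a .bak9 extension, a ransom message containing the phrase “free decryption as a guarantee”, and contact addresses at protonmail.com) are the kind of artefacts a responder sweeps a file server for before deciding which hosts to image. The following script is an added example, not code from the report, from Cert-IN or from NIC; it builds a small constructed directory tree containing those indicators, then scans it and reports encrypted files, ransom notes and the contact addresses found in them. The file names and note wording in the sample tree are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Indicators reported on the page: encrypted files carry a .bak9 extension,
# the ransom message contains the phrase "free decryption as a guarantee",
# and the malware embedded contact addresses at protonmail.com.
ENCRYPTED_EXT = ".bak9"
NOTE_PHRASE = "free decryption as a guarantee"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@protonmail\.com")
MAX_READ = 64 * 1024  # only inspect the head of each file for the note text


def scan_tree(root):
    """Walk a directory tree and collect ransomware indicators.

    Returns a dict with sorted lists of encrypted file paths, ransom-note
    paths and the contact addresses found inside the notes.
    """
    root = Path(root)
    encrypted, notes, contacts = [], [], set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ENCRYPTED_EXT:
            encrypted.append(rel)
            continue  # ciphertext; no point reading it for note text
        try:
            with path.open("rb") as fh:
                head = fh.read(MAX_READ).decode("utf-8", errors="ignore")
        except OSError:
            continue
        if NOTE_PHRASE in head.lower():
            notes.append(rel)
            contacts.update(EMAIL_RE.findall(head))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "contacts": sorted(contacts),
    }


def build_sample_tree(infected=True):
    """Create a constructed sample tree (not data from the incident).

    With infected=False the tree contains only ordinary files, which lets the
    caller confirm the scanner reports nothing on a clean host.
    """
    root = Path(tempfile.mkdtemp(prefix="ehospital-sample-"))
    (root / "app").mkdir()
    (root / "db").mkdir()
    (root / "app" / "startup.log").write_text("service started\n")
    if infected:
        # Hypothetical file names; the .bak9 extension is the one reported.
        (root / "app" / "config.xml.bak9").write_bytes(b"\x8f\x12encrypted")
        (root / "db" / "patients.sql.bak9").write_bytes(b"\x00\xffencrypted")
        # Constructed note using the wording and addresses quoted on the page.
        (root / "README_DECRYPT.txt").write_text(
            "Free decryption as a guarantee. You can send us up to 3 free "
            "decrypted files before payment.\n"
            "Contact: mouse62309@protonmail.com or dogA2839@protonmail.com\n"
        )
    else:
        (root / "db" / "patients.sql").write_text("-- schema only\n")
    return root


if __name__ == "__main__":
    for name, tree in (("infected", build_sample_tree(True)),
                       ("clean", build_sample_tree(False))):
        print(name, scan_tree(tree))
```

Run on a real host the scan should target the mounted data volumes of the servers named in the report (application, database and backup), and the output should be recorded alongside the disk images and hashes rather than acted on in place, so the files the forensic lab receives are unchanged.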

Experts said that the targeting of AIIMS should not come as a surprise. “Interpol had been constantly issuing warnings that India would face cyberattacks on their important installations. The important point of debate is not that AIIMS faced the cyberattack, because even the most secured organisations can also be hacked. What is concerning is that AIIMS’ servers were not secured enough or prepared for thwarting such cyberattacks,” said Amit Dubey, a cybersecurity expert who has worked on cyber forensics with law enforcement agencies.

“Whatever the AIIMS and NIC authorities say, their IT-related loopholes have been exposed. It’s better they prepare themselves in three fields – technology, process and people. AIIMS needs to install the best cyber security system, anti-ransomware system, fix their back-up system, and conduct the process for regular audit,” Amit Dubey added.
