
Cyber-Attack on AIIMS Targeting India's Critical Infrastructure

  • Writer: Mohnish Singh
  • Oct 6, 2024
  • 3 min read

The cyber-attack on the All India Institute of Medical Sciences (AIIMS) in November 2022 marked a significant incident in India's cybersecurity landscape, particularly affecting the healthcare sector. This attack not only disrupted vital health services but also raised serious concerns about data security and national security.


Overview of the Cyber-Attack

On November 23, 2022, AIIMS Delhi experienced a severe ransomware attack that crippled its digital operations for over two weeks. The attackers encrypted approximately 1.3 terabytes of sensitive data, including medical records of around 40 million patients, which included high-profile individuals such as ministers and judges. The attack led to the suspension of online services, forcing staff to revert to manual operations during this period.





AIIMS was targeted again on June 6, 2023, approximately six months after the significant ransomware attack in November 2022. This subsequent incident involved a malware attack, which was detected and successfully thwarted within a day due to enhanced cybersecurity measures implemented after the previous breach.


Key Details of the June 2023 Attack

The malware attack was identified by AIIMS's cybersecurity team at around 2:50 PM. Thanks to an advanced firewall security system that had been put in place following the earlier attack, the malware was neutralized quickly. The new firewall rules were instrumental in preventing unauthorized access and stopping the spread of any potential virus.


Impact on Operations: Although the malware was contained swiftly, it did result in a temporary server downtime of about four hours. During this period, doctors were unable to access patient reports, highlighting the ongoing challenges posed by cyber threats even with improved defences.


Structural Changes: Following the November incident, AIIMS made significant structural changes to its cybersecurity protocols. The cyber cell is now under the control of the Defence Research and Development Organisation (DRDO), and collaboration with agencies like CERT-IN has been strengthened to enhance overall security measures.


This second incident underscores the persistent threat of cyber-attacks on healthcare institutions and emphasizes the importance of robust cybersecurity frameworks to protect sensitive data and maintain operational integrity.



Figure: Attack life cycle (chain of events)


Who Was Behind the Attack?


Investigations suggested that the attack might have originated from China, although the Indian government has been cautious in confirming these claims. The nature of the attack was described as sophisticated and indicative of a well-planned conspiracy by significant threat actors, raising alarms about the potential involvement of state-sponsored groups. Despite these allegations, official confirmations regarding the attackers' identities remain ambiguous.


The attackers hid their identities behind the accounts "dog2398" and "mouse63209", which are linked to China and Hong Kong.

They used well-known ransomware and tools such as WannaCry and Mimikatz, along with Trojans.





Impact of the Attack


The ramifications of the AIIMS cyber-attack were profound:


  1. Healthcare Service Disruption: The attack severely impacted patient care, leading to delays and cancellations of surgeries and appointments. This disruption posed risks to patient health and safety due to interrupted treatment processes.


  2. Data Breach Concerns: With sensitive patient data compromised, there are fears that this information could be sold on dark web marketplaces, further endangering patient privacy and confidentiality.


  3. National Security Implications: Given the sensitive nature of the data involved, including information on high-profile individuals, the attack raised alarms about national security and the potential for such breaches to be exploited by hostile entities.


  4. Policy Repercussions: In response to this incident, India’s government initiated discussions on creating a National Cybersecurity Response Framework (NCRF) aimed at protecting critical infrastructure sectors like healthcare from future attacks[6]. This framework is expected to establish better protocols for incident response and data protection.



Conclusion


The AIIMS cyber-attack serves as a critical reminder of the vulnerabilities inherent in digital transformations within essential services like healthcare. It underscores the urgent need for improved cybersecurity measures, comprehensive training for personnel, and a robust national framework to safeguard sensitive data against increasingly sophisticated cyber threats. As healthcare organizations continue to digitize their operations, prioritizing cybersecurity will be essential in maintaining patient trust and ensuring uninterrupted service delivery.


From a cyber-security perspective, it is clear that infrastructure must be revamped, with significant budgetary allocation towards improving security measures for critical infrastructure systems and towards maximizing the capacity of bodies such as CERT-In. India would benefit from a central cyber command comprising CERT-In and the National Critical Information Infrastructure Protection Centre (NCIIPC), supported by platforms such as the National Resilience Centre for Cyber, the Centralised Malware Analysis Platform and the Centralised Dark Web Monitoring Platform. Next, to limit the damage should such an attack take place again, India can adopt a 3-2-1 approach in which 3 copies of data are kept at all times, 2 online and 1 offline, so that the functioning of the system does not come to a standstill. Lastly, awareness of better cyber-security protocols must be raised and crisis-management drills undertaken so that staff understand the sophisticated nature of current threats and attacks.
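One way to make the 3-2-1 rule above verifiable rather than aspirational is a scheduled check that counts the copies and, just as importantly, confirms that each copy still matches a known-good content hash, so a copy that ransomware has silently overwritten is caught before a restore depends on it. The following Python script is an added example written for this article; it is not code from AIIMS, CERT-In or the author. The copy names, the embedded sample bytes and the 24-hour freshness limit are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str         # hypothetical label for the copy (e.g. "dc-san-snapshot")
    online: bool      # True: reachable over the network; False: offline/air-gapped media
    content: bytes    # the copy's bytes; a real check would read these from the medium
    age_hours: float  # hours since the copy was last refreshed


def sha256_hex(data: bytes) -> str:
    """Content hash used to compare each copy against the known-good reference."""
    return hashlib.sha256(data).hexdigest()


def check_321(copies, reference_hash, max_age_hours=24.0):
    """Evaluate the 3-2-1 rule as stated in the post (3 copies, 2 online, 1 offline)
    plus two integrity checks a restore depends on: every copy must hash to the
    reference value, and no copy may be older than max_age_hours.

    Returns {"ok": bool, "findings": [str, ...]}; "ok" is True only with no findings."""
    findings = []
    online = [c for c in copies if c.online]
    offline = [c for c in copies if not c.online]

    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies present, rule requires 3")
    if len(online) < 2:
        findings.append(f"only {len(online)} online copies, rule requires 2")
    if not offline:
        findings.append("no offline copy: network-borne ransomware could reach every copy")

    for c in copies:
        if sha256_hex(c.content) != reference_hash:
            # Bytes that changed without a refresh point to encryption or tampering;
            # such a copy must not be trusted for recovery.
            findings.append(f"{c.name}: content hash differs from reference")
        if c.age_hours > max_age_hours:
            findings.append(
                f"{c.name}: last refreshed {c.age_hours:.0f}h ago, limit {max_age_hours:.0f}h"
            )

    return {"ok": not findings, "findings": findings}


# Constructed sample data (not from the post): a small stand-in for a records export.
GOOD_BYTES = b"patient-records-export-2024-10-06\n"
REFERENCE_HASH = sha256_hex(GOOD_BYTES)

HEALTHY_SET = [
    BackupCopy("primary-san", online=True, content=GOOD_BYTES, age_hours=1.0),
    BackupCopy("dr-site-replica", online=True, content=GOOD_BYTES, age_hours=2.0),
    BackupCopy("offline-tape", online=False, content=GOOD_BYTES, age_hours=20.0),
]

# The same inventory after an incident: the replica has been overwritten with
# unreadable bytes and the offline tape has not been rotated for three days.
COMPROMISED_SET = [
    BackupCopy("primary-san", online=True, content=GOOD_BYTES, age_hours=1.0),
    BackupCopy("dr-site-replica", online=True, content=b"\x9f\x11encrypted\x00garbage", age_hours=2.0),
    BackupCopy("offline-tape", online=False, content=GOOD_BYTES, age_hours=72.0),
]

if __name__ == "__main__":
    for label, inventory in (("healthy", HEALTHY_SET), ("compromised", COMPROMISED_SET)):
        result = check_321(inventory, REFERENCE_HASH)
        print(label, "OK" if result["ok"] else "FAIL")
        for finding in result["findings"]:
            print("  -", finding)
```

In production the reference hash would come from a manifest written at backup time and stored where the backup job cannot modify it, and the check would run from a host that has read-only access to each copy; the point is that counting copies alone says nothing about whether any of them can actually be restored.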




