JOIN USAIIMS cyberattack: Asking the right questions matters
The digitisation of the All-India Institute of Medical Sciences (AIIMS) “represents a sustainable and replicable model for hundreds of India’s hospitals”, argued an AIIMS official when it completely digitised operations in 2016. But as the recent developments surrounding the AIIMS cyberattack have shown, the digitisation project has been anything but “sustainable” or “replicable”.
On November 23, 2022, the e-Hospital application used by AIIMS Delhi to manage appointments and consultations stopped working after the servers on which this application and its database were hosted became the target of a cyberattack. AIIMS shifted all its operations from digital to manual mode, resulting in confusion, long lines, and discomfort to patients. Even as the digital services were gradually restored in December, three sets of serious questions about the cyberattack remain unanswered.
The first set of questions is about the modus operandi of the attack. Media reports mention that the targeted servers were infected with Wammacry, Mimikatz and Trojan. The term ‘Wammacry’ appears to have been misspelt, as the famous crypto-ransomware is called ‘Wannacry’. Wannacry unleashed havoc globally in 2017 in systems running on Microsoft Windows. Mimikatz is a post-exploitation tool that is used to steal credentials. The term ‘Trojan’ just indicates that Trojan malware was used. But there are many different types of Trojans out there and which one was used is not clear.
On December 16, Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology, informed the Rajya Sabha: “As per preliminary analysis, servers were compromised in the information technology network of AIIMS by unknown threat actors due to improper network segmentation, which caused operational disruption due to non-functionality of critical applications”. Chandrasekhar’s statement only throws light on one of the most glaring system-wide vulnerabilities in the AIIMS digital ecosystem: poor network segmentation. A day earlier, his senior minister Ashwani Vaishnav had informed parliament that a hierarchical system is now being put in place in AIIMS.
However, neither statements by government functionaries nor media reports have clearly laid out the following details: Which exact vulnerabilities were exploited by the hackers? Have these vulnerabilities been patched? Were zero-day exploits used by the attackers or were known (but un-patched) vulnerabilities used? For how many days and months were the attackers inside the AIIMS systems before launching their attack?
The next set of questions is about potential actors and motives. Two Protonmail addresses belonging to the attackers have been mentioned in media reports: “dog2398” and “mouse63209”. Two IP addresses have been traced to Hong Kong and Henan province in China. But this limited information is not sufficient to make a reliable attribution. Attackers often route their attacks through different countries. And even if the attackers are based in China, it has to be seen whether they can be linked to the Chinese State or not. Therefore, in terms of attribution, months of careful technical analysis will be needed before anything can be claimed with a reasonable level of certainty.
In terms of motives, the story gets very interesting. The ransom amount has been reported variously to be Rs 4.2 crore and Rs 200 crore. Irrespective of which figure is accurate, it is very low for a ransomware attack of this magnitude. Was it really a ransomware attack? Or was the real motive to steal the sensitive health data of millions of Indians and sell it or use it for nefarious purposes, including demographic intelligence? Or was it to get hands on the health data of certain VVIPs who get treated at AIIMS?
The final set of questions is about patient data. The government has maintained that everything is under control, that services are being restored, and that patient data is being repopulated into the system. But what about the patient data that was encrypted and potentially exfiltrated by the hackers? There is no word about what happened to the compromised data. Has it already made its way to the dark web? Or is it being analysed by a malicious State or non-State actor? Does the government’s obfuscation regarding the fate of the data indicate that it knows the amount of damage this data leak has caused and wants to suppress information from the general public?
While it may be too early to answer some of the questions posed above, it is only timely to raise and discuss them. Otherwise, the same questions will be asked when a cyberattack of an even bigger magnitude crashes or compromises the entire digital health infrastructure which the current government is ambitiously creating under the Ayushman Bharat Digital Mission.
(The writer is a PhD candidate at the National Institute of Advanced Studies, Bengaluru)