In the latest edition of our threat landscape report, Sectrio’s threat researchers conducted a comprehensive analysis of the Indian cyber threat landscape: the actors, tactics, malware, and enablers. The report also highlighted the alarming levels of sophistication and maturity demonstrated by state-backed hackers targeting Indian critical infrastructure, businesses, and financial services infrastructure. Its findings paint a realistic picture of how fast things are changing in cyberspace vis-à-vis threats, breach tactics, and targets.
In this piece, we look at how and why some institutions in India are being repeatedly stalked and targeted in cyberspace. We recommend reading this article in conjunction with the threat report to gain a complete understanding of the data presented here and its context.
According to the data trail left by hackers, Indian cyberspace has been extensively targeted since 2011. In that year, a couple of significant events were recorded here that were unprecedented in magnitude and portended the scale of events to come. Since 2011, threat actors have expanded their presence in the country while scaling up their operations to cover more sectors and more profiles of persons of interest. In addition to critical infrastructure, the procurement and production cycles of many vendors connected with defense supply chains, high-end manufacturing, and government agencies are also being targeted.
The AIIMS attack is certainly not an isolated one.
Here are a few significant cyber incidents that occurred in the last few years.
- In March 2020, hackers went after several financial services targets. The primary actor involved was the Lazarus Group from North Korea. The hackers ran several scans over 37 days. To this day, Lazarus continues to keep an eye on several Indian entities in cyberspace.
- In 2021, during the Covid-19 pandemic, hackers connected to APT 41 from China targeted a large pharma company. They tried to shut down several production units and slow down the manufacture of critical vaccines. For some reason, the plants chosen for the attack were not connected with vaccine manufacturing (this could have been a mistake on the hackers’ end). The attack nevertheless forced the plant to slow down operations for almost 77 hours.
- Between 2021 and 2022, hackers ran several phishing campaigns with Covid-themed messages targeting key government ministries and the judiciary. Samples of these emails intercepted by us were published in Sectrio’s threat report for last year.
- In 2021, a large start-up was targeted, and hackers succeeded in exfiltrating terabytes of data, including due diligence findings, internal valuation discussion notes (involving a very large conglomerate that went on to acquire the start-up in the same month), and customer information down to addresses and phone numbers, updated up to 2019. This data then made its way into the portfolios of several data brokers and is now being sold openly.
- At another level, scammers linked to Chinese firms located in Guangzhou, China are targeting people via online scams as well. While these scammers are not state-backed, they still represent a segment that could be co-opted into the Chinese conveyor belt that Sectrio exposed earlier this year. Such a move could complicate things at many levels. For instance, victims’ phones could be used as part of a bot farm to target other countries or to run mega-scale phishing and DDoS campaigns globally.
- Critical infrastructure attacks in India can be categorized into three types: scanning, disruption, and long-term persistence. Every single day, Sectrio’s adaptive honeypot logs almost 7 TB of reconnaissance scan data across India. These scans are conducted through programs governed by some level of AI intervention. Unfortunately, many businesses pay no attention to initial reconnaissance because it does not result in any form of disruption. Hackers, however, use the data gathered during scans to target those very entities from which they have already exfiltrated data and create an actual cyber incident. This is usually the second step. The third step involves long-term surveillance, which is what we witnessed in the case of AIIMS recently.
- We presented a detailed analysis of the first set of attacks on AIIMS back in December. So what has changed since then?
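The three-stage pattern described above (reconnaissance scans, a follow-up intrusion that uses what the scans found, and long-term persistence) can be made visible in a defender's own firewall or honeypot connection logs. The script below is an added example, not Sectrio's honeypot code or data: it runs over a handful of constructed log lines in an assumed one-line-per-connection format, flags a source that touches many distinct ports within a short window as a scanner, then flags later connections from that source to a port it scanned, and marks any such session that dwells for a day or more as a persistence candidate. The log format, the thresholds, and the IP addresses are all assumptions chosen for illustration.

```python
"""Stage a source's activity as scan -> follow-up -> persistence from connection logs.

Added example with an assumed log format: "timestamp src dst:port action duration_s".
The sample lines, addresses and thresholds are constructed, not captured traffic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2023-06-01T10:00:00 198.51.100.7 10.0.0.5:22 SYN 0
2023-06-01T10:00:01 198.51.100.7 10.0.0.5:23 SYN 0
2023-06-01T10:00:01 198.51.100.7 10.0.0.5:80 SYN 0
2023-06-01T10:00:02 198.51.100.7 10.0.0.5:443 SYN 0
2023-06-01T10:00:02 198.51.100.7 10.0.0.5:3389 SYN 0
2023-06-01T10:00:03 198.51.100.7 10.0.0.5:502 SYN 0
2023-06-01T10:00:03 198.51.100.7 10.0.0.5:8080 SYN 0
2023-06-01T10:00:04 198.51.100.7 10.0.0.5:1433 SYN 0
2023-06-01T10:00:04 198.51.100.7 10.0.0.5:445 SYN 0
2023-06-01T10:00:05 198.51.100.7 10.0.0.5:5900 SYN 0
2023-06-01T10:00:05 198.51.100.7 10.0.0.5:3306 SYN 0
2023-06-01T10:00:06 198.51.100.7 10.0.0.5:8443 SYN 0
2023-06-01T12:30:00 198.51.100.7 10.0.0.5:3389 CONNECT 45
2023-06-02T02:00:00 198.51.100.7 10.0.0.5:3389 CONNECT 93600
2023-06-01T10:05:00 203.0.113.9 10.0.0.5:443 CONNECT 12
"""


def parse_log(text):
    """Parse the assumed log format into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, action, duration = line.split()
        _host, port = dst.rsplit(":", 1)
        events.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "port": int(port),
            "action": action,
            "duration": timedelta(seconds=int(duration)),
        })
    return events


def classify(events, scan_ports=10, scan_window=timedelta(seconds=60),
             persist_after=timedelta(hours=24)):
    """Return, per source, the scan detection time, scanned ports, follow-ups and persistence.

    A source is a scanner once it touches `scan_ports` distinct ports inside any
    `scan_window`-long sliding window (assumed thresholds).  Any later CONNECT from that
    source to a port it scanned is a follow-up; a follow-up session lasting at least
    `persist_after` is reported as a persistence candidate.
    """
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        window = deque()          # events inside the current sliding window
        scanned_ports = set()
        scan_detected_at = None
        followups, persistence = [], []
        for event in evs:
            window.append(event)
            while window and event["time"] - window[0]["time"] > scan_window:
                window.popleft()
            ports_in_window = {w["port"] for w in window}
            if len(ports_in_window) >= scan_ports:
                scan_detected_at = scan_detected_at or event["time"]
                scanned_ports |= ports_in_window
            # Stage 2/3: a real connection to a port learned during the scan.
            if (scan_detected_at is not None and event["action"] == "CONNECT"
                    and event["port"] in scanned_ports and event["time"] > scan_detected_at):
                key = (event["time"].isoformat(), event["port"])
                followups.append(key)
                if event["duration"] >= persist_after:
                    persistence.append(key)
        report[src] = {
            "scan": scan_detected_at is not None,
            "scan_detected_at": scan_detected_at.isoformat() if scan_detected_at else None,
            "scanned_ports": sorted(scanned_ports),
            "followups": followups,
            "persistence": persistence,
        }
    return report


if __name__ == "__main__":
    for src, summary in classify(parse_log(SAMPLE_LOG)).items():
        print(src, summary)
```

On the constructed input, 198.51.100.7 crosses the scan threshold at the tenth distinct port, its two later RDP-port connections are reported as follow-ups, and the 26-hour session is the persistence candidate, while 203.0.113.9, with a single connection, is not flagged at all. A production version would correlate beaconing across days and enrich with threat intelligence, but even this minimal staging shows that the reconnaissance phase the text says is usually ignored is the easiest of the three to see in logs.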
What really happened at AIIMS?
As per media reports on the incident, a cyber breach has been ruled out and the incident involved “someone trying to access E-hospital, an internal application” belonging to the premier healthcare institute. It is also said that the application is not accessible from the Internet. Subsequent reports, however, claimed that there was an incident involving a weakened server.
The questions that arise are:
- In this report, it is said that the firewall in front of the weakened server was the one that detected and prevented this cyberattack. How did the malware reach this far, assuming that the weakened server is usually located deep within the network?
- What was the sequence of events before the firewall blocked the suspicious traffic?
- If there was an intrusion detection system, why didn’t it detect the malware?
- As per earlier reports, the breach was linked to an unauthorized attempt being made to access a portal connected with E-hospital. If the portal was being accessed by someone within the network of the hospital (since the application is not accessible from outside), what went wrong and how did this specific event trigger an alert? If it is just a case of forgotten login credentials, how was this tagged as an incident?
- How does this malware relate to the unauthorized intrusion attempt mentioned earlier? Was the malware trying to gain access to data connected with E-hospital?
- If so, can we consider the ‘someone’ mentioned in some of the reports as the orchestrator of this malware attack, or was that person trying to gain access to E-hospital through brute force or some other means independent of the malware?
- If so, then what is the origin of the malware and what was the hacker trying to achieve by using it?
- The E-hospital portal is accessible from outside. Here is the link: https://ehospital.gov.in/ehospitalsso/
When one puts together the information available publicly, a clearer picture of the attack emerges.
At a primary level, the latest cyberattack on AIIMS is designed to send a message: “The hackers can strike at will, even at targets that have been breached before and have since been hardened.” This attack also seems to have been carried out using data exfiltrated during the last attack, which has since possibly been shared with other state-backed threat actors within China. Actors like APT 41 are acting to gain and retain access to critical systems and data that can be used to target institutions and key decision-makers in times of peace or during a geopolitical event. The latest attack could have been an attempt to gain access to updated records, to delete some information residing on the weakened server, or to exfiltrate data of interest residing on this server. The writing is clearly on the wall. The second attack represents continued threat actor and adversarial state interest in key Indian institutions.