The news of the All India Institute of Medical Sciences (AIIMS) servers being breached is making headlines across India. While the full extent of the data that was compromised and the actors who are behind it are still unknown, we do have some clues on what this attack entails for the healthcare segment in India and beyond.
Our threat research team has drawn the following inferences after studying the attack on AIIMS and its aftermath.
- Personal email IDs and passwords belonging to key AIIMS personnel were already exposed in previous breaches and were openly available on the Dark Web. Almost all the personal email addresses linked to key personnel mentioned on the AIIMS website appear in multiple breach databases. Some of the exposed passwords are tied to procurement websites, which indicates that these accounts were used for official procurement transactions. It is therefore possible that some of these passwords were reused for accessing official email accounts. Such compromised credentials could have given the attackers additional avenues to study network usage and to identify associated vulnerabilities and vulnerable applications to break into.
- Using the stolen credentials from data dumps, the attackers could have gained access to files and data stored in the cloud or on machines belonging to employees (including folders where crucial information, and sometimes even passwords, may have been saved by employees).
- Based on the above, it is possible that the attackers were shadowing the institute, including its 40 physical servers and 100 virtual servers, for some time, stealing data or accessing parts of its network well before the encryption event.
- The stolen data could potentially include health data belonging to VVIPs, which could give state-backed hackers and their sponsors access to important information on the health profile of key decision-makers.
- The hackers seem to be using the ransom as a façade to deceive investigators. It is possible that the hackers were after the health records of key people and are using the ransom as a pretext to hide their true motives.
- No sample data (stolen or exfiltrated) has been released since the breach. Ransomware operators often release sample data and use pressure-building tactics to increase leverage over the victim. We have not seen this happening so far.
- The ransom demand works out to about INR 200, or USD 2.45, per affected record, which is unusually low. Lazarus, which was behind the WannaCry attack in 2017, could potentially have netted USD 60,000,000 from that attack (at the rate of USD 300 per affected machine, based on the initial ransom demand).
- Data encryption could also help mask the tracks of the attackers, especially if they are an APT group seeking to prevent attribution.
- The healthcare sector in India relies heavily on legacy systems, and because these systems are no longer updated, they cannot support the installation of anti-malware measures. Such systems are sitting ducks when it comes to cyberattacks. In some instances they run key functions; in others they house patient or asset information.
- The accessed databases contain personally identifiable information (PII).
Disclaimer: these inferences are based on the data and information we have gathered from published sources on the surface and dark web as of December 5th. Some inferences are subject to change as new data becomes available. Since the breach is under investigation by CERT-In, the inferences drawn may change after the investigation report is made public.