The curious case of the cyber-attack on AIIMS by unknown hackers has links to one of India’s neighbouring countries, as agencies have traced an IP address originating from there, though officials say the attribution may be misleading.
Sources said there were several lapses that facilitated the hackers’ easy entry into the AIIMS system. A senior-level officer supervising the matter told News18 that the ransomware is suspected to have entered when a link sent via a website was clicked a few months ago. Investigators have also not ruled out the role of insiders.
“It is suspected that the ransomware landed in the system a few months ago and collected the data. Later, the hackers ran code to encrypt the main interface and a back-up server too. These servers had data of all the patients that AIIMS collects for various purposes. It is also suspected that the hackers entered through a link which was sent on a gaming or similar site and someone from the staff clicked on it,” a senior official told News18.
According to sources, the hackers encrypted the servers and demanded a ransom to decrypt them. Delhi Police and AIIMS have not denied the development, and the premier hospital has, from day one, been terming it ‘ransomware’.
“Data restoration and server cleaning is in progress and is taking some time due to the volume of data and a large number of servers for the hospital. Measures are being taken for cyber security. All hospital services, including outpatient, in-patient, laboratories, etc. continue to run in manual mode,” AIIMS had said. On Tuesday, AIIMS said the hospital data had been restored on servers and the network was being sanitised.
The officials said the reason experts took time was that the hackers had infected not only the main servers but also the systems of other AIIMS centres in Delhi.
When asked how the hackers got in, an official said: “It was like entering an open field. Anyone can enter from anywhere (any system). The hackers entered from the primary servers and further moved into back-up servers and encrypted them so that no one except them could access the data. This is why services were closed as all those servers contained data.”
The official also said the primary IP address traced by the Indian agency belongs to a neighbouring country, but that this may be an attempt to fool the agencies.
“The IP address traced by Indian agencies was bounced through a Virtual Private Network (VPN). It seems that a secure VPN was used and bounced to change the IP addresses so that agencies couldn’t reach the actual server immediately,” the official told News18.
Multi-agency probe
According to sources, apart from Delhi Police, officials of the Home Ministry, the External Affairs Ministry and the Ministry of Electronics and Information Technology have already been roped in. The National Investigation Agency (NIA), the Central Bureau of Investigation (CBI) and the Intelligence Bureau have also been brought in to probe the cyber-attack on India’s premier medical institute.
A meeting will also be called to discuss the incident, in which all investigative and intelligence agencies will participate. Sources added that other institutions have similar lapses and have been asked to take action to prevent such attacks.