Hackers’ IP address in AIIMS ransomware attack belongs to a neighbor country

The strange case of the cyber attack on AIIMS by unknown hackers has been linked to a neighboring country of India, as agencies have found an IP address from there, though officials caution it could be misleading because the traffic was bounced through a VPN.

Sources said there were several loopholes through which the hackers easily entered the AIIMS system. A senior-level official monitoring the case said it is suspected that the ransomware entered the system when a link sent on a website was clicked a few months back. Investigators have also not ruled out the role of insiders.

“It is suspected that the ransomware landed in the system a few months back and collected the data. Later, the hackers ran code to encrypt the main interface and back-up servers as well. These servers contained all the patient data that AIIMS collects for various purposes. It is also suspected that the hackers entered through a link that was sent to a gaming or similar site and was clicked by one of the employees,” a senior official told News18.

According to sources, the hackers encrypted the servers and demanded a ransom to decrypt them. Delhi Police and AIIMS have not denied the development, and since day one the premier hospital has been terming it ‘ransomware’.

“Data restoration and server cleaning is underway and is taking some time due to the volume of data and the large number of servers for the hospital. Measures are being taken for cyber security.” AIIMS had said that all hospital services, including outpatient, in-patient and laboratory services, would continue to run in manual mode. On Tuesday, AIIMS said that the hospital’s data has been restored on the servers and the network is being cleaned.

Officials said the reason the experts took time was that the hackers had infected not only the main server but also the systems of other AIIMS centers in Delhi.

Asked how the hackers got in, an official said: “It was like entering an open field. Anyone can enter (any system) from anywhere. The hackers entered from the primary server and so on. They went into the back-up servers and encrypted them so that no one except them could access the data. That’s why the services were shut down because all those servers had data.”

The official also said that the primary IP address traced by the Indian agency is from a neighboring country, but that it could be a decoy meant to fool the agencies.

“The IP addresses accessed by Indian agencies are bounced by Virtual Private Networks (VPNs). It appears that a secure VPN was used and bounced to change the IP address so that the agencies could not access the real server immediately.”

According to sources, apart from the Delhi Police, officials from the Ministry of Home Affairs, the Ministry of External Affairs and the Ministry of Electronics and Information Technology have already been roped in. The National Investigation Agency (NIA), the Central Bureau of Investigation (CBI) and the Intelligence Bureau have also been appointed to investigate the cyber attack on India’s premier medical institution.

A meeting called by the Ministry of Home Affairs on Tuesday evening to discuss the incident was attended by all the investigative and intelligence agencies. Sources said other institutions have similar lapses and have been asked to take action to prevent such attacks.