Five servers in the information technology network of All India Institute of Medical Sciences (AIIMS) were compromised by unknown threat actors “due to improper network segmentation”, minister of state for electronics and technology Rajeev Chandrasekhar told the Lok Sabha, citing a preliminary analysis.
Chandrasekhar, who was responding to an unstarred question by a large number of MPs on Wednesday, said the attack caused “operational disruption due to non-functionality of critical applications”.
AIIMS, widely regarded as India’s foremost government hospital, was hit by a ransomware attack on November 23, when staff were first unable to access the mainstay hospital management tool, eHospital. Subsequently, the hospital shifted its processes offline, and gradually started restoring its online services in a phased manner starting December 6.
The hackers, in an email to a news agency, said they wanted 30 bitcoins, or roughly ₹4.2 crore, in ransom to allow AIIMS to unlock the data, but officials said the authorities were not in favour of negotiating with cyber criminals.
The minister said AIIMS filed a first information report (FIR) under section 385 of the Indian Penal Code (extortion) and sections 66 and 66F (cyber terrorism) of the Information Technology Act, 2000, with the Special Cell of Delhi Police. The affected physical servers were seized by the Special Cell for investigation.
Chandrasekhar told the Lok Sabha that the Computer Emergency Response Team (CERT-In) communicated a special advisory on security practices to health sector entities, to enhance their resilience and sensitise them to the latest cyber security threats.
It has also been suggested that they may carry out a special audit through CERT-In-empanelled auditors on a priority basis, comply with the findings of such an audit and ensure implementation of security best practices.
“Ransomware incidents have grown over time with attacks across multiple sectors, including commercial and critical infrastructure. Threat actors have modernised their attack methodologies, evolved sophisticated tactics and adopted a wide range of attack campaigns. Ransomware actors exploit known vulnerabilities, compromised credentials of remote access services and phishing campaigns for gaining access into the infrastructure of organisations,” he added.