The probe into the cyberattack on some servers at AIIMS in the national capital has found that the IP addresses of two emails, which were identified from the headers of files encrypted by the hackers, originated from Hong Kong and China’s Henan province, sources told The Indian Express. Sources said the senders used the email service Protonmail, adding that probe agencies have still not located the person, organisation or exact physical location linked to the cyberattack.

“They have tracked a server address in China. It does not mean that they have located a person or an organisation or the exact physical location. What they have located is an IP address, which is from China. It could be a Chinese physical server or a virtual server. This we will find eventually in the next few days,” top Government sources told The Indian Express.

Multiple agencies, including the Indian Computer Emergency Response Team (CERT-In), are investigating the cyberattack, which is feared to have compromised the records of nearly 3-4 crore patients, including high-profile political personalities. According to sources, all back-up data directly linked to patient details has been repopulated to the main system. “All previous patient records are back on the system,” they said.

However, sources said investigations are still underway to find out whether any other critical data of the institute has been compromised. “If part of the data from the main system is gone, but not from the backup server, there is a far more time-consuming and prolonged process to find out which part has gone. This is presently underway,” sources said.

CERT-In, the country’s premier cybersecurity agency, had found that the hackers had two Protonmail addresses: “dog2398” and “mouse63209”. Sources said the targeted servers were infected with three ransomware: WannaCry, Mimikatz and Trojan.
“CERT-In and DRDO (CIRA) found five servers of NIC infected with ransomware and seven servers of the computer facility in AIIMS infected with these three ransomware,” they said.

The sources also said that during the probe, the encrypted files were sent to these two Protonmail IDs through CERT-In and Interpol. “After investigation, they found that ‘dog2398’ and ‘mouse63209’ were generated in the first week of November in Hong Kong. They also found that another encrypted file was sent from China’s Henan. But as of now, they have been able to establish the first layer and are trying to find out about further layers,” sources said.

The Intelligence Fusion and Strategic Operations (IFSO) unit of Delhi Police has registered an FIR under IPC section 385 (putting a person in fear of injury in order to commit extortion), and sections 66 and 66-F of the IT Act after receiving a complaint from AIIMS.

A CERT-In team found that the encryption of data was triggered by one of the Windows servers attached to the same network, but “files of this server were not encrypted”, sources said. The investigation also revealed that the main server and the applications responsible for OPD services were down because all the system files in the home directory had been encrypted, with their extension changed to .bak9, the new extension given to the encrypted system files.

“The breach in security has particularly affected the e-hospital application, which was provided and managed by NIC since 2011-12, stopping the online functioning of OPD, emergency, and other patient care services on the AIIMS premises,” sources said.

There are 52 physical servers (37 of the computer facility in AIIMS and 15 of NIC) and 148 virtual servers installed at the institute’s computer facility.

Sources said that two glaring loopholes have been found behind the cyberattack at AIIMS. First, sources said, a large institution like AIIMS should have had a “hierarchical digital structure” rather than a “flat digital structure”.
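The reconciliation the sources describe (working out which files on the main system were encrypted, which of those exist in the backup, and which are gone from both) can be scripted once a file listing of each system is available. The example below is added here and is not code from the article, CERT-In or AIIMS; it assumes each listing is a mapping of path to file hash, uses the .bak9 extension reported in the incident, and the sample listings are constructed for illustration.

```python
"""Reconcile a ransomware-hit system's file listing against its backup listing.

Added example, not part of the original article. Inputs are assumed to be
dicts of {path: content_hash}; the hashes below are constructed placeholders.
"""

RANSOM_EXT = ".bak9"  # extension reported for the encrypted files in the incident

# Constructed listing of the main system after the attack (not real data).
MAIN_AFTER_ATTACK = {
    "/home/ehospital/opd/patients.db.bak9": "a1",   # encrypted, original name lost
    "/home/ehospital/opd/config.ini.bak9": "b2",    # encrypted
    "/home/ehospital/emergency/triage.csv": "c3",   # untouched, matches backup
    "/home/ehospital/labs/results.db": "zz",        # present but content differs
}

# Constructed listing of the remote backup server (not real data).
BACKUP = {
    "/home/ehospital/opd/patients.db": "d4",
    "/home/ehospital/opd/config.ini": "e5",
    "/home/ehospital/emergency/triage.csv": "c3",
    "/home/ehospital/labs/results.db": "f6",
    "/home/ehospital/labs/archive.db": "g7",        # deleted from main system
}


def reconcile(main, backup, ext=RANSOM_EXT):
    """Classify every path so responders can scope what is restorable.

    Returns sorted lists: files encrypted and restorable from backup, files
    encrypted with no backup copy, files missing from main but in backup,
    files intact (hash matches), and files whose content changed.
    """
    encrypted = {p[: -len(ext)] for p in main if p.endswith(ext)}
    plain = {p: h for p, h in main.items() if not p.endswith(ext)}
    return {
        "restore_from_backup": sorted(encrypted & backup.keys()),
        "encrypted_no_backup": sorted(encrypted - backup.keys()),
        "missing_from_main": sorted(backup.keys() - plain.keys() - encrypted),
        "intact": sorted(p for p, h in plain.items() if backup.get(p) == h),
        "modified": sorted(p for p, h in plain.items()
                           if p in backup and backup[p] != h),
    }


if __name__ == "__main__":
    for category, paths in reconcile(MAIN_AFTER_ATTACK, BACKUP).items():
        print(f"{category}: {paths}")
```

The "modified" bucket is the one the sources call prolonged to work through: a file that still exists under its original name but no longer matches the backup needs manual examination rather than a straight restore.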
“So that if an attack happens, it adversely affects only one level of that hierarchy. At present, there is only one back-up server at a remote location. In a hierarchical structure, you would have a backup built-in redundancy for each level,” sources said.

Second, sources said, was that “they only had a troubleshooting cell, who did not have the expertise to prevent a cyber attack”. Now, the process has been initiated at AIIMS to set up a dedicated cyber security cell, they said.

“The new cyber security cell will ensure that there is an SoP for the use of both intranet and internet. There would be certain prohibited sites, which the system will not permit you to download from, because those sites are the most popular means of infecting your computers and, through your computer, the network,” sources said.