AIIMS cyber attack has origin in China, say investigators

Forensic analysis on the hacked AIIMS servers led investigators to a trail of IP addresses and email accounts that end in China and China-controlled Hong Kong, people aware of the matter told HT, offering the clearest signs yet of where the attack could have originated.

At least four IP addresses were traced, and previously unknown email addresses and phone numbers were found, which too linked back to entities or locations based in Chinese territories. The identity or affiliation of attackers, as is invariably the case with such cyberattacks, could not be determined, the people said.

“The file that triggered the encryption was found to have been communicating with two IP addresses, A and B. When we obtained details of the two email addresses the hackers provided for negotiations, these two matched with IP address A, which our experts traced and found to have been allotted to a company based in Hong Kong,” said a senior investigation officer aware of the analysis, asking not to be named.

“It is not immediately known if the hacking was done by any individual or a group of private persons or by any government agency in China,” the officer added.

HT is using code A to D for the four IP addresses since these are part of the investigation.

The All India Institute of Medical Sciences (AIIMS) was hacked on the morning of November 23, with ransomware encrypting all files and forcing the hospital to go offline as it pulled the plug on its network to stop the malware contagion.

All patient records that were part of the end-to-end hospital management system at AIIMS have been inaccessible since the cyberattack compromised the main as well as a backup database. The hackers, in an email to HT, said they wanted 30 bitcoins, or roughly 4.2 crore, in ransom to allow AIIMS to unlock the data, but officials said the authorities were not in favour of negotiating with cyber criminals.

Sleuths and technical experts from multiple government agencies pored over the AIIMS network, including those from Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO), the Indian computer emergency response team (Cert-IN) and the National Informatics Centre (NIC).

Their analysis found the trail of the hackers from the file that triggered the ransomware – this file communicated with IP addresses A and B, with the first acting as a source server (possibly from where the hackers issued commands) and the latter being a destination server, to which the hackers may have sent data.

Address A was easily linked to Hong Kong, with internet protocol allocation records showing it to have been registered by a company called Global Network Transit Limited with an address at Hoi Yuen Road in Hong Kong.

Tracing the second address involved more layers, as the hackers appeared to have routed through an American company called Profuse Solutions, which then appeared to have leased the server to a company called Mingpu Keji, which is headquartered in Zhengzhou, China.

“As per the details, the registered user of the IP address was identified as Lisa Zhao…” said a second official, who asked not to be named. The mobile number registered began with a China country code.

In evidence that strengthened the theory that the attackers may be based in China, India’s cyber experts also found that the user managing the first server – with IP address A – was also managing two others, which were linked to companies in Hong Kong.

Part of the clues were gleaned from requests for information sent to some of the email providers and to the company that leased out the source server (with IP address A). This information showed that the person who leased it used a Gmail account and a mobile number with a +852 country code, which is for Hong Kong.

“The investigating team also sent a request to Google for sharing details of the user of the email ID. The details showed that the email belonged to a user named “Bee Big” belonging to Hong Kong, who declared their birthday to be on December 29, 2000. Apart from the registered mobile number, Google’s details showed that the last login from that Gmail account was on December 1, 2022,” the third officer said.

December 5, the hackers had told HT earlier that day, was the last date for negotiations.

Officials at AIIMS said earlier this week that they had restored the eHospital module, the end-to-end management software, and had in phases begun shifting work online. But medical records that were stored till the time of the cyberattack are yet to be retrieved.
