AIIMS Cyber attack : Do we need to wait for the next incident to again connect the dots?

All India Institute of Medical Sciences (AIIMS) Delhi, faced a heavy cyber attack that derailed routine health services and affected thousands of patients.?The cyberattack has frozen everyday work at AIIMS, including appointments and registration, billing, laboratory report generation, etc. According to the institute, a ransomware attack has corrupted all the files stored on the main and backup servers of the hospital. It is suspected that the data of around 3-4 crore patients are feared to have been compromised due to the cyber-attack on November 23.

AIIMS has around 40 physical and 100 virtual servers and of these, five have been infected with the ransomware, reports in the media said. These servers are being scanned and new servers with updated configurations are being purchased. AIIMS has taken up the restoration process of the data and due to the vast volume of data and a large number of servers, the hospital is taking its time. There are some reports that say the hackers have demanded Rs. 200 Cr in lieu of releasing a private key to decrypt the data.

While there is no official confirmation from any government official or investigating agencies stating whether this is an act of ransomware attack or exploitation of some vulnerabilities in the IT infrastructure of AIIMS, the fact is that the institution is impacted heavily and eventually lots of issues are faced by the patients.

So, what next? Will learn something from this incident or are you still under the wrong perception that such cyberattacks can happen only to financial institutions and nothing to worry about for others? Maybe some hue and cry for a while and wait for the next incident to again connect the dots??

Why do we need to worry now?

It is an undoubted fact that Indian cyberspace as a domain now appears to be fully weaponised. It is generally accepted that in the cyber domain, the skill to cause damage to the infrastructure is easier to recruit, but the will to do damage is the key missing point. In the fast-changing economics and geo-political scenario, that is no longer the case.?

The ransomware attack on AIIMS calls for a review of the recent cyber attacks to answer questions from a slightly long-term perspective. The institutional establishment should be able to understand and answer the following questions:-?

(a) Who are the attackers??

(b) Are the attacks part of a larger design of things??

(c) What is the response from the Indian State??

(d) How do the threat actors see the response from the Indian State??

(e) What is working in favour of the Indian State??

?Recent Cyber Attacks in India?

Cyber-attacks commonly seen in the recent past fall under two known categories – stealing of sensitive information (commercial and personal) and downright destruction of computer assets (devices/data). It is necessary to state that the list below indicates only the tip of the iceberg. It is still a widely held belief that reporting the cyber incident to law enforcement agencies leads to further scrutiny and reputational risk than any meaningful assistance to the company.?

The scope of stealing sensitive information can be gauged through the news of various breaches scooped through the sources in the Dark Web. A review of the recent breaches over the last two years indicates a wide coverage of victims. Most of the victims that have garnered public attention include many top players from the critical sectors, including Banking, Transport, Telecom, Health, and Power. It is tough to verify if the breach is genuine or not due to the nature of the digital data – it is easy to copy but difficult to verify or track the source. However, when seen as a larger trend, it undoubtedly points to many more leaks that have neither been reported nor noticed by the respective companies.?

A more dangerous trend is the use of ransomware by various organized crime groups in the country. While there are many cyber groups, the recent spate of attacks is attributed to more extensive campaigns by various dangerous groups such as REvil (Ransomware Evil). Their ransomware attacks have disrupted and affected the operations of multiple entities. A study of the ransomware attack sample seen recently indicates the increased sophistication and its ability to evade detection by most of the commonly seen anti-malware solutions. This sophistication can be possibly seen as a result of two trends.?

(a) Ransomware operators are running their operations as professional business ventures and hiring high-grade talent.?

(b) State actors are funding and sharing the knowledge of their operations with the ransomware operators

From an Indian viewpoint, there has been a sudden surge in cyber-attacks in last 2-3 years, with a wide variety of breaches, and a spike in ransomware attacks against entities based out of India. It is also not a pure coincidence that the attackers have been going over the most critical infrastructure and entities like AIIMS that collect massive amounts of personal data. This indicates that there could be a method in the madness, and /or this could be a concerted effort by a motivated threat/state actor.?

Framework for Analysis of Security Cyberspace?

Digital transformation requires multiple items to come together.?People, Processes & Technology?as a model for understanding the current system and proposing suitable interventions to bring desirable change.?

People:?Assembling the right group of people in three domains — technology, process, and people in leadership roles with organizational change capacity — may be the single most important step that is needed to secure a successful transformation.?

Processes:?Transformation requires an end-to-end mindset, a rethinking of ways to meet the requirements of the various stakeholders, seamless connection of work activities, and the ability to manage across various stakeholders when in the future. Process orientation is a natural fit for these needs. Process design faces a big challenge in overcoming the hierarchical reporting structures mandatory in the Government infrastructure. This makes the process design a critical task that takes advantage of technological innovations.?

Technology:?In the technology domain, organizations need to make choices that support and develop the potential of the existing people and processes. People with technological depth and breadth and the ability to bring their?insights into relevant areas of work/mandate of the organizations. Leaders of the technology domain must be able to communicate clearly with the big picture in mind.?

Most modern information infrastructure utilizes a higher level of automation that further enhances the attack surfaces. Each of the scenarios may result in very high, high, and moderate impact depending on the infra-architecture and grid systems and may disrupt services over a wider area and longer times. The introduction of fraudulent activities, as a result of the cyber-attack, can trigger different actions (either by accident or on purpose) and even cause instability of the entire infrastructure resulting in heavy losses. There are discussions of the special cyber vulnerabilities found in industrial control systems that operate critical infrastructure facilities. These special vulnerabilities like zero-day vulnerabilities help make important critical infrastructure look like easy targets for possible cyber-terrorist attacks.?

There are numerous recent cyber incidents and attacks on critical information infrastructure. The gas pipeline attacks in the US, Solar Winds, and the cloud infrastructure compromise in the US. The recent high-impact cyber-attacks in India, e.g. cyber-attacks on power systems in Ladakh SDLC and Maharashtra, resulted in severe long-duration power shutdowns, a cyber-attack on the atomic power plant etc. Most of the technology and equipment are imported. The technological understanding of the design of a product, therefore, is a weak point in the critical infrastructure in the country.??

Organised Cyber Groups?

Organised cyber groups are on a global cybercrime spree. They have grown from targeting individual computers to corporate networks; organised cyber groups have evolved over the years. They have evolved from traditional ways of bringing together cyber criminals with the necessary skill-set to work on a stand-alone basis where nobody knows anyone in person and all contact is restricted to virtual contact. This allows the members of such groups to be shielded from detection by law enforcement agencies.

?Ransomware has one designated task - to encrypt all data available on a system. As the connectivity throughout the globe increased, so did the dangers of Ransomware attacks. The groups’ interests are not limited to money anymore. Such groups now aim at stealing data from the network before encrypting it. This serves two purposes:-?

1. The threat of leaking data adds a pressure factor on the company to pay the ransom. The trust of the customers and the reputation of the company in the community should not be compromised at any cost.?
2. It acts as an insurance policy. If an organization refuses to pay up, the black market of leaked data is always an option for them.?

The complexity has grown too. The attacks are not based on a single malicious binary masquerading as a legitimate file anymore; the attacks nowadays are targeted campaigns.? These groups have built their business strategies with an influence from legitimate B2B models. It is a full-fledged market for professionals, recruiting people from their close circles. These groups have a straightforward playbook. They identify, attack, and then extort targets. Moreover, these attacks are not limited to motivated attackers anymore. Ransomware-as-a-Service, or RaaS, is now on the rise. It allows people to buy and/or subscribe to pre-built tools with ready-to-launch ransomware campaigns.?

State Actors?

China has the second-largest budget in the defence sector globally, and they perpetuate a concept called “network warfare” to house their cyber warfare. With more than 20 APTs (Advanced Persistent Threats) groups attributed to China, it is an ever-increasing threat to the nations of the world.State-sponsored (speculation) Chinese cyber groups have (allegedly) targeted various verticals of Indian critical infrastructure numerous times. Even though many of those attacks have been thwarted through the intelligence gathered by the Indian cyber agencies, it is not always possible to gather intelligence, and therefore we must always be on guard.?

Pakistan has not been inactive in the meantime. Government officials have reported the uncovering of various Pakistani groups interested in attacking the State of India. Various reports list website defacement, both government and non-government, by patriotic hackers often publicly claiming responsibility for such operations. These operations are motivated by and can lead to a physical event that causes friction between the two States.?

Pakistani APTs target military and diplomatic personnel to compromise national security as part of espionage. They heavily indulge in spear-phishing attacks to gain access to social media accounts belonging to critical personnel.?

The way forward

Cyberspace of the country is vast and is rapidly growing, and there have been some efforts by the government and the private sector to work together in monitoring the threats to the cyber security of the specific sectors in particular andthe country in general.??In the digital transformation journey, India is progressing at pace with the digital presence of economic and national critical infrastructure. Every IT Infrastructure is dependent on and has incorporated cyber-enabled technologies for its management, control, and operations. Despite existing cyber security infrastructure in place, critical systems are under different types of cyber attacks. Thus, the following measures recommendedto strengthen the existing resilience of India’s cyber infrastructure. These recommendations propose a mechanism to encourage cooperation among government, industry, and academia, in the cyber security milieu.?

• The National Cyber Security Policy 2013 needs an urgent revision in parallel with the advancement of technological innovations, emerging technologies, cyber threats, and unmanaged networks.?
• There is an urgent need for an incorporated national response covering human resources and technical challenges to strengthen India’s cyberspace resiliency.?
• An uniform Central Cyber Commend or a single agency, comprising the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC), may be formed.?
• A HUB and SPOKE model can be used to establish coordination among various sectoral regulators and the national agency for cyber security on policy-making and its adherence.?
• The CERT-In and NCIIPC, under a single agency, need further empowerment through legislation to enforce cyber policies to prevent cyber-attacks/ incidents. However, cyber incidents are to be the sole responsibility of CERT-In.?
• Certain platforms, such as National Resilience Centre for Cyber, Centralised Malware Analysis Platform, Centralised Dark Web Monitoring Platform, and Centralised Standards Body, must be strengthened to ensure India’s technological prowess to withstand cyberwarfare scenarios.?
• In line with the legal responsibility and accountability of the organisation, a cyber security law must be framed on a priority basis. The law will outline the implementation of policies to secure and ensure the resiliency of India’s cyber infrastructure.?

?

About the Author:

Bharat Panchal?is currently working as Chief Industry Relations & Regulatory officer- India, Discover Financial Services. He is the former Chief Risk Officer- of APAC, Middle East, and Africa at FIS Global & Chief of Risk @ NPCI. Bharat is well-known as an architect of digital risk management & cyber security of India’s entire retail payment ecosystem as he has built a world-class digital risk management and cyber security environment for all products like RuPay, IMPS, FasTag and the most prestigious UPI at NPCI.

He regularly writes about best practices in digital risk management, Cyber Securitry, Cyber fraud, and risk governance. He can be contacted at [email protected]. Views expressed in this article are purely personal.??

This article is an excerpt of the detailed report on " PROTECTION OF NATIONAL CRITICAL INFORMATION INFRASTRUCTURE" published by Vivekanand International Foundation which was jointly written by R Srivathsa Ramanathan, Saikrishna BVS and Bharat Panchal.