Cyber Incident Victim: All India Institute of Medical Sciences
Date: Jun 2023
Location: India
Summary
The All India Institute of Medical Sciences was targeted by a malware attack that was detected and neutralized by its cybersecurity systems. This was the second such incident within a year, following a previous attack that paralyzed its servers for several days and disrupted hospital services, forcing a shift to manual procedures. The earlier attack was linked to servers potentially originating in China and Hong Kong, prompting a major investigation involving multiple national agencies.
Description
On June 5, 2023, the All India Institute of Medical Sciences (AIIMS) in New Delhi reported a fresh cybersecurity incident. According to an official statement from the institution posted on Twitter, its cybersecurity systems detected a malware attack at 2:50 PM on the previous day, Tuesday, June 4, 2023. The premier medical institute stated that the attempt was successfully thwarted and the threat was neutralized by the deployed cybersecurity systems. It further clarified that its eHospital services remained fully secure and were functioning normally throughout the event. This incident marked the second time AIIMS Delhi had been targeted by a significant cyberattack within a year, following a major breach in November 2022.

The official narrative from AIIMS was almost immediately contradicted by a clarification from the government. Union Minister of State for Entrepreneurship, Skill Development, Electronics and Technology, Rajeev Chandrasekhar, responded to a user on Twitter who had shared a screenshot of a 'virus found' message related to the AIIMS website. The Minister claimed the event was not a cyber incident but an "error message." He provided an alternative explanation, stating that `e-Hospital.aiims.edu` is an internal application not available for internet users. According to his account, someone may have tried accessing this internal portal, which triggered an alert due to the security layer used by AIIMS. The same person then took a screenshot of the generated error message and circulated it. Minister Chandrasekhar concluded that there was no cyber incident or breach and noted that the error messages had been rectified.
This recent event occurred against the backdrop of a far more severe and disruptive cyberattack on the same institution just months prior. On November 23, 2022, AIIMS Delhi faced a major cyberattack that paralyzed its servers for several days. The attack caused significant disruption to many hospital services, particularly those reliant on online processes. In response, the hospital was forced to launch Standard Operating Procedures (SOP) for manual admission and discharge to maintain critical healthcare operations. Internet services at the hospital remained blocked for an extended period as investigators worked to restore systems and determine the scope of the breach.
The investigative response to the November 2022 attack was extensive and involved multiple national agencies. The Delhi Police joined the investigation in coordination with the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC). The National Investigation Agency (NIA) also visited the hospital to assist the investigative agencies. A case of extortion and cyber terrorism was registered by the Intelligence Fusion & Strategic Operations (IFSO) unit of the Delhi Police. The investigation later expanded to include the Delhi cybercrime special cell, the Indian Cybercrime Coordination Centre, the Intelligence Bureau, the Central Bureau of Investigation (CBI), the National Forensic Sciences University, and the National Critical Information Infrastructure Protection Centre.
Findings from the investigation into the November attack revealed that the servers used in the cyberattack may have originated in China and Hong Kong. As a result of these findings, the Delhi Police wrote to the Central Bureau of Investigation (CBI) and asked it to obtain more information from Interpol regarding the suspected international connections. Reports also indicated that AIIMS was not the only target during that period, as attempts were made on the servers of other premier institutions. The website of the Indian Council of Medical Research (ICMR) was reportedly targeted approximately 6,000 times, though these attempts were unsuccessful.
Following the 2022 breach, internal disciplinary actions were taken at AIIMS. The institution suspended two analysts designated to look after the servers' security over the alleged lapse in cybersecurity that led to the November incident. The June 2023 event, described by AIIMS as a detected and neutralized malware attack and by a government minister as an error message, demonstrates the continued focus of malicious actors on critical healthcare infrastructure in India, as well as the heightened state of alert and scrutiny surrounding any potential security anomaly at the facility. The differing public accounts from a major institution and a government minister also highlight the complex and often sensitive nature of reporting and clarifying cybersecurity events of public interest.
