Cyber Incident Victim: Ministry of Health and Family Welfare

Date: Mar 2023

Location: India

Summary

A pro-Russian hacker group known as Phoenix, affiliated with Killnet, allegedly breached the Indian Health Ministry's Health Management Information System, claiming to possess sensitive data on hospitals, staff, and patients. The intrusion was identified by CloudSEK's XVigil platform, with threat actors linking the attack to India’s compliance with Western sanctions against Russia and the G7-approved oil price ceiling. The incident followed online discussions within the group criticizing India’s stance on sanctions, mirroring motivations observed in prior disruptions targeting Indian healthcare infrastructure. Official confirmation from the Ministry remained pending at the time of reporting.

Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 2 actors

Description

On March 16, 2023, cybersecurity firm CloudSEK identified a cyberattack targeting India’s Health Management Information System (HMIS), a platform under the Ministry of Health and Family Welfare. Its AI-driven digital risk platform, XVigil, detected the breach and attributed it to Phoenix, a pro-Russian hacker collective operating under the Killnet group. Phoenix publicly claimed responsibility via Telegram, asserting unauthorized access to Ministry of Health systems and possession of sensitive data, including information on hospitals, staff, patients, and chief physicians. The group framed the attack as retaliation for India’s foreign policy stance, following a poll within Killnet’s community criticizing India’s refusal to condemn Western sanctions against Russia. Threat intelligence platform FalconFeeds.io explicitly linked the action to India’s compliance with the G7’s Russian oil price cap, highlighting geopolitical tensions as a motivating factor. The HMIS breach came months after an earlier cyber incident at the All India Institute of Medical Sciences (AIIMS), where servers were compromised by foreign actors, forcing the institution to operate manually for an extended period. Authorities had registered an FIR citing cyber terrorism and extortion in the AIIMS case, involving multiple investigative agencies, though full system recovery remained incomplete at the time of the HMIS incident.

The Phoenix group’s intrusion raised immediate concerns over the integrity of medical and administrative data across India’s healthcare infrastructure. While the exact scope of exfiltrated data was unverified, the attackers maintained public claims of having accessed critical systems, escalating the risk of data misuse or extortion. Operational disruptions persisted at AIIMS, which continued manual patient management processes due to unresolved system outages from the earlier attack. Law enforcement initiated investigations into both incidents under cyber terrorism provisions, coordinating across specialized agencies to restore systems and analyze attack vectors. The Ministry of Health issued no official statement confirming or denying Phoenix’s assertions, so the claims remained publicly unaddressed. Together, these incidents represented an ongoing threat to India’s healthcare sector, marking one of the most significant ransomware campaigns against its medical institutions in recent years, with direct implications for national data security and critical service continuity.
