Cyber warfare group caused AIIMS hack: sources

A cyber warfare group backed by a “neighbouring” nation’s government was involved in the cyberattack on servers of the All India Institute of Medical Sciences (AIIMS), two sources aware of a government probe into the breach said.

According to the sources, the findings of the probe, which has not yet been made public, have revealed that at least five servers of the state-run hospital had been “left unattended” which resulted in cybercriminals getting access to the AIIMS system.

“The group has been involved in cyberattacks and (had been) identified by our probe agencies in the past as well. We are taking measures to thwart attacks from them in future,” a senior government official said.


The probe is being conducted by the National Investigation Agency and the Indian Computer Emergency Team (CERT-in), the country’s nodal cybersecurity agency.

“We found several inconsistencies with cybersecurity practices in AIIMS,” another official said.

The five servers that were compromised have since been sanitised, another official said, adding that the probe would continue to determine “with surety” whether any critical data had been leaked from the system.

The premier hospital, which treats more than three million patients, including senior-most central and state government officials, bureaucrats and judicial officers every year, became the target of a cyberattack which left its systems non-functional for more than a fortnight.

The attack, which was discovered on November 23, ended on Wednesday as most of the systems, including online booking and registration of patients were restored.

State-sponsored cyber incidents have been increasing in India and globally over the last few years.

In 2021, the power grid in Mumbai was believed to have been attacked by one such terror group, causing a blackout in the city. Independent security firms said this was orchestrated by China, even as the Mumbai cyber cell and Maharashtra government did not comment on that aspect.

A recent report by cybersecurity firm Trellix has predicted an increase in cyberattacks driven by geopolitical tensions, especially in Asia.

Global political events and the adoption of new technology will “breed novel threats from more innovative threat actors,” John Fokker, head of threat intelligence at Trellix, said.

According to the Verizon Threat Intelligence Report, the prevalence and severity of mobile-related compromises have grown. From coordinated state-sponsored campaigns to unfocused, opportunistic criminal exploits, the volume of attacks is going up.

Nearly 45% of respondents said that their organization had been subject to a security incident involving a mobile device that led to data loss, downtime, or another negative outcome. And of those respondents, 73% described the attack as major, and over two-fifths (42%) said that the attack had lasting repercussions.