This is an archive article published on December 15, 2022

The AIIMS cyberattack and its China links: What we know so far

As the probe into the AIIMS cyberattack reveals China links, we explain what the investigation has uncovered so far, the authorities’ response and some lessons that this case leaves us with.

The cyberattack is feared to have compromised the records of nearly 3-4 crore patients, including high-profile political personalities (Stock Photo).

The probe into the cyberattack on some servers at AIIMS in the national capital has found that the IP addresses of two emails, which were identified from the headers of files that were encrypted by the hackers, originated from Hong Kong and China’s Henan province, sources told The Indian Express.


Multiple agencies, including the Indian Computer Emergency Response Team (CERT-In), are investigating the cyberattack that is feared to have compromised the records of nearly 3-4 crore patients, including high-profile political personalities. According to sources, all backup data directly linked to the patient details has been repopulated to the main system. “All previous patient records are back on the system,” they said.

The Indian Express takes a closer look at the unfolding investigation and its outcomes so far.

What has the probe uncovered so far?

Sources said the senders used the email service Protonmail. CERT-In, the country’s premier cybersecurity agency, has found that the hackers had two Protonmail addresses “dog2398” and “mouse63209”.

The sources said that during the probe, the encrypted files were sent to these two Protonmail IDs through CERT-In and Interpol. “After investigation, they found that ‘dog2398’ and ‘mouse63209’ were generated in the first week of November in Hong Kong. They also found that another encrypted file was sent from China’s Henan. But as of now, they have been able to establish the first layer and are trying to find out about further layers,” sources said.

Sources also said that the targeted servers were infected with three ransomware: WannaCry, Mimikatz and Trojan. “CERT-In and DRDO (CIRA) found five servers of NIC infected with ransomware and seven servers of the computer facility in AIIMS infected with these three ransomware,” they said.


The Intelligence Fusion and Strategic Operations (IFSO) unit of Delhi Police has registered an FIR under IPC section 385 (putting a person in fear of injury in order to commit extortion), and sections 66 and 66-F of the IT Act after receiving a complaint from AIIMS.

What did the cyberattack do?

The cyberattack derailed many day-to-day activities at AIIMS, with OPD registrations and blood sample reports being halted at the premier institute. While AIIMS was able to restart some of these services, records were being kept manually, causing delays and inconvenience to medical personnel and patients alike.

Patients told The Indian Express that their treatment was impacted due to this cyber attack. 20-year-old Raja said, “My mother got the blood tests done on November 16 and was asked to come on November 30 to consult a doctor, but we have not gotten the reports yet and the treatment has gone awry.”

A CERT-In team found that the encryption of data was triggered by one of the Windows servers attached to the same network, but “files of this server were not encrypted”, sources said.


The investigation also revealed that the main server and applications responsible for OPD services were down because all the system files in the home directory had been encrypted by a newly dropped file, which changed their extension to .bak9.

“The breach in security has particularly affected the e-hospital application, which was provided and managed by NIC since 2011-12, stopping the online functioning of OPD, emergency, and other patient care services on the AIIMS premises,” sources said. There are 52 physical servers (37 belonging to the computer facility in AIIMS and 15 to NIC) and 148 virtual servers installed at the institute’s computer facility.

Things that are still unclear

Probe agencies have still not located the person, organisation and exact physical location linked to the cyberattack.

“They have tracked a server address in China. It does not mean that they have located a person or an organisation or the exact physical location. What they have located is an IP address, which is from China. It could be a Chinese physical server or a virtual server. This we will find eventually in the next few days,” top Government sources told The Indian Express.


Furthermore, sources said investigations are still underway to find if any other critical data of the institute has been compromised. “…if part of the data from the main system is gone, but not from the backup server, there is a far more time-consuming and prolonged process to find out which part has gone. This is presently underway,” sources said.

Lessons to be learnt

Sources said that two glaring loopholes have been uncovered due to the cyber attack at AIIMS.

First, sources said, a large institution like AIIMS should have had a “hierarchical digital structure” rather than a “flat digital structure”. “So that if an attack happens, it adversely affects only one level of that hierarchy…At present, there is only one backup server at a remote location. In a hierarchical structure, you would have a backup built-in redundancy for each level,” sources said.

Second, sources said, was “they only had a troubleshooting cell, who did not have the expertise to prevent a cyber attack”. Now, the process has been initiated at AIIMS to start a dedicated cyber security cell, they said.


“The new Cyber security cell will ensure that there is an SoP for the use of both intranet and internet. There would be certain prohibited sites, which the system will not permit you to download from because those sites are the most popular means of infecting your computers and through your computer network,” sources said.

Mahender Singh Manral is an Assistant Editor with the national bureau of The Indian Express.

Kaunain Sheriff is City Editor (Delhi) and National Health Editor at The Indian Express.
