The AIIMS cyberattack and its China links: What we know so far

As the probe into the AIIMS cyberattack reveals China links, we explain what the investigation has uncovered so far, the authorities’ response and some lessons that this case leaves us with.

The cyberattack is feared to have compromised the records of nearly 3-4 crore patients, including high-profile political personalities (Stock Photo).
The probe into the cyberattack on some servers at AIIMS in the national capital has found that the IP addresses of two emails, which were identified from the headers of files that were encrypted by the hackers, originated from Hong Kong and China’s Henan province, sources told The Indian Express.

Multiple agencies, including the Indian Computer Emergency Response Team (CERT-In), are investigating the cyberattack that is feared to have compromised the records of nearly 3-4 crore patients, including high-profile political personalities. According to sources, all backup data directly linked to the patient details has been repopulated to the main system. “All previous patient records are back on the system,” they said.

The Indian Express takes a closer look at the unfolding investigation and its outcomes so far.

What has the probe uncovered so far?

Sources said the senders used the email service Protonmail. CERT-In, the country’s premier cybersecurity agency, has found that the hackers had two Protonmail addresses “dog2398” and “mouse63209”.

The sources said that during the probe, the encrypted files were sent to these two Protonmail IDs through CERT-In and Interpol. “After investigation, they found that ‘dog2398’ and ‘mouse63209’ were generated in the first week of November in Hong Kong. They also found that another encrypted file was sent from China’s Henan. But as of now, they have been able to establish the first layer and are trying to find out about further layers,” sources said.

Sources also said that the targeted servers were infected with three ransomware: WannaCry, Mimikatz and Trojan. “CERT-In and DRDO (CIRA) found five servers of NIC infected with ransomware and seven servers of the computer facility in AIIMS infected with these three ransomware,” they said.

The Intelligence Fusion and Strategic Operations (IFSO) unit of Delhi Police has registered an FIR under IPC section 385 (putting a person in fear of injury in order to commit extortion), and sections 66 and 66-F of the IT Act after receiving a complaint from AIIMS.

What did the cyberattack do?

The cyberattack derailed many day-to-day activities at AIIMS, with OPD registrations and blood sample reports being halted at the premier institute. While AIIMS was able to restart some of these services, records were being kept manually, causing delays and inconvenience to medical personnel and patients alike.

Patients told The Indian Express that their treatment was impacted due to this cyber attack. 20-year-old Raja said, “My mother got the blood tests done on November 16 and was asked to come on November 30 to consult a doctor, but we have not gotten the reports yet and the treatment has gone awry.”

A CERT-In team found that the encryption of data was triggered by one of the Windows servers attached to the same network, but “files of this server were not encrypted”, sources said.

The investigation also revealed that the main server and the applications responsible for OPD services were down because all the system files in the home directory had been encrypted, with their extension changed to .bak9, a new extension applied to the encrypted files of the system.
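The artifact described above, files across a directory tree acquiring a .bak9 extension in a short burst, is the kind of thing a file-integrity monitor can flag long before an outage is noticed. The following detector is an added example, not code from the article or from the investigating agencies: it reads a list of file-rename events (constructed sample data, with assumed paths and timestamps) and raises an alert when, within a sliding time window, many files under one directory gain the suspicious extension. The event format, the directory grouping depth and the thresholds are assumptions for the example.

```python
"""
Added example (not from the article or the investigating agencies): flag a
burst of renames that append a ransomware-style extension such as ".bak9".
Input is a list of rename events; in practice these would come from a
file-integrity monitor or audit log. Sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath


@dataclass(frozen=True)
class RenameEvent:
    when: datetime
    old_path: str
    new_path: str


# Constructed sample: a burst of renames under /home/ehospital (assumed path),
# plus one isolated rename elsewhere that should not trigger an alert.
SAMPLE_EVENTS = [
    RenameEvent(datetime(2022, 11, 23, 2, 14, 0), "/home/ehospital/opd/reg.db", "/home/ehospital/opd/reg.db.bak9"),
    RenameEvent(datetime(2022, 11, 23, 2, 14, 1), "/home/ehospital/opd/index.dat", "/home/ehospital/opd/index.dat.bak9"),
    RenameEvent(datetime(2022, 11, 23, 2, 14, 1), "/home/ehospital/lab/results.csv", "/home/ehospital/lab/results.csv.bak9"),
    RenameEvent(datetime(2022, 11, 23, 2, 14, 2), "/home/ehospital/lab/queue.json", "/home/ehospital/lab/queue.json.bak9"),
    RenameEvent(datetime(2022, 11, 23, 2, 14, 3), "/home/ehospital/config.ini", "/home/ehospital/config.ini.bak9"),
    RenameEvent(datetime(2022, 11, 23, 2, 14, 4), "/home/ehospital/readme.txt", "/home/ehospital/readme.txt.bak9"),
    RenameEvent(datetime(2022, 11, 23, 9, 30, 0), "/var/backups/nightly.tar", "/var/backups/nightly.tar.bak9"),
]


def gained_suffix(ev, suffix):
    """True when the rename appended `suffix` to a file that did not already have it."""
    return ev.new_path.endswith(suffix) and not ev.old_path.endswith(suffix)


def top_level_dir(path, depth=2):
    """Group by the first `depth` path components, e.g. /home/ehospital."""
    parts = PurePosixPath(path).parts  # ('/', 'home', 'ehospital', ...)
    return str(PurePosixPath(*parts[: depth + 1]))


def detect_mass_rename(events, suffix=".bak9", threshold=5, window=timedelta(seconds=60), depth=2):
    """
    Return a list of (directory, count, first_seen) alerts, one per directory in
    which at least `threshold` files gained `suffix` within any `window`-long
    span. Uses a sliding window over the time-sorted events of each directory.
    """
    by_dir = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        if gained_suffix(ev, suffix):
            by_dir[top_level_dir(ev.new_path, depth)].append(ev.when)

    alerts = []
    for directory, times in by_dir.items():
        best_count, best_start = 0, None
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_start = count, times[start]
        if best_count >= threshold:
            alerts.append((directory, best_count, best_start))
    return alerts


if __name__ == "__main__":
    for directory, count, first_seen in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT {directory}: {count} files renamed to .bak9 starting {first_seen}")
```

The single rename under /var/backups stays below the threshold and produces no alert, while the six renames under /home/ehospital within a few seconds do; tuning the threshold and window to a server's normal rename rate is what keeps such a rule from firing on routine backup jobs.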

“The breach in security has particularly affected the e-hospital application, which was provided and managed by NIC since 2011-12, stopping the online functioning of OPD, emergency, and other patient care services on the AIIMS premises,” sources said. There are 52 physical servers (37 belonging to the computer facility in AIIMS and 15 to NIC) and 148 virtual servers installed at the institute’s computer facility.

Things that are still unclear

Probe agencies have still not located the person, organisation and exact physical location linked to the cyberattack.

“They have tracked a server address in China. It does not mean that they have located a person or an organisation or the exact physical location. What they have located is an IP address, which is from China. It could be a Chinese physical server or a virtual server. This we will find eventually in the next few days,” top Government sources told The Indian Express.

Furthermore, sources said investigations are still underway to find if any other critical data of the institute has been compromised. “…if part of the data from the main system is gone, but not from the backup server, there is a far more time-consuming and prolonged process to find out which part has gone. This is presently underway,” sources said.

Lessons to be learnt

Sources said that two glaring loopholes have been uncovered by the cyberattack at AIIMS.

First, sources said, a large institution like AIIMS should have had a “hierarchical digital structure” rather than a “flat digital structure”. “So that if an attack happens, it adversely affects only one level of that hierarchy…At present, there is only one backup server at a remote location. In a hierarchical structure, you would have a backup built-in redundancy for each level,” sources said.

Second, sources said, was “they only had a troubleshooting cell, who did not have the expertise to prevent a cyber attack”. Now, the process has been initiated at AIIMS to start a dedicated cyber security cell, they said.

“The new Cyber security cell will ensure that there is an SoP for the use of both intranet and internet. There would be certain prohibited sites, which the system will not permit you to download from because those sites are the most popular means of infecting your computers and through your computer network,” sources said.

Mahender Singh Manral is an Assistant Editor with the national bureau of The Indian Express. He is known for his impactful and breaking stories. He covers the Ministry of Home Affairs, Investigative Agencies, National Investigative Agency, Central Bureau of Investigation, Law Enforcement Agencies, Paramilitary Forces, and internal security. Prior to this, Manral had extensively reported on city-based crime stories; along with that, he also covered the anti-corruption branch of the Delhi government for a decade. He is known for his knack for news and a detailed understanding of stories. He also worked with Mail Today as a senior correspondent for eleven months. He has also worked with The Pioneer for two years, where he was exclusively covering the crime beat. During the initial days of his career he also worked with The Statesman newspaper in the national capital, where he was entrusted with beats like crime, education, and the Delhi Jal Board. A graduate in Mass Communication, Manral is always in search of stories that impact lives.

Kaunain Sheriff M is an award-winning investigative journalist and the National Health Editor at The Indian Express. He is the author of Johnson & Johnson Files: The Indian Secrets of a Global Giant, an investigation into one of the world’s most powerful pharmaceutical companies. With over a decade of experience, Kaunain brings deep expertise in three areas of investigative journalism: law, health, and data. He currently leads The Indian Express newsroom’s in-depth coverage of health. His work has earned some of the most prestigious honours in journalism, including the Ramnath Goenka Award for Excellence in Journalism, the Society of Publishers in Asia (SOPA) Award, and the Mumbai Press Club’s Red Ink Award. Kaunain has also collaborated on major global investigations. He was part of the Implant Files project with the International Consortium of Investigative Journalists (ICIJ), which exposed malpractices in the medical device industry across the world. He also contributed to an international investigation that uncovered how a Chinese big-data firm was monitoring thousands of prominent Indian individuals and institutions in real time. Over the years, he has reported on several high-profile criminal trials, including the Hashimpura massacre, the 2G spectrum scam, and the coal block allocation case. Within The Indian Express, he has been honoured three times with the Indian Express Excellence Award for his investigations: on the anti-Sikh riots, the Vyapam exam scam, and the abuse of the National Security Act in Uttar Pradesh.
