Security agencies have approached consultancy firm Ernst and Young (E&Y) regarding the November 23 cyber-attack at the All India Institute of Medical Sciences (AIIMS) in Delhi. The attack has crippled the servers and e-hospital services at the country’s premier public healthcare facility, causing major inconvenience to patients.
A government source told The Hindu that AIIMS had engaged E&Y, a third party, to conduct an audit of its cyber-systems in the middle of this year. One law enforcement agency had called E&Y executives last week to assist in the probe and to examine whether the auditors had found any vulnerabilities in the system.
The source said that the investigators suspect that the attack on the AIIMS’ servers was initiated about two months ago at the behest of State-sponsored actors from a neighbouring country.
Known software vulnerabilities
“AIIMS servers were running on a software called Zimbra that specialises in email services. The vulnerabilities in Zimbra were known as early as February this year. It is to be seen what prudent steps were taken by AIIMS to check the loopholes,” the source said. Zimbra is owned by the U.S.-based Synacor, a software and services company.
AIIMS director M. Srinivas did not respond to text messages or calls from The Hindu. An E&Y executive also did not respond to a question from The Hindu on the examination of its executives by a government agency.
On November 23, the AIIMS said in a statement that the National Informatics Centre (NIC) had informed it that its servers were down, and that this may have been due to a ransomware attack.
Following the incident, Delhi Police registered a First Information Report against unknown persons under Section 385 of the Indian Penal Code (which refers to putting a person in fear of injury in order to commit extortion) and Section 66/66F of the Information Technology Act, pertaining to cyber terrorism and computer-related offences.
On December 2, Minister of State for Electronics and IT Rajeev Chandrasekhar said that the attack on the servers of AIIMS Delhi was a conspiracy and was planned by forces that are significant.
Though it was Delhi Police that registered the case, a host of government bodies such as the Computer Emergency Response System (CERT-IN), NIC, the National Investigation Agency (NIA), and the National Security Council Secretariat (NSCS) are also investigating the incident. On November 29, the Ministry of Home Affairs (MHA) convened a meeting with all agencies, including the AIIMS director, regarding the cyber-attack.
Earlier, a Delhi Police official had said that the AIIMS server was prone to hacking because of the lack of safety features.