A 30-year-old IT system that runs the All-India Institute of Medical Sciences was hit by a massive cyber hack last week. The hack suggests cyber signalling by a nation-state – China being the top contender.
News headlines have fixated on the hackers’ ransom demand – Rs 200 crore in cryptocurrency – as the primary motivation, but the scale and tactics used in the hack suggest other aims. While we don’t know who the hacker(s) are yet, the preliminary investigation claims a ‘foreign actor’ was behind the attack. The investigation has named two Chinese ransomware groups – Emperor Dragonfly and Bronze Starlight (DEV-0401). An analysis of Bronze Starlight’s past activity suggests the group may be engaged in espionage, using ransomware as a smokescreen.
It’s far more likely that a State-backed entity, rather than a private group, carried out the cyberattack. The critical importance of the data held at AIIMS, New Delhi, can’t be emphasised enough, considering that it houses the medical records of top politicians and government officials.
The AIIMS hack isn’t the only cyber intrusion over the past week. We should consider the possibility of a coordinated cyber-signalling campaign.
There was an attempt to hack Safdarjung Hospital, also in New Delhi, but it was foiled. In Tamil Nadu’s Tiruppur, patient records of Sree Saran Medical Center were targeted and the data sold on the dark web. The exploit (code that targets a flaw in a piece of software) was used by hackers against Sree Saran Medical Center’s third-party IT solution, provided by Three Cube lab. The hacking attempt was noticed on 22 November.
The hackers’ use of a Protonmail account, rather than a more secure channel, suggests the AIIMS hack was a messaging tool rather than just a play for ransom.
The Belfer Centre’s National Cyber Power Index of 2022 has described China as the second-most comprehensive cyber power, next to the US. The index combines multiple capabilities, including cyber surveillance, collection of defence intelligence, information control, and other measures.
China is a cyber power with the wherewithal to launch either a State-backed or a mercenary-backed attack in the coordinated manner we are witnessing now.
In 2015, the US blamed China for hacking the United States Office of Personnel Management (OPM) and collecting the data of 4 million federal workers. There was no smoking gun linking the hack to Chinese State actors, but the evidence pointed towards China – an attribution now widely accepted among security professionals. The OPM hack gave Beijing access to federal workers’ personal data, including that of those with the highest security clearance level.
The well-known hack of Juniper Networks, a vendor of corporate virtual private network (VPN) equipment, was traced to a backdoor installed by the US National Security Agency in the dual elliptic curve random number generator (Dual_EC_DRBG). The backdoor served the NSA’s effort to collect data passing through Juniper’s VPN products, but Chinese hackers used the same backdoor to hack Juniper Networks.
A State’s own cyber capability can thus be turned against it, in a hack exploiting the same vulnerabilities it uses for passive espionage. The People’s Liberation Army Strategic Support Force operates on the ‘three warfares’ model, combining psychological, public-opinion, and legal warfare.
Targeting critical infrastructure
The AIIMS hack and the ransom demand have created a perception that the data of most elite medical institutions are vulnerable.
We are looking at a distributed network of State-backed, State-sponsored, and State-protected cyber operators, which provides China’s intelligence agencies with resources far beyond their officially hired staff.
“Even within the MSS there are subordinate units in every region and major city of China that often take the lead on foreign operations. Put together, these local counterparts likely have well over 100,000 employees – perhaps ten times more than the MSS’s headquarters,” wrote Alex Joske in his book Spies and Lies: How China’s Greatest Covert Operations Fooled the World.
In the context of Chinese advanced persistent threat (APT) activity, Taiwan’s Team T5 has observed the rise of the “APT+InfoOp model”, which combines information operations with the hacking and leaking of confidential data. The aim is to send the other party a message about the attacker’s capability to cause disruptive damage and to influence public opinion.
In the cyber domain, cyberattacks serve as signalling when a nation state wants to keep escalation below a certain threshold.
Gone are the days when China’s cyber espionage and hacking campaigns were targeted at Tibetans in Dharamsala. We are living in a new world in which APTs target India’s critical infrastructure. The intrusion of malware into the Mumbai electric grid last year was a wake-up call that India ignored. It was the type of cyber signalling that States can now use to send the message of resolve to adversaries during a conflict.
India’s lax response to the attack on critical infrastructure such as AIIMS results from a clear lack of guidelines on which entity should respond in such a scenario: Indian Army or government agencies?
Cyber hacks aren’t always the result of a sophisticated network intrusion; often, lax cybersecurity practices allow an APT to get in. The humans in charge of protecting the network, and the mistakes they make, are the ultimate vulnerability that an APT seeks to exploit.
In recent years, private cyber operators have posted stolen data online, where it is then up for purchase on the open market. The AIIMS hackers haven’t leaked a sample of the data, unlike in the breach of the Shanghai police database, where the data was left unprotected for more than a year before a hacker posted samples to elicit a ransom. That breach resulted from poorly maintained IT systems and revealed that the Chinese government’s data management isn’t always secure.
A new mindset of centralised cyber incident monitoring will be required to respond to an almost daily barrage of cyberattacks.
Taiwan has been at the forefront of fighting cyberattacks and may have a playbook to offer.
The AIIMS hack wasn’t very sophisticated and could have been stopped by upgrading the IT systems and patching vulnerabilities regularly.
Chinese APT groups – or even State-backed institutions – may be behind the AIIMS hack, but that doesn’t change the fact that India’s network systems are old and need critical upgrades. The new mantra of cyber hygiene amounts to constant training and upgrading of IT systems to fend off hacking attempts.
In the cyber domain, the moral dimension of international relations appears rather fickle. The new cybersecurity strategy must be comprehensive enough to protect critical infrastructures such as AIIMS and power grids.
The author is a columnist and a freelance journalist. He was previously a China media journalist at the BBC World Service. He tweets @aadilbrar. Views are personal.