
Government's 2-factor authentication system 'Kavach' targeted in cyber attack: report


January 03, 2023 / 01:57 PM IST

The cyber attack on the All India Institute of Medical Sciences (AIIMS) was one of the worst on government critical infrastructure, but it will not be the last.

Threat actor campaigns continue to target government infrastructure: a recent study by the cybersecurity firm Securonix found that threat actors were targeting Kavach, the two-factor authentication system that protects the government's email accounts.

Although the Securonix Threat Research team was unable to confirm the identity of the attacker, they stated that this attack was similar to methods used by SideCopy, a threat actor attributed to Pakistan.

Kavach is a 2-factor authentication (2FA) system that the National Informatics Centre implemented last year to strengthen the government's email infrastructure. It has been made mandatory, and all government officials must use 2FA from Kavach to access their accounts.

A breach of this 2FA system would put key government officials' email accounts at risk.

Moneycontrol has reached out to the National Informatics Centre and the Indian Computer Emergency Response Team for more information on how the government is dealing with the situation and whether data has been compromised as a result of the attacks. The article will be updated once a response is received.

How does it work?

According to Securonix, the first stage of the attack was a phishing campaign. When a government official clicks the .LNK shortcut file attached to one of the phishing emails, the shortcut executes code that ultimately runs a remote access trojan (a type of malware) on the official's machine.

"Like with many attacks we see today, the initial infection begins with a phishing email containing a compressed file attachment (11222022.zip). When opened by the user, the file contains a single shortcut file designed to trick the user into opening it," Securonix researchers said in a blog.

The email's shortcut file is made to look like a harmless image file from an organisation such as Income Tax Delhi. "The purpose of the shortcut file is to appear simply as 'scanimg.png' to the user, thus luring them into thinking they are opening a harmless image file," Securonix said.
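As an added example (not code from the article or from Securonix), the following defender-side check inspects a mail attachment archive for Windows shortcut files that are named to pass as images, which is the lure described above. It identifies shortcuts by the .lnk extension and by the fixed LNK header from the MS-SHLLINK specification; the archive and member names are constructed for the demonstration.

```python
import io
import zipfile

# Magic prefix of a Windows Shell Link (.LNK): HeaderSize 0x4C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Inner extensions that make a shortcut look like a harmless document.
LURE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".pdf")


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that is a shortcut file.

    A member is flagged when its name ends in .lnk or its content starts
    with the LNK header. 'masquerade' is True when the name before .lnk
    looks like an image/document (e.g. scanimg.png.lnk), which Windows
    displays as 'scanimg.png' when known extensions are hidden.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(len(LNK_MAGIC))
            name = info.filename.lower()
            by_ext = name.endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if not (by_ext or by_magic):
                continue
            stem = name[:-4] if by_ext else name
            findings.append({
                "member": info.filename,
                "lnk_by_extension": by_ext,
                "lnk_by_magic": by_magic,
                "masquerade": stem.endswith(LURE_EXTS),
            })
    return findings


def build_sample() -> bytes:
    """Constructed sample archive mirroring the lure: a single shortcut named
    to look like an image, plus a benign text file for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scanimg.png.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample()):
        print(finding)
```

A mail gateway rule built on this check would quarantine archives containing any flagged member rather than relying on the displayed file name.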

Not the first time

This is not the first time Kavach has been targeted with the intent to circumvent 2FA capabilities. Talos Intelligence discovered that SideCopy/Transparent Tribe targeted Kavach by deceiving government officials into installing malware that posed as an installer or updater for Kavach.

"This campaign, which has been ongoing since at least June 2021, uses fake domains mimicking legitimate government and related organizations to deliver malicious payloads, a common Transparent Tribe tactic," Talos Intelligence said.

Last year, between July 7 and 14, hackers took down Kavach three times, according to a report by The Ken. The attack compromised the email account of former MeitY secretary Ajay Prakash Sawhney, the report said.

Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol