
Chinese threat actor ChamelGang behind AIIMS ransomware attack, claims new report

SentinelOne discovered files encrypted by the CatB ransomware, which has been associated with the ChamelGang APT group, said senior threat researcher Aleksandar Milenkoski

June 26, 2024 / 15:30 IST
AIIMS was subjected to a massive ransomware attack in 2022

The 2022 AIIMS ransomware attack brought all digital services at the critical hospital in the national capital to a standstill. While an investigation into the attack revealed that there may have been a foreign hand in it, there was no clarity on who perpetrated it -- until now.

A new report by the US-based cybersecurity research company SentinelOne claims that the attack was perpetrated by the Chinese threat actor ChamelGang and that the group used the ransomware known as CatB to cripple the hospital's systems.

Moneycontrol has reviewed the report shared by SentinelOne's SentinelLabs.

SentinelOne came to the conclusion based on analysis of forensic artifacts and samples uploaded to malware-sharing platforms.

The report, shared exclusively with Moneycontrol, also claims that ChamelGang targeted an aviation organization in India in 2023.

"We have suspected for some time the involvement of a Chinese threat group in the attack against AIIMS. Suspected Chinese APT groups are active in the Indian subcontinent and are likely driven by China's strategic interests in the region for several reasons, including regional rivalries, geopolitical tensions...," Aleksandar Milenkoski, senior threat researcher at SentinelLabs, told Moneycontrol.

"Due to the lack of publicly released technical details on the attack against AIIMS, we focused on investigating artifacts uploaded to malware sharing platforms in search of indicators that would allow us to attribute the attack," he said.

"During our research, we discovered files encrypted by the CatB ransomware, which has been associated with the ChamelGang APT group by TeamT5. These files contain indicators that point to AIIMS, leading us to associate ChamelGang with the attack," Milenkoski added.

However, Milenkoski notes that malware is extensively shared in the Chinese APT ecosystem (among different threat actors). "Therefore, we do not rule out the possibility of other threat groups within this ecosystem also using this malware," he added.

SentinelOne declined to comment when asked whether these findings were shared with Indian authorities and regarding the aviation organisation from India that was targeted by ChamelGang.

Moneycontrol has reached out to AIIMS, the Indian Computer Emergency Response Team and the Ministry of Civil Aviation for comments on the matter and the article will be updated when a response is received.

The analysis behind the conclusion

The report said that SentinelOne observed multiple files encrypted by the CatB ransomware that were uploaded to a malware-sharing platform from India in November 2022.

They found that the ransom note is placed at the beginning of each of these files and features email addresses similar to those that certain Indian news outlets reported as the source of the ransomware.

Amid the host of encrypted files on the malware-sharing site, SentinelOne found one non-encrypted file which was uploaded in conjunction with a CatB-encrypted file. "Our analysis of (the file) revealed strong indicators pointing to AIIMS," the report said.

The US-based company also found a file indicating that it had been used in an Indian time zone; it also contained a private IP address with the URL path eHospitalLIS -- which the company sees as a connection to AIIMS' eHospital platform, which was affected in the incident.
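The attribution steps described above (a ransom note prepended to each encrypted file, contact email addresses in that note, and a companion plaintext file carrying a private IP address, a URL path and a time-zone hint) amount to an artifact-triage routine. The script below is an added illustration of that routine and is not code from SentinelOne's report or from Moneycontrol. Everything in it is constructed: the note delimiters are hypothetical (the page does not describe CatB's real note layout), and the file names, email addresses, IP addresses and URLs are sample values chosen for the example, not the indicators the researchers found.

```python
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Hypothetical note delimiters, not CatB's real layout: the article only says
# the note sits at the start of each encrypted file and carries contact emails.
NOTE_MARKER = b"---BEGIN RANSOM NOTE---"
NOTE_END = b"---END RANSOM NOTE---"

# Constructed sample artifacts standing in for the uploaded files.
SAMPLES: Dict[str, bytes] = {
    "report.pdf.encrypted": (
        NOTE_MARKER
        + b"\nYour files are encrypted. Contact us:\n"
        + b"recover-example@example.com, backup-example@example.net\n"
        + NOTE_END + b"\n"
        + bytes(range(256))  # stand-in for ciphertext
    ),
    "config.ini": (
        b"[app]\n"
        b"tz=Asia/Kolkata\n"
        b"lis_url=http://10.20.30.40/eHospitalLIS/api/v1/results\n"
        b"mirror=http://203.0.113.5/status\n"  # documentation address, not RFC 1918
    ),
}

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
TZ_RE = re.compile(rb"Asia/Kolkata|\bIST\b")  # hints that the host ran on Indian time
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_ransom_note(data: bytes) -> Optional[bytes]:
    """Return the note prepended to an encrypted file, or None if there is none."""
    if not data.startswith(NOTE_MARKER):
        return None
    end = data.find(NOTE_END)
    return data[len(NOTE_MARKER):end if end != -1 else len(data)]


def find_private_ips(data: bytes) -> List[str]:
    """Collect RFC 1918 addresses; a dotted quad that is not a valid address is skipped."""
    found = []
    for m in IPV4_RE.finditer(data):
        try:
            ip = ipaddress.ip_address(m.group().decode())
        except ValueError:
            continue
        if any(ip in net for net in RFC1918):
            found.append(str(ip))
    return list(dict.fromkeys(found))


def find_url_paths(data: bytes) -> List[str]:
    """Return the path component of every URL in the file, in order, deduplicated."""
    paths = [urlsplit(m.group().decode(errors="replace")).path for m in URL_RE.finditer(data)]
    return list(dict.fromkeys(p for p in paths if p))


def triage(samples: Dict[str, bytes]) -> Dict[str, dict]:
    """Build a per-file indicator summary of the kind an analyst would pivot on."""
    report = {}
    for name, data in samples.items():
        note = extract_ransom_note(data)
        report[name] = {
            "has_ransom_note": note is not None,
            "note_contacts": [e.decode() for e in EMAIL_RE.findall(note or b"")],
            "private_ips": find_private_ips(data),
            "url_paths": find_url_paths(data),
            "timezone_hints": [t.decode() for t in TZ_RE.findall(data)],
        }
    return report


def files_referencing(report: Dict[str, dict], keyword: str) -> List[str]:
    """Names of files whose URL paths mention keyword (case-insensitive)."""
    kw = keyword.lower()
    return [n for n, r in report.items() if any(kw in p.lower() for p in r["url_paths"])]


if __name__ == "__main__":
    summary = triage(SAMPLES)
    for name, indicators in summary.items():
        print(name, indicators)
    print("files pointing at eHospitalLIS:", files_referencing(summary, "eHospitalLIS"))
```

The private-address check is deliberately limited to the RFC 1918 ranges rather than Python's broader `is_private`, which also flags documentation and other special-purpose blocks; for this kind of pivot an analyst wants only addresses that imply an internal network, and the URL-path match is what ties such an address to a named application.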

What it means

"The use of ransomware by cyberespionage threat groups blurs the lines between cybercrime and cyberespionage, providing adversaries with advantages from both strategic and operational perspectives," the report said.

"The operational methods of APT clusters, such as ChamelGang, the APT41 umbrella, and the recently discovered Moonstone Sleet, highlight that ransomware intrusions are not exclusively conducted by financially-motivated threat actors," it added.


Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Jun 26, 2024 03:30 pm
