Russian hacktivist group Phoenix targeted Indian health management system, leading to compromised access

CloudSEK researchers disclosed that the Russian threat actor group Phoenix has targeted the Indian health ministry’s health management system. The group framed the attack as retaliation for India’s decision to comply with the sanctions imposed on Russia over Ukraine and with the G7 price cap on Russian oil.

CloudSEK’s blog post listed the impact of the Phoenix attack as compromised access to the HMIS portal and to hospital, employee, and physician data, along with the “Plausibility of further cyber attacks by such hacktivist groups under the pretext of India’s geopolitical stances. Selling exfiltrated license documents and PII on cybercrime forums. Conducting document fraud using PII and license documents.”

“On 15 March 2023, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor group claiming to have targeted an Indian government website,” the post disclosed. An analysis of the samples shared concluded that the affected entity is the Health Management Information System belonging to the Indian Ministry of Health. The threat actor group also claims to have access to the data of all hospitals in India, including their employees and chief physicians.

Citing the group’s Telegram channel, the CloudSEK post identified the motive as the sanctions imposed against the Russian Federation, which Indian authorities decided not to violate, and India’s compliance with the price ceiling on Russian oil approved by the G7 countries. “This decision resulted in multiple polls on the telegram channel of the Russian Hacktivist Phoenix asking the followers for their votes,” it added.

Operating since last January, the hacktivist group Phoenix has been observed using social engineering to lure victims into phishing scams, steal their passwords, and gain access to their bank or e-payment accounts. It has also conducted a series of DDoS attacks against multiple entities in the past.

The researchers also detailed that Phoenix has previously targeted hospitals in Japan and the U.K.; a U.S.-based healthcare organization serving the U.S. military; LGBTQ dating websites and community forums in Russia, with DDoS attacks; the Ministry of Health, the Federal Public Procurement Regulatory Authority, the Ministry of Food Control, the Supreme Court, the Ministry of Home Affairs, and a number of other departments of Pakistan; and the website of the Spanish Foreign Ministry, also with a DDoS attack.

This is not the first time India’s healthcare system has been attacked by hackers. In December, the Union government confirmed that five servers of the All India Institute of Medical Sciences (AIIMS) were affected by a cyberattack, and an estimated 1.3 terabytes of data was encrypted.

Rajeev Chandrasekhar, minister of electronics and information technology, said in a written reply to the nation’s Upper House that there was a ‘cyber security incident’ at AIIMS, which manages its own information and computer systems.

He added that the Indian Computer Emergency Response Team (CERT-In) evaluated the incident. “As per preliminary analysis, servers were compromised in the information technology network of AIIMS by unknown threat actors due to improper network segmentation, which caused operational disruption due to non-functionality of critical applications,” he said.

In February, ThreatMon researchers disclosed that SideCopy, a Pakistani threat group, had targeted Indian government entities using spear-phishing emails carrying a macro-enabled Word document. The malware delivered was a new version of ReverseRAT with enhanced obfuscation and sleep calls to evade detection.
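The SideCopy lure above relies on a macro-enabled Word attachment. As an added example, not code from ThreatMon, CloudSEK or any of the organizations named in this article, the following Python script shows the check a mail gateway or triage script can apply to such an attachment: open the OOXML container, look for a `vbaProject.bin` part and for a macro-enabled content type in `[Content_Types].xml`, and compare the result with what the file extension claims. The sample documents are constructed in memory; the content-type strings are the real OOXML values, while the verdict labels and function names are this example’s own choices.

```python
import io
import zipfile

# Real OOXML content types for a macro-free and a macro-enabled Word main part.
DOCX_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
MACRO_CONTENT_TYPES = {
    DOCM_MAIN_CT,
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-office.vbaProject",
}
VBA_PART = "vbaProject.bin"  # the part that holds compiled VBA inside an OOXML package


def inspect_office_file(data: bytes) -> dict:
    """Look inside an OOXML blob for VBA macro indicators.

    Returns three flags: is_ooxml (a zip with a content-types manifest),
    has_vba_part (a vbaProject.bin part exists) and macro_content_type
    (the manifest declares a macro-enabled main part or a VBA part).
    """
    result = {"is_ooxml": False, "has_vba_part": False, "macro_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container at all, so not OOXML
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["has_vba_part"] = any(n.endswith(VBA_PART) for n in names)
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_content_type"] = any(ct in manifest for ct in MACRO_CONTENT_TYPES)
    return result


def attachment_verdict(filename: str, data: bytes) -> str:
    """Classify an attachment from its content and the extension it was sent with.

    Verdict labels are this example's own: "not-ooxml", "clean",
    "macro-enabled" (macros present and the extension says so) and
    "macro-extension-mismatch" (macros present behind a macro-free extension).
    """
    info = inspect_office_file(data)
    if not info["is_ooxml"]:
        return "not-ooxml"
    if not (info["has_vba_part"] or info["macro_content_type"]):
        return "clean"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ("docm", "dotm"):
        return "macro-enabled"
    return "macro-extension-mismatch"


def build_sample(main_content_type: str, include_vba: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_content_type}"/>'
            "</Types>"
        )
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if include_vba:
            # Placeholder bytes standing in for a compiled VBA project (OLE header only)
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "agenda.docx": build_sample(DOCX_MAIN_CT, False),
        "agenda.docm": build_sample(DOCM_MAIN_CT, True),
        "agenda_renamed.docx": build_sample(DOCM_MAIN_CT, True),
        "notes.txt": b"plain text, not a zip",
    }
    for name, blob in samples.items():
        print(f"{name}: {attachment_verdict(name, blob)}")
```

The content-type check and the part-name check are kept separate on purpose: a tampered manifest can drop the macro-enabled content type while the `vbaProject.bin` part is still present, so either indicator alone is enough to flag the file. Extension-aware verdicts let a gateway treat a `.docm` sent to a finance mailbox differently from macro content hiding behind a `.docx` name.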
