
The official website of AIIMS Delhi is infected with adware

The biggest cyber attack, allegedly carried out by Chinese hackers, targeted AIIMS Delhi, one of the most prominent and reputed hospitals and medical institutions in the world.

As per the reports, one of the systems was infected with ransomware after an AIIMS employee opened a suspicious email attachment; the infection then spread across all the systems, including the AIIMS core servers.

The ransomware encrypted the data stored on various computers, including the systems in the main server room, and the attackers demanded 200 crore rupees to decrypt it. After the cyber attack, all online services, and offline ones as well, were halted for several days.

Government agencies, including C-DAC, CBI, NIA, and CERT-In (Indian Computer Emergency Response Team), managed to recover some of the data so that OPD services could resume, but those services had to be run manually. Until the cyber team restored the data, sanitised the entire AIIMS system, and removed the ransomware, all services were operated manually.

It took several days for the cyber team to scan all of the systems, install strong anti-virus software, and set up new servers to protect against future attacks.

Although the cyber team restored all the halted services, it did not comment on the data breach. Since the amount demanded by the attackers was not paid, it is possible that the hackers will put the data up for sale on the dark web.

Furthermore, the data may contain personal and sensitive information about AIIMS officials, employees, and patients.

On December 25th, 2022, the founder of Isrg KB, Isrg Rajan, found that the official website of AIIMS was infected with adware. He wrote a letter to the director of AIIMS informing him of the risks, such as the insertion of malicious code, and also identified the source of the compromise and a way to remove it.

The official website of AIIMS, aiims.edu, was using a third-party hit counter from websiteout.net. Most third-party hit counters simply generate an image URL to display the count, but the websiteout.net counter used a PHP endpoint that redirected to ‘https://counter.websiteout.net/compte.php?S=www.aiims.edu&C=30&D=10&N=22368976&M=0’ and also loaded a malicious JavaScript file from ‘https://counter.websiteout.net/close-firstchild.js’ (archived here). That script contained the following malicious code, which can add and load any type of content on the targeted website:

[Image: Js Code: source code of counter.websiteout.net/close-firstchild.js]

[Image: Aiims Ad: ad injected by websiteout.net]
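As an added example (not code from the article, from AIIMS or from websiteout.net), the following Python script shows the kind of check a site owner can run to catch a third-party include like the one above: it parses a page's HTML, reports script, iframe and image sources loaded from hosts outside an allowlist, and reports allowlisted scripts that carry no Subresource Integrity hash. The sample HTML, the allowlisted host cdn.example-allowed.org and the integrity value are constructed for the example.

```python
# Added example (not from the Isrg KB article): audit a page's HTML for
# third-party resources outside an allowlist and scripts that lack SRI.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page modelled on the hit-counter include described above.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-allowed.org/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://counter.websiteout.net/close-firstchild.js"></script>
</head><body>
<a href="https://counter.websiteout.net/compte.php?S=www.aiims.edu&C=30">
<img src="https://counter.websiteout.net/counter.png"></a>
</body></html>
"""

class ExternalResourceAuditor(HTMLParser):
    """Collect script/iframe/img sources and note whether scripts carry SRI."""
    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, host, has_integrity)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "img"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = urlparse(src).netloc  # empty for same-origin relative paths
        self.resources.append((tag, host, "integrity" in a))

def audit(html, allowed_hosts):
    """Return findings: unlisted third-party hosts, allowlisted scripts without SRI."""
    parser = ExternalResourceAuditor()
    parser.feed(html)
    findings = []
    for tag, host, has_sri in parser.resources:
        if not host:
            continue  # same-origin resource, nothing to flag here
        if host not in allowed_hosts:
            findings.append(f"unlisted third-party {tag} from {host}")
        elif tag == "script" and not has_sri:
            findings.append(f"allowlisted script from {host} has no SRI hash")
    return findings

FINDINGS = audit(SAMPLE_HTML, {"cdn.example-allowed.org"})
```

Running it on the sample flags both the counter script and the counter image as coming from an unlisted host; adding `counter.websiteout.net` to the allowlist instead leaves a single finding, that its script is loaded without an integrity hash.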

The ads carried the Google AdSense Publisher ID “pub-5486891678306037”, which can be found at https://websiteout.net/ads.txt (archived here). In 2021, Google and other advertising networks made “ads.txt” mandatory for all publishers. Although aiims.edu has no ads.txt file, the owner of websiteout.net may or may not be earning revenue from the ads.

More seriously, websiteout.net could inject other malicious code in the same way, given that it is already showing advertisements, some of them health-related, which may mislead people. Following such an advertisement can also take patients to a different website.

On investigation, it was found that websiteout.net redirects to websiteout.ca, and the WHOIS records of both domains show that websiteout.net owns websiteout.ca (WHOIS records of websiteout.ca and websiteout.net archived at archive.org).

The AIIMS team acted and removed the malicious script.

Isrg KB Web Team