RingSafe Threat Intel Update — Storm-XXXX (scenario actor) / Healthcare-IN — 22 May 2026
Pattern observed
The playbook Storm-XXXX (scenario actor) runs against Indian healthcare looks like this:
- Internet-scan for Veeam Backup & Replication consoles on port 9401, focused on Indian IP ranges.
- Exploit CVE-2025-23120 deserialization to drop a Cobalt Strike beacon on the backup server.
- Use the backup server’s stored hospital-domain admin credentials to pivot into Active Directory.
- Disable Microsoft Defender by tampering with its protection settings, then exfiltrate the patient PHI dataset over 4-7 days.
- Detonate ransomware on a Friday evening, simultaneously hitting the EMR, billing systems, and backup repositories.
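The staged playbook above maps to four observable events on or around the backup server, and a detection that correlates them is more robust than alerting on any one stage. The following is an added example written for this update, not RingSafe tooling or anything from the scenario: it runs over constructed sample events (host names, addresses and byte counts are made up) shaped loosely like Windows Security, Defender operational and Sysmon records, and assumes the defender keeps an inventory of backup servers and the storage targets they are allowed to reach. The Defender event IDs 5001/5010/5012 are the real operational-log IDs for protection being disabled; the hit threshold and lateral-logon logic are assumptions to tune locally.

```python
"""Correlate backup-server telemetry against the four-stage playbook.
Added example; sample events and inventories below are constructed."""
from collections import defaultdict

# Assumed inventory: backup servers and the only egress they should need.
BACKUP_SERVERS = {"BKP-VEEAM01"}
ALLOWED_STORAGE = {"10.50.9.10", "10.50.9.11"}
# Real Defender operational-log IDs: 5001 real-time protection disabled,
# 5010 scanning disabled, 5012 antivirus disabled.
DEFENDER_TAMPER_IDS = {5001, 5010, 5012}
# Interpreters a backup service process has no reason to spawn.
LOLBINS = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe"}
EXFIL_BYTES = 1_000_000_000  # 1 GB to a non-storage destination (assumed threshold)

# Constructed sample events; "log" disambiguates the ID namespaces.
SAMPLE_EVENTS = [
    {"log": "security", "host": "BKP-VEEAM01", "id": 4688,
     "image": "powershell.exe", "parent": "Veeam.Backup.Service.exe"},
    {"log": "security", "host": "DC01", "id": 4624, "logon_type": 10,
     "user": "HOSPITAL\\veeam-svc", "src": "BKP-VEEAM01"},
    {"log": "security", "host": "EMR-DB01", "id": 4624, "logon_type": 3,
     "user": "HOSPITAL\\veeam-svc", "src": "BKP-VEEAM01"},  # routine backup logon
    {"log": "defender", "host": "BKP-VEEAM01", "id": 5001},
    {"log": "sysmon", "host": "BKP-VEEAM01", "id": 3, "dst": "203.0.113.77", "bytes": 600_000_000},
    {"log": "sysmon", "host": "BKP-VEEAM01", "id": 3, "dst": "203.0.113.77", "bytes": 700_000_000},
    {"log": "sysmon", "host": "BKP-VEEAM01", "id": 3, "dst": "10.50.9.10", "bytes": 40_000_000_000},
]


def veeam_spawned_shell(events):
    """Stage 1: a Veeam service process on a backup server spawning an interpreter."""
    return [e for e in events
            if e["log"] == "security" and e["id"] == 4688
            and e["host"] in BACKUP_SERVERS
            and e.get("parent", "").lower().startswith("veeam.")
            and e.get("image", "").lower() in LOLBINS]


def interactive_logon_from_backup(events):
    """Stage 2: interactive (2) or RDP (10) logons sourced from a backup server.
    Network logons (type 3) are normal backup traffic and are ignored."""
    return [e for e in events
            if e["log"] == "security" and e["id"] == 4624
            and e.get("src") in BACKUP_SERVERS
            and e.get("logon_type") in (2, 10)]


def defender_tampered(events):
    """Stage 3: Defender protection disabled on a backup server."""
    return [e for e in events
            if e["log"] == "defender" and e["id"] in DEFENDER_TAMPER_IDS
            and e["host"] in BACKUP_SERVERS]


def unexpected_egress(events, threshold=EXFIL_BYTES):
    """Stage 4: bytes from a backup server to anything but its storage targets,
    summed per (host, destination) so slow exfiltration still crosses the bar."""
    totals = defaultdict(int)
    for e in events:
        if (e["log"] == "sysmon" and e["id"] == 3
                and e["host"] in BACKUP_SERVERS
                and e["dst"] not in ALLOWED_STORAGE):
            totals[(e["host"], e["dst"])] += e.get("bytes", 0)
    return {k: v for k, v in totals.items() if v >= threshold}


def correlate(events):
    """Return which stages fired and whether to escalate (two or more stages)."""
    stages = {
        "initial_access": bool(veeam_spawned_shell(events)),
        "lateral_movement": bool(interactive_logon_from_backup(events)),
        "defense_evasion": bool(defender_tampered(events)),
        "exfiltration": bool(unexpected_egress(events)),
    }
    hits = [s for s, fired in stages.items() if fired]
    return {"stages": stages, "score": len(hits), "escalate": len(hits) >= 2}


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The escalation rule is deliberately a count of stages rather than a single indicator: a Veeam process spawning PowerShell alone may be a legitimate pre-job script, and one interactive logon from the backup host may be an administrator, but both plus Defender going dark on the same host is the scenario above.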
Why the backup server is the weak link
Backup servers historically sit in a “trust” zone — they need broad credentials to back up everything, they are rarely segmented, they often run unpatched because backup downtime is itself an availability incident. For an attacker, owning the backup server simultaneously enables (a) deeper lateral movement, (b) destruction of the recovery option, and (c) credential theft. It is the single highest-value target inside most hospital networks.
RingSafe analysis
The ABDM connectivity factor is what makes this campaign especially dangerous for Indian patients. A compromised hospital that is an ABDM-linked Health Information Provider (HIP) leaks not just its own EHR data, but the patient’s federated health ID linkages — meaning the breach can propagate downstream to every other provider in the patient’s longitudinal record.
NHA’s HIP empanelment process does not currently require an annual security audit, and we expect this to change in the next ABDM amendment cycle following this campaign.
Defender checklist for hospital IT teams
- Patch Veeam Backup & Replication to 12.3.1 or later today.
- Move the Veeam console off the corporate Active Directory and onto a dedicated tier-0 management forest with its own admin accounts.
- Network-segment the backup VLAN: deny inbound from user/clinical VLANs, allow only outbound to specific storage targets.
- Enable immutability on your backup target (Wasabi/S3 Object Lock, Azure immutable blob, or hardened Linux repository).
- Brief the CIO that ABDM HIP membership now carries breach-propagation risk; review your vendor security clauses accordingly.
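The first four checklist items are things a hospital IT team can verify mechanically rather than by interview. The script below is an added example, not RingSafe's tooling: it audits a backup server's recorded posture against those items. The 12.3.1 floor comes from this update; the posture record format, the firewall rule format, the corporate domain name, the clinical VLAN ranges and the storage target range are constructed assumptions to replace with your own inventory.

```python
"""Audit a backup server's posture against the checklist above.
Added example; every inventory value below is a constructed assumption."""
import ipaddress

MIN_VEEAM = (12, 3, 1)                  # patch floor named in the update
CORP_DOMAIN = "hospital.local"          # assumed production AD the console should leave
CLINICAL_VLANS = {"10.10.0.0/16", "10.20.0.0/16"}   # assumed user/clinical ranges
STORAGE_TARGETS = {"10.50.9.0/24"}                 # assumed repository range


def parse_version(s):
    """Veeam reports four-part build strings such as 12.3.1.1139; compare numerically
    so that 12.10 sorts after 12.3 (a plain string compare gets this wrong)."""
    return tuple(int(p) for p in s.split("."))


def version_ok(installed, floor=MIN_VEEAM):
    return parse_version(installed)[:len(floor)] >= floor


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def inbound_from_clinical(rule):
    """Any overlap between an inbound allow and a clinical VLAN is a finding."""
    return rule["dir"] == "in" and any(_net(rule["src"]).overlaps(_net(v)) for v in CLINICAL_VLANS)


def outbound_not_to_storage(rule):
    """An outbound allow must sit entirely inside a storage target; a broad
    0.0.0.0/0 allow overlaps storage but is not a subnet of it, so it fails."""
    return rule["dir"] == "out" and not any(_net(rule["dst"]).subnet_of(_net(t)) for t in STORAGE_TARGETS)


def audit(posture):
    """Return a list of findings; an empty list means the four checks pass."""
    findings = []
    if not version_ok(posture["veeam_version"]):
        findings.append(f"Veeam {posture['veeam_version']} is below 12.3.1 (CVE-2025-23120 unpatched)")
    if posture["domain"].lower() == CORP_DOMAIN:
        findings.append("console is joined to corporate AD; move it to a tier-0 management forest")
    for rule in posture["firewall"]:
        if rule["action"] != "allow":
            continue                     # denies are what we want; only allows are audited
        if inbound_from_clinical(rule):
            findings.append(f"inbound allow from clinical range {rule['src']}")
        if outbound_not_to_storage(rule):
            findings.append(f"outbound allow to non-storage destination {rule['dst']}")
    if not posture["immutable_repo"]:
        findings.append("backup repository has no immutability / object lock")
    return findings


# Constructed postures: one as the scenario finds it, one after the checklist.
WEAK = {
    "veeam_version": "12.3.0.310",
    "domain": "HOSPITAL.LOCAL",
    "firewall": [
        {"dir": "in", "src": "10.10.0.0/16", "dst": "10.50.8.5/32", "action": "allow"},
        {"dir": "out", "src": "10.50.8.5/32", "dst": "0.0.0.0/0", "action": "allow"},
    ],
    "immutable_repo": False,
}
HARDENED = {
    "veeam_version": "12.3.1.1139",
    "domain": "mgmt-t0.local",
    "firewall": [
        {"dir": "in", "src": "10.10.0.0/16", "dst": "10.50.8.5/32", "action": "deny"},
        {"dir": "in", "src": "10.90.0.0/24", "dst": "10.50.8.5/32", "action": "allow"},
        {"dir": "out", "src": "10.50.8.5/32", "dst": "10.50.9.0/24", "action": "allow"},
    ],
    "immutable_repo": True,
}

if __name__ == "__main__":
    for name, posture in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(posture) or "no findings")
```

The outbound check uses subnet containment rather than overlap on purpose: a catch-all egress rule does overlap the storage range, which is exactly the hole that lets the staged exfiltration leave the backup VLAN. Extend STORAGE_TARGETS with the management-forest addresses the console legitimately needs before running this against a real rule set.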
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.