At the beginning of the Covid-19 pandemic, digital acceptance increased to an unprecedented extent. With lockdowns and physical distancing measures, pharmaceutical companies have quickly migrated to remote working and cloud-based systems.
At the same time, their race to develop a vaccine made headlines. Pharmaceutical companies were de facto entrusted with ending the pandemic, making them an attractive target for hackers trying to steal trade secrets.
This created a perfect storm for cybercrime and gave hackers both the means and the motivation to step up their criminal activities. It was just the latest iteration of a problem that has worsened over the past decade. And it highlighted the vital importance of cybersecurity, especially where public health is at stake.
2014: Dragonfly attack on pharmaceutical suppliers
In September 2014, it emerged that a cyber espionage campaign had focused on the pharmaceutical industry. The campaign, known as Dragonfly or Energetic Bear, was originally intended to target critical infrastructures in the energy industry. However, when the researchers took a closer look at the threat, they found that the likely target was actually the pharmaceutical industry.
Cyber expert Joel Langill concluded that the attackers were motivated by the intellectual property theft, not just causing disruption or downtime.
“The potential harm could include theft of proprietary recipes and production batch sequence steps, as well as network and device information that shows production quantities and capacities,” he noted in a report for Belden.
First, the group used spear phishing to gather data on companies supplying the sector. Next, they trojanized these companies’ software so that they could download specific components of industrial control systems (ICS). This, in turn, allowed them to steal intellectual property, most likely for the purpose of forgery.
Specifically, the target companies were small businesses with fewer than 50 employees and their website CMS used open source software. From an attacker’s point of view, their servers were easier to compromise.
Dragonfly is believed to be related to another industrial espionage campaign, Epic Turla. In relative terms, the damage done wasn’t too great. However, these were some of the earliest high-profile cyberattacks against the industry and a wake-up call for the pharmaceutical supply chain.
2017: NotPetya attack on Merck
One of the most devastating cyberattacks in history, the NotPetya attack was primarily a Russian attack on Ukraine. However, it affected hundreds of companies as a form of “collateral damage”.
Including the pharmaceutical giant Merck, which was running infected tax software in its Ukrainian office. From there, the malware spread throughout the company, destroying around 30,000 computers in sales, manufacturing, and research departments. After that, according to Bloomberg, there was “nothing to do” with the drug manufacturer for two weeks.
According to initial estimates, the malware caused damage of 870 million US dollars. The production of Gardasil 9, the HPV vaccine, was so severely interrupted that Merck had to borrow all emergency supplies from the US government. In addition, potential sales of $ 410 million were lost – and insurers did not pay because they did not insure against “acts of war”. The company retaliated by suing its insurers for $ 1.3 billion.
In its 2018 annual report, Merck said that it has “implemented a variety of measures to further improve and modernize its systems in order to protect itself against similar attacks in the future”. The aim is “not only to protect against future cyber attacks, but also to improve the speed at which the company can recover from such attacks and to enable continued business operations”.
2018-19: Winnti attacks on Bayer and Roche
The attacks by Winnti, believed to be linked to a state-backed hacking group from China, targeted Bayer in 2018.
Operating since 2010, the Winnti Group has targeted multiple sectors in multiple regions and is best known for the increasing attacks on the online video game industry. Evidence that drug companies might have an eye on it surfaced back in 2015.
Bayer noticed the Winnti infections in early 2018. Instead of removing the virus, the drug maker decided to isolate and monitor the malware to determine its source.
Although Bayer said there was no evidence of data theft, the campaign appeared to be aimed at industrial espionage. Winnti uses stolen certificates to sign the malware, and once the malicious script is installed, the hackers get remote access to the victim’s computer.
A year later it turned out that Roche had also been targeted; However, similar to Bayer, the company claimed that it was not seriously compromised by the attack.
A company spokesperson said: “Roche has been targeted by various attackers in the past, including the group known as Winnti. These attacks have been identified and corrected. Roche has not lost any of the sensitive personal data of our employees, patients, customers or business partners. ”
2020: Data breach at Dr. Reddy’s Laboratories
Cyber attacks against businesses exploded during the pandemic, and the healthcare sector was no exception. The UK’s National Cyber Security Center (NCSC) reported over 200 attacks specifically related to the pandemic, including an attack on vaccine research “almost certainly” by Russian intelligence agencies.
Meanwhile, tech company IBM discovered a number of cyberattacks targeting the cold chain of vaccines, particularly those involved in distribution and government agencies. It was not clear whether the perpetrators wanted to steal the IP or sabotage the rollout.
In October 2020, the Indian drug manufacturer Dr. Reddy’s Laboratories shut down manufacturing facilities after cyber attack. In addition to isolating all data centers, plants in the USA, Great Britain, Brazil, India and Russia were closed.
The incident happened just as Dr. Reddy’s prepared for the final phase of trials with the Russian Sputnik-V vaccine. The targeted servers contained clinical trial data – invaluable intellectual property at this point in the pandemic.
CIO Mukesh Rathi said, “We expect all services to be available within 24 hours and we do not see any major impact on our operations as a result of this incident.
2020: Attacks on Pfizer / BioNTech and AstraZeneca
Dr. Reddy’s data breach wasn’t the only attack on a vaccine manufacturer. In December 2020, the European Medicines Agency (EMA) announced that it had been exposed to a cyber attack. Some documents related to the Pfizer / BioNTech vaccine were illegally accessed during the violation.
The malicious actors (whose identities remain unknown or unknown) accessed Word documents, PDFs, email screenshots, PowerPoint presentations, and EMA peer-reviewed comments, all of which related to the regulatory filing of the vaccine. This data was leaked a month later, albeit in an edited format.
“Not all documents were published in their integral, original form and may have been taken out of context … Additional titles were added by perpetrators to undermine confidence in vaccines,” the EMA said.
Around the same time, North Korean hackers were reported to have used a spear phishing campaign to target AstraZeneca. The hackers posed as job brokers on LinkedIn and WhatsApp and turned to AstraZeneca employees (including those working on the Covid-19 vaccine) with fake job offers. The idea was to gain access to the victims’ computers.
North Korean actors also tried to steal vaccine information from Johnson & Johnson and Novovax, as well as three South Korean drug companies, according to the Wall Street Journal.
With the industry in the spotlight, the pharmaceutical industry is again under pressure to step up its cybersecurity measures. A 2020 report by IBN and the Ponemon Institute found that the average cost of a security breach was $ 5 million.
The report recommended that pharmaceutical companies “take a comprehensive approach to hybrid and multi-cloud authorization management”. This can mean using advanced analytics to track the identities on their network while enforcing “least privilege” policies. And with cybercrime remaining a moving target, flexibility and responsiveness are certainly vital.