At the start of the Covid-19 pandemic, digital adoption increased at a rate never seen before. With lockdowns and physical distancing measures in place, pharma companies rapidly moved towards remote working and cloud-based systems.
At the same time, their race to develop a vaccine commanded headlines. Pharma companies were effectively entrusted with ending the pandemic, making them an attractive target for hackers who wanted to steal trade secrets.
This created a perfect storm for cybercrime, giving hackers both the means and the motivation to step up their criminal activities. It was just the latest iteration of a problem that has been intensifying over the last ten years. And it highlighted the critical importance of cybersecurity, particularly where public health is at stake.
2014: Dragonfly attack on pharma suppliers
In September 2014, it emerged that a cyber-espionage campaign had turned its focus to the pharma industry. The campaign, known as Dragonfly or Energetic Bear, was initially thought to be targeting critical infrastructure in the energy industry. However, when researchers explored the threat in greater depth they found that the probable target was actually pharma.
Cyber expert Joel Langill concluded that the attackers were motivated by intellectual property theft, as opposed to simply causing disruption or downtime.
“The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities,” he remarked in a report for Belden.
First, the group used spear-phishing to collect data about companies that supply the sector. Next, they ‘trojanised’ these companies’ software, allowing them to download specific industrial control system (ICS) components. This in turn enabled them to steal intellectual property, most likely for the purpose of counterfeiting.
Notably, the companies targeted were small, with fewer than 50 employees, and their website CMS used open-source software. From an attacker’s perspective, their servers were easier to compromise.
Dragonfly was thought to be related to another industrial espionage campaign, Epic Turla. Relatively speaking, the damage wreaked wasn’t too significant. However, these were some of the first high-profile cyber-attacks against the industry and a wake-up call to the pharma supply chain.
2017: NotPetya attack on Merck
One of the most devastating cyberattacks in history, the NotPetya attack was first and foremost a Russian attack against Ukraine. However, it affected hundreds of companies as a form of ‘collateral damage’.
Among them was pharmaceutical giant Merck, which was running an infected tax software application in its Ukraine office. From there, the malware spread across the organisation, taking down around 30,000 computers across sales, manufacturing and research units. After that, there was “nothing to be done” at the drugmaker for two weeks, according to Bloomberg.
Initial estimates suggested the malware caused $870m worth of damage. It disrupted production of Gardasil 9, the HPV vaccine, to the point that Merck had to borrow the US Government’s entire emergency supply. It also lost potential sales of $410m – and insurers wouldn’t pay out as they didn’t cover against ‘acts of war’. The company retaliated by suing its insurers for $1.3bn.
In its 2018 annual report, Merck said it has “implemented a variety of measures to further enhance and modernize its systems to guard against similar attacks in the future”. It said the objective was “not only to protect against future cyberattacks but also to improve the speed of the Company’s recovery from such attacks and enable continued business operations”.
2018-19: Winnti attacks on Bayer and Roche
The Winnti attacks, thought to be linked to a state-backed hacking group from China, targeted Bayer in 2018.
Active since 2010, the Winnti group has targeted multiple sectors in multiple geographies and is best known for mounting attacks against the online video games industry. Evidence that it might be eyeing pharma companies emerged as early as 2015.
Bayer noticed the Winnti infections at the start of 2018. Rather than removing the virus, the drugmaker decided to isolate and monitor the malware with a view to tracing its source.
Although Bayer said there was no evidence of data theft, the purpose of the campaign seemed to be industrial espionage. Winnti uses stolen certificates to sign the malware, and once the malicious script is installed, the hackers gain remote access to the victim’s computer.
A year later, it emerged that Roche had also been targeted; however, similar to Bayer, the company claimed that it hadn’t been seriously compromised by the attack.
A company spokesperson said: “Roche has been targeted by various attackers in the past, including the group known as Winnti. These attacks were detected and remediated. Roche hasn’t lost any sensitive personal data of our employees, patients, customers or business partners.”
2020: Data breach at Dr Reddy’s Laboratories
During the pandemic, cyberattacks against organisations skyrocketed, and the healthcare sector was no exception. The UK’s National Cyber Security Centre (NCSC) reported on over 200 attacks specifically related to the pandemic, including an attack on vaccine research ‘almost certainly’ from Russian intelligence services.
Meanwhile, technology company IBM detected a number of cyberattacks against the vaccine cold chain, specifically the companies and government agencies involved in distribution. Whether the perpetrators were looking to steal the IP or sabotage the rollout wasn’t clear.
In October 2020, Indian drugmaker Dr Reddy’s Laboratories was forced to shut several production facilities in the wake of a cyber attack. As well as isolating all data centres, it closed plants in the US, UK, Brazil, India and Russia.
The incident came just as Dr Reddy’s was gearing up for final stage trials on Russia’s Sputnik V vaccine. The servers targeted contained clinical trial data – an invaluable piece of intellectual property at this point in the pandemic.
CIO Mukesh Rathi said: “We are anticipating all services to be up within 24 hours and we do not foresee any major impact on our operations due to this incident.”
2020: Attacks on Pfizer/BioNTech and AstraZeneca
Dr Reddy’s data breach wasn’t the only attack on a vaccine maker. In December 2020, the European Medicines Agency (EMA) announced that it had been subject to a cyber attack. During the breach, some documents relating to the Pfizer/BioNTech vaccine had been unlawfully accessed.
The malicious actors (whose identity remains unknown or undisclosed) accessed Word documents, PDFs, email screenshots, PowerPoint presentations and EMA peer review comments, all relating to the regulatory submission of the vaccine. This data was leaked a month later, albeit in an edited format.
“Not all of the documents were published in their integral, original form and may have been taken out of context… Additional titles were added by the perpetrators in a way which could undermine trust in vaccines,” said the EMA.
Around the same time, it was reported that North Korean hackers had used a spear-phishing campaign to target AstraZeneca. Posing as job recruiters on LinkedIn and WhatsApp, the hackers approached AstraZeneca staff (including those working on the Covid-19 vaccine) with fake job offers. The idea was to gain access to victims’ computers.
According to the Wall Street Journal, North Korean actors also tried to steal vaccine information from Johnson & Johnson and Novavax, as well as three South Korean drugmakers.
With the industry in the spotlight, pharma is coming under renewed pressure to step up its cybersecurity measures. A 2020 report by IBM and the Ponemon Institute found that the average cost of a breach exceeds $5m, while threats take an average of 257 days to be detected and contained.
The report recommended that pharma companies should “take a comprehensive approach to hybrid and multi-cloud permissions management”. This might mean using advanced analytics to keep track of the identities on their network, while enforcing ‘least privilege policies’. And since cybercrime remains a moving target, flexibility and responsiveness are surely key.
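One concrete form the ‘least privilege’ recommendation above can take is a routine audit of the permission policies attached to cloud identities, flagging grants that are wider than any single job needs. The script below is an added example, not code from the article or from the IBM/Ponemon report. It assumes policies written in the AWS IAM JSON document format; the two sample policies, their names and the bucket ARNs in them are constructed for illustration and do not refer to any real account.

```python
"""Least-privilege audit for IAM-style JSON policy documents.

Added example. Assumes the AWS IAM JSON policy format (Version /
Statement / Effect / Action / Resource). Sample policies below are
constructed; names and ARNs are placeholders, not real resources.
"""
import json

# Constructed sample policies: one legacy "do everything" grant, one
# that is mostly scoped but still carries a wildcard resource.
SAMPLE_POLICIES = {
    "data-scientist-legacy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
        ],
    }),
    "trial-data-reader": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-trial-data",
                          "arn:aws:s3:::example-trial-data/*"]},
            {"Effect": "Allow",
             "Action": "iam:PassRole",
             "Resource": "*"},
        ],
    }),
}

SEVERITY_RANK = {"ok": 0, "medium": 1, "high": 2}


def _as_list(value):
    """IAM fields may be a string, a list or absent; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return a list of findings for one policy document.

    Each finding is {"statement": index, "severity": ..., "reason": ...}.
    Only Allow statements are examined: a Deny can never widen access.
    """
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # "NotAction" allows everything except the listed actions, which
        # is almost impossible to reason about under least privilege.
        if "NotAction" in stmt:
            findings.append({"statement": idx, "severity": "medium",
                             "reason": "NotAction grants every unlisted action"})
        for action in actions:
            if action == "*":
                findings.append({"statement": idx, "severity": "high",
                                 "reason": "allows every action"})
            elif action.endswith(":*"):
                findings.append({"statement": idx, "severity": "medium",
                                 "reason": f"service-wide wildcard {action}"})
        if "*" in resources:
            findings.append({"statement": idx, "severity": "medium",
                             "reason": "applies to every resource"})
    return findings


def summarize(policies):
    """Map each policy name to its worst severity ('ok' when nothing found)."""
    summary = {}
    for name, policy_json in policies.items():
        worst = "ok"
        for finding in audit_policy(policy_json):
            if SEVERITY_RANK[finding["severity"]] > SEVERITY_RANK[worst]:
                worst = finding["severity"]
        summary[name] = worst
    return summary


if __name__ == "__main__":
    for name, worst in summarize(SAMPLE_POLICIES).items():
        print(f"{name}: {worst}")
        for f in audit_policy(SAMPLE_POLICIES[name]):
            print(f"  statement {f['statement']}: [{f['severity']}] {f['reason']}")
```

Run against exported policy documents on a schedule, the `summarize` output is the kind of signal that tells an identity team which grants to trim first; the `audit_policy` findings give the exact statement to edit. The checks are deliberately simple string tests on the policy text, so they catch only the obvious over-grants and say nothing about what the identity actually uses, which is where the ‘advanced analytics’ the report mentions would come in.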