Cyber Attacks in Pharma Industry: State-Sponsored Hackers Target Big Pharmaceuticals

Pharmaceuticals are prime targets for nation-state-sponsored hackers as they own crucial intellectual property on ground-breaking new drugs representing years of research & millions in investment.


Recent Cyber Attacks on Pharmaceutical Companies


Last year, several European pharmaceutical companies, including the Swiss giant Roche, were hit by attacks believed to have originated from a Chinese state-backed hacking group known as Blackfly. The hackers used malware known as “Winnti,” which was also used against other European manufacturers such as BASF and Henkel. Analysis of the code used in all of the attacks points to China.

These attacks followed earlier intrusions into major pharmaceutical companies. In October 2017, pharmaceutical giant Merck reported that the NotPetya ransomware attack had cost the company over $300 million in the third quarter alone. Last year, German pharmaceuticals giant Bayer AG admitted that in June it had discovered spyware that had been sitting on its systems since the start of the year. As with the Roche attack, the intrusion was traced to the Chinese state-sponsored hacker group Blackfly.

Bayer said that there was no evidence that any stolen data had been offered for sale on the dark web, which is what one would normally expect had the company been hacked by financially motivated cybercriminals. The absence of such activity suggests that Blackfly had an altogether different motivation: espionage rather than profit.



Why Are Pharmaceutical Companies Prime Targets for Cyber Attackers?


Nation-state-sponsored attacks are sometimes motivated by financial gain, particularly in the case of hacker groups linked to the North Korean government. But cyber espionage is now recognized as another major motivation for state-sponsored hackers, who attempt to gain technological or commercial advantage for their countries’ economies; hence the current debate surrounding the involvement of Chinese telecoms manufacturer Huawei in the rollout of the West’s new 5G mobile communications networks.

Pharmaceutical companies are prime targets for nation state-sponsored hacker groups as they own crucial intellectual property on an array of ground-breaking new drugs and medicines that are frequently the product of years of research and millions of dollars-worth of investment.

As early as 2014, it became apparent that the hacker group known as “Dragonfly” or “Energetic Bear” had shifted its focus from energy and chemical companies to the pharmaceutical sector. Known for attacking industrial control systems, Dragonfly swiftly changed its modus operandi in order to siphon off intellectual property from pharmaceutical companies.



Targeted Cyber Attacks & Theft of Intellectual Property


Since then, the attacks have become even more tightly focused. In 2017, the China-backed hacker group APT10 targeted victims with lures relating to Japanese cancer conferences. In 2018, Chinese biochemist Yu Xue pleaded guilty to stealing trade secrets from drug-maker GlaxoSmithKline; in 2019, Swiss authorities agreed to extradite her brother, Gongda Xue, to the United States to face charges of corporate espionage in the pharmaceutical industry. Also in 2019, Chinese threat actors targeted a US academic healthcare organization specializing in cancer research, following earlier attacks by the China-sponsored hacker group APT41 in late 2018.

Faced with an ageing population and rising cancer rates on mainland China, the Chinese Communist Party is set on bolstering its domestic pharmaceutical industry by 2025. Years of siphoning off intellectual property from Western pharmaceutical companies may now be paying off, as mainland Chinese manufacturers are reported to be developing cancer drugs that will dramatically undercut the prices charged by Western companies, which have had to bear the cost of years of innovative, cutting-edge research.



The Growing Awareness & A Proactive Approach of the Pharma Industry


While awareness of nation state-backed cyber espionage is growing, and the US National Institutes of Health last year began to scrutinize foreign ties at research facilities, pharmaceutical companies themselves now need to take urgent steps to safeguard their IT and OT systems. As pharmaceutical manufacturers modernize their processes with robotics, AI and IoT technologies, new entry points for cyber-attacks are created. Previously stand-alone systems are increasingly connected to the internet so that they can be accessed by third parties such as contractors and equipment providers, and every such remote-access path is a potential route into the production network.

Some companies in the pharma industry, such as Taro, a multinational pharmaceutical company, have taken a proactive approach to securing their connected OT environments with a passive network monitoring solution designed specifically for OT environments. Passive monitoring listens to a copy of the traffic (from a SPAN port or network tap) rather than injecting packets or installing agents, so it can be deployed without risking the availability of fragile controllers. It gives them full visibility into their network, reduces the risk of operational downtime, enhances network and pharma data security and helps them comply with demanding industry regulations.



How SCADAfence Discovered Targeted Ransomware In A Pharmaceutical Facility


SCADAfence’s Incident Response team recently assisted a large pharmaceutical company with an industrial cyber security emergency. Our CTO, Ofer Shaked, has published a white paper discussing this incident response engagement against a targeted cyber-attack, in which SCADAfence took part. The white paper was published to help organizations such as yours plan for such events and reduce the impact of cyber-criminals on their networks. The pharmaceutical company that was attacked did not have the SCADAfence Platform deployed at the time of the attack; the platform was installed when our Incident Response team arrived, as part of the investigation, and helped them contain the threat.




What Mistakes Are Manufacturing Companies Still Making?


Many manufacturing companies are still applying IT-oriented security tools to OT networks. This will do very little to safeguard manufacturing facilities from the kinds of attacks currently aimed at industrial networks: financially motivated attacks, nation-state-sponsored attacks, rogue third-party vendors and unwitting insiders. IT tools assume hosts that tolerate active scanning, agents and frequent patching, and they do not decode industrial protocols such as Modbus, S7 or OPC UA, so the traffic that actually drives the process is invisible to them.

Increasing connectivity between OT, IT and other networks means that pharmaceutical companies must now use security tools tailored to OT networks to safeguard not only the integrity of their manufacturing facilities but also their increasingly valuable intellectual property in the form of new drug formulas. Planning effective security for pharmaceutical manufacturing and research facilities now means tailoring the network security architecture to the unique traffic patterns and security gaps of the OT network: industrial traffic is highly static and periodic, so a learned baseline of who talks to whom, over which protocol and with which commands, makes deviations stand out in a way that signature-based IT tooling cannot match.
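The passive baselining approach described above (and in the Taro example earlier) can be illustrated with a small detector. This is an added example and is not SCADAfence's own code or the SCADAfence Platform; the flow records, the IP addresses, the set of Modbus "write" function codes and the list of IT service ports are all constructed for the demonstration. It learns the set of conversations and Modbus-writing hosts from a baseline window, then flags three OT-specific deviations: a conversation never seen before, an IT or remote-access service reaching a controller, and a Modbus write from a host that only ever read.

```python
"""Passive OT traffic baselining: learn who talks to whom over which
industrial protocol, then flag deviations. Added example, not vendor code;
the flow records, function-code set and port list are constructed for the demo."""
from dataclasses import dataclass
from typing import Optional

# Modbus/TCP function codes that change controller state (writes to coils/registers).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 23}
# IT and remote-access services that have no business terminating on a controller.
IT_SERVICE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5900: "vnc"}


@dataclass(frozen=True)
class Flow:
    """One connection record, roughly what a Zeek conn.log line plus a Modbus
    decoder would give a passive sensor on a SPAN port."""
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    fc: Optional[int] = None  # Modbus function code, if the payload was decoded


class OTBaseline:
    def __init__(self, controllers):
        self.controllers = set(controllers)   # assets known to be PLCs/RTUs
        self.conversations = set()            # (src, dst, dport, proto) tuples seen
        self.writers = set()                  # hosts seen issuing Modbus writes

    def learn(self, flows):
        """Learning phase: OT traffic is static enough that the set of
        conversations observed over a few shifts serves as the whitelist."""
        for f in flows:
            self.conversations.add((f.src, f.dst, f.dport, f.proto))
            if f.dport == 502 and f.fc in MODBUS_WRITE_FCS:
                self.writers.add(f.src)

    def check(self, f):
        """Detection phase: return a list of alert strings for one flow."""
        alerts = []
        if (f.src, f.dst, f.dport, f.proto) not in self.conversations:
            alerts.append(f"new conversation {f.src}->{f.dst}:{f.dport}/{f.proto}")
        if f.dst in self.controllers and f.dport in IT_SERVICE_PORTS:
            alerts.append(f"{IT_SERVICE_PORTS[f.dport]} to controller {f.dst} from {f.src}")
        if f.dport == 502 and f.fc in MODBUS_WRITE_FCS and f.src not in self.writers:
            alerts.append(f"Modbus write fc={f.fc} to {f.dst} from non-writing host {f.src}")
        return alerts


def detect(baseline, flows):
    """Run every flow through the baseline; returns (ts, alert) pairs in order."""
    return [(f.ts, a) for f in flows for a in baseline.check(f)]


# Constructed sample data: a filling-line cell with two PLCs, an HMI that polls
# them (fc 3 = read holding registers), a SCADA server that writes setpoints
# (fc 16 = write multiple registers) and a historian pulling from the HMI.
PLCS = {"10.1.2.10", "10.1.2.11"}
BASELINE_FLOWS = [
    Flow(1.0, "10.1.1.20", "10.1.2.10", 502, "tcp", fc=3),    # HMI polls PLC-1
    Flow(1.5, "10.1.1.20", "10.1.2.11", 502, "tcp", fc=3),    # HMI polls PLC-2
    Flow(2.0, "10.1.1.5", "10.1.2.10", 502, "tcp", fc=16),    # SCADA writes setpoint
    Flow(2.5, "10.1.1.30", "10.1.1.20", 4840, "tcp"),         # historian <- HMI (OPC UA)
]
LIVE_FLOWS = [
    Flow(10.0, "10.1.1.20", "10.1.2.10", 502, "tcp", fc=3),   # normal poll
    Flow(10.5, "10.1.1.5", "10.1.2.10", 502, "tcp", fc=16),   # normal setpoint write
    Flow(11.0, "10.1.9.77", "10.1.2.10", 502, "tcp", fc=16),  # contractor laptop writes to PLC-1
    Flow(11.5, "10.1.1.20", "10.1.2.11", 445, "tcp"),         # HMI opens SMB to PLC-2
]


def run_example():
    """Learn from the baseline window, then scan the live window."""
    baseline = OTBaseline(PLCS)
    baseline.learn(BASELINE_FLOWS)
    return detect(baseline, LIVE_FLOWS)


if __name__ == "__main__":
    for ts, alert in run_example():
        print(f"{ts:6.1f}  ALERT  {alert}")
```

The two normal flows produce nothing; the contractor laptop raises both a new-conversation alert and a Modbus-write alert, and the HMI reaching a PLC over SMB raises a new-conversation alert plus an IT-service-to-controller alert. One caveat a practitioner should keep in mind: a baseline only detects deviation from what it learned, so if the learning window already contains an intruder (as it would when a sensor is first installed during an incident, like the engagement described below), that traffic is enshrined as normal. The learned conversation set should therefore be reviewed against the asset inventory before it is trusted, not just accepted because it was observed.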


Written by: Michael Yehoshua, vice-president global marketing, SCADAfence.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.

Originally published in SC Media