Criminals haven’t given up on stealing COVID-19 vaccine data. Yet another cyberattack has been launched — this time, threat actors were able to break into the European Medicines Agency (EMA) server and access documentation about the vaccine candidate from Pfizer and BioNTech.
The breach is just another in a series of particularly cruel efforts by malicious actors to capitalize on the global desperation and suffering as COVID-19 spreads and death tolls mount.
The EMA, Pfizer and BioNTech have acknowledged the attack but are not releasing any details while the matter is investigated.
“EMA has been the subject of a cyberattack,” the agency’s brief statement read. “The Agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities.” It added that details “will be made available in due course.”
Pfizer and BioNTech, the companies behind a proposed vaccine called BNT162b2 (authorized for emergency use in the U.K. and elsewhere), also released a statement, adding that the two companies’ systems remain secure, including personal data collected from patient trials.
“Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyberattack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed,” the Pfizer-BioNTech statement said. “It is important to note that no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed.”
Most critically, all parties gave assurances that the breach won’t slow down the EMA’s review of the vaccine for distribution.
COVID-19 Vaccines Under Attack
What’s also unlikely to be slowed down is the ongoing barrage of attacks aimed at every aspect of the vaccine’s lifecycle, from development to clinical trials and distribution.
The rise of the COVID-19 pandemic was almost immediately irresistible to scammers of all stripes. Back in March, the World Health Organization was targeted by a malicious site attempting to steal staffer credentials.
By May the FBI and CISA were compelled to release a statement warning about Chinese nation-state-backed attacks on a wide swath of the healthcare sector researching COVID-19 treatments and therapies.
“Health care, pharmaceutical, and research sectors working on COVID-19 response should all be aware they are the prime targets of this activity and take the necessary steps to protect their systems,” the May 13 FBI and CISA joint statement said.
Two months later, in July, the U.S. Department of Homeland Security issued a joint alert with the U.S. National Cyber Security Center and Canada’s Communications Security Establishment to warn about cybercriminal gang APT29, also known as CozyBear, which was targeting research and academic institutions working on a COVID-19 vaccine.
“Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” the report said.
By late July, the U.S. Justice Department accused China of spying on Moderna in an effort to “conduct reconnaissance” on the company’s vaccine research.
Third-party vendors were also easy targets. Medical software supplier eResearchTechnology provides platforms for pharmaceutical companies to conduct clinical trials and was the target of a ransomware attack in early that forced researchers back to slow and tedious pen and paper data tracking.
Once the development of a vaccine got to the manufacturing stage, malicious actors kept up their efforts to capitalize.
Vaccine manufacturer Dr. Reddy’s Laboratories, which was contracted to manufacture the Sputnik V COVID-19 vaccine for the Russian government, was forced to shut down factories in India, Russia, the UK and the U.S. after a cyberattack in mid-October.
Cold Supply-Chain Attacks
By early December, criminals shifted their sights to the limited number of companies which could distribute the vaccine at the necessary super cold temperatures. Gavi, the Vaccine Alliance group aimed at rallying “cold chain” companies for vaccine distribution, was attacked in September.
More recently, phishing emails were sent impersonating an executive of Haier Biomedical, one of the sole end-to-end cold supply chain providers, in an attempt to steal credentials. The attack was uncovered by IBM.
On Dec. 7, Europol, the European Union’s law enforcement agency, issued a warning about the rise of illicit COVID-19 vaccine activity on the Dark Web, including the sale of counterfeit vaccines.
“The detection of a fake influenza vaccine confirms that criminals seize opportunities as soon as they present themselves,” the Europol warning read. “Owing to the pandemic, the demand for the influenza vaccine has been higher than usual and there risks being a shortage. Criminals have reacted quickly by producing counterfeit influenza vaccines. The same scenario is also likely to happen when COVID-19 vaccines do become available.”
In turn, CISA issued guidance to Operation Warp Speed, the U.S. government’s designated COVID-19 vaccine development and distribution oversight group, about the need for cybersecurity vigilance around the vaccine’s supply chain.
“IBM X-Force has released a report on malicious cyber-actors targeting the COVID-19 cold chain—an integral part of delivering and storing a vaccine at safe temperatures,” the CISA statement read. “Impersonating a biomedical company, cyber-actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials. The emails have been posed as requests for quotations for participation in a vaccine program.”
This latest attack against the EMA is another reminder of how valuable COVID-19 vaccine data is to the world, and to the criminals who would gladly steal it and sell it back to us for a profit.