Was there a “COVID-19 vaccine hack” against the European Medicines Agency?

If you’ve been following the news today, you’ve probably seen headlines announcing a breach at the European Medicines Agency (EMA).
The EMA, based in Amsterdam in The Netherlands, is responsible for the evaluation and approval of medicines in the European Union – a role reflected in its former name, the European Agency for the Evaluation of Medicinal Products.
That was a bit of a mouthful, so EMA is what it became.
The range of different headlines is somewhat confusing: we’ve seen everything from “vaccine documents hack“, through “hackers steal […] COVID-19 vaccine data“, all the way to “vaccine documents unlawfully accessed“.
We’ve love to tell you more about this incident, notably whether any data relating to individuals or organisations such as EMA’s creditors, debtors, employees, contractors, researchers or volunteers lost any personal data in the attack.
Unfortunately, the EMA hasn’t been very helpful in this regard, issuing a statement of just 45 words, dated 2020-12-09, to say:

EMA has been the subject of a cyberattack. The Agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities.
EMA cannot provide additional details whilst the investigation is ongoing. Further information will be made available in due course.

There’s no suggestion of when the attack was discovered, how it was found, when it probably started, how extensive it seems to have been, how much disruption it has caused, whether anyone outside the EMA was potentially affected, how long it’s likely to take to restore the network to normal, or what the EMA is doing right now to stop it happening again.

The guessing game

Was it ransomware?
That's often one of the first conclusions that people jump to these days when an organisation discloses an attack but is opaque about what happened.
Observers understandably assume that the victims are still "negotiating" with some gang of cybercriminals over whether to pay blackmail money to stop stolen files being leaked and to recover scrambled files on their own network.
Were files indeed stolen here, and if so, how much personal and confidential data has gone missing?
German biotech company BioNTech has gone public with a document stating that its data was breached in this intrusion:

Today [2020-12-09], we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyber attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed.

Whether that unlawful access was revealed by a few access control log entries spotted in the last few days, or whether there’s evidence of widespread data theft on the scale that precedes many ransomware attacks these days, we just don’t know.
And, given the wording of the EMA’s notification, it may be a long time before we find out the breadth and depth of the breach, because the organisation claims that it “cannot provide additional details” while the investigation is ongoing.
However, as we know from previous incidents, investigations of crimes like this may literally take years to conclude, while law enforcement and prosecutors bide their time trying to piece together enough evidence to reach the standards needed to get an arrest warrant issued.

Are you off the hook?

What worries us in this case is that the dramatic “coronavirus vaccine hacking” angle that some headlines have adopted for on this story…
…may end up lulling some businesses and organisations into a false sense of security.
After all, at first glance, it feels as though EMA “obviously” has important data worth attacking, because of its high-profile association with anti-coronavirus research; while companies that do, say, contract drain cleaning or pizza delivery “obviously” don’t have anything of value or importance.
But that’s a dangerous line of thought to take.
Whether you’re an individual or a business, an employer or an employee, a splash-it-all social media fan or a privacy-centred citizen:

• You have and hold data that you are supposed to keep to yourself. Some of that data is hard or impossible to make private again (e.g. by changing it or having it reissued) if it’s stolen.
• You have and hold data that has value to cybercriminals if they get their hands on it, whether they sell it on the dark web immediately or try to blackmail you first in return for not selling it on.

Simply put: you don’t need to be explicitly on a cybergang’s radar to be on its radar implicitly.
Indeed, the crooks may decide to attack you because they already have a list of networks they know they can breach, and from which they think they will be able to extort money, and you just happen to be next on the list.
As SophosLabs explained this week in a report it published on the Egregor ransomware gang, which uses the two-pronged blackmail method of stealing and scrambling your files, the only thing “typical” about the known victims is that they have networks connected to the internet:

We first detected Egregor in September during an attack against a customer. As of November 25, the ring has posted details on over 130 victims on its Tor hidden services (.onion) website. The alleged victims of these attacks are diverse, both in terms of location and organisation type—they include schools, manufacturers, logistics organisations, financial institutions, and technology companies.

Those 130 organisations, by the way, are the ones that didn’t pay, so the true number of victims is almost certainly even higher.

What to do?

To keep data-stealing criminals out of your network, try any or all of the following:

• Keep on educating your users about the latest phishing threats. A significant proportion of cyberattacks begin with a foothold gained by the crooks through fraudulent web links or attachments sent in via email. Consider tools such as Sophos Phish Threat that allow you to test and educate your own users with realistic but fake phishing emails, so they can make their mistakes with you and not with the crooks.
• Regularly review your remote access portals. Shut down remote access tools you don’t need; pick proper passwords; and require the use of 2FA whenever you can. One forgotten or incorrectly configured RDP server, for example, or one SSH account that’s been phished and isn’t protected by 2FA, might be all the crooks need to initiate their attack.
• Patch early and patch often. Patches aren’t just for internet facing servers. Criminals idenitify and exploit buggy software inside your network in order to make a bad thing worse by expanding what’s called the surface area of an attack.
• Don’t ignore the early signs of an attack. If your system logs are showing an unusual pattern of threat detections – notably of malware apparently launched from inside the network, or sysadmin tools turning up where you wouldn’t expect them – don’t delay. Investigate today.
• Consider getting help if you need it. Experts such as the Sophos Managed Threat Reponse and Rapid Response teams can jump in at short notice when you spot trouble. They can help out (or even take care of the whole thing for you if you are really short of staff or expertise) when you simply don’t the time to investigate in detail yourself.
• Give your staff a single phone number or email address where they can report trouble. Help your own staff to be the eyes and ears of your security team and they will help you to catch sight of attacks sooner. Cybercrooks don’t send one phishy email to one person and then move on to another company if it doesn’t work, so the sooner anyone says something to someone, the sooner everyone can be advised and the better the chance than no one will be affected.

HEALTHCARE AND HACKING – LEARN MORE ABOUT KEEPING CROOKS OUT

Talk given 30 October 2020. Watch directly on YouTube if the video won’t play here.
Click the Settings cog to speed up playback or show subtitles.