
Was there a “COVID-19 vaccine hack” against the European Medicines Agency?

If you’ve been following the news today, you’ve probably seen headlines announcing a breach at the European Medicines Agency (EMA).
The EMA, based in Amsterdam in The Netherlands, is responsible for the evaluation and approval of medicines in the European Union – a role reflected in its former name, the European Agency for the Evaluation of Medicinal Products.
That was a bit of a mouthful, so EMA is what it became.
The range of different headlines is somewhat confusing: we’ve seen everything from “vaccine documents hack“, through “hackers steal […] COVID-19 vaccine data“, all the way to “vaccine documents unlawfully accessed“.
We’d love to tell you more about this incident, notably whether any personal data relating to individuals or organisations such as EMA’s creditors, debtors, employees, contractors, researchers or volunteers was exposed in the attack.
Unfortunately, the EMA hasn’t been very helpful in this regard, issuing a statement of just 45 words, dated 2020-12-09, to say:

EMA has been the subject of a cyberattack. The Agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities.
EMA cannot provide additional details whilst the investigation is ongoing. Further information will be made available in due course.

There’s no suggestion of when the attack was discovered, how it was found, when it probably started, how extensive it seems to have been, how much disruption it has caused, whether anyone outside the EMA was potentially affected, how long it’s likely to take to restore the network to normal, or what the EMA is doing right now to stop it happening again.

The guessing game

Was it ransomware?
That’s often one of the first conclusions that people jump to these days when an organisation discloses an attack but is opaque about what happened.
Observers understandably assume that the victims are still “negotiating” with some gang of cybercriminals over whether to pay blackmail money to stop stolen files being leaked and to recover scrambled files on their own network.
Were files indeed stolen here, and if so, how much personal and confidential data has gone missing?
German biotech company BioNTech has gone public with a document stating that its data was breached in this intrusion:

Today [2020-12-09], we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyber attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed.

Whether that unlawful access was revealed by a few access control log entries spotted in the last few days, or whether there’s evidence of widespread data theft on the scale that precedes many ransomware attacks these days, we just don’t know.
And, given the wording of the EMA’s notification, it may be a long time before we find out the breadth and depth of the breach, because the organisation claims that it “cannot provide additional details” while the investigation is ongoing.
However, as we know from previous incidents, investigations of crimes like this may literally take years to conclude, while law enforcement and prosecutors bide their time trying to piece together enough evidence to reach the standards needed to get an arrest warrant issued.

Are you off the hook?

What worries us in this case is that the dramatic “coronavirus vaccine hacking” angle that some headlines have adopted for this story…
…may end up lulling some businesses and organisations into a false sense of security.
After all, at first glance, it feels as though EMA “obviously” has important data worth attacking, because of its high-profile association with anti-coronavirus research; while companies that do, say, contract drain cleaning or pizza delivery “obviously” don’t have anything of value or importance.
But that’s a dangerous line of thought to take.
Whether you’re an individual or a business, an employer or an employee, a splash-it-all social media fan or a privacy-centred citizen:

Simply put: you don’t need to be explicitly on a cybergang’s radar to be on its radar implicitly.
Indeed, the crooks may decide to attack you because they already have a list of networks they know they can breach, and from which they think they will be able to extort money, and you just happen to be next on the list.
As SophosLabs explained this week in a report it published on the Egregor ransomware gang, which uses the two-pronged blackmail method of stealing and scrambling your files, the only thing “typical” about the known victims is that they have networks connected to the internet:

We first detected Egregor in September during an attack against a customer. As of November 25, the ring has posted details on over 130 victims on its Tor hidden services (.onion) website. The alleged victims of these attacks are diverse, both in terms of location and organisation type—they include schools, manufacturers, logistics organisations, financial institutions, and technology companies.

Those 130 organisations, by the way, are the ones that didn’t pay, so the true number of victims is almost certainly even higher.

What to do?

To keep data-stealing criminals out of your network, try any or all of the following:

HEALTHCARE AND HACKING – LEARN MORE ABOUT KEEPING CROOKS OUT

Talk given 30 October 2020.

