Biotechnology companies are starting to look more and more attractive to hackers, and a number of successful exploits should give pause to industry leaders. However, things are not quite what they seem.
First Published 14th January 2022 | Latest Refresh 7th August 2022
"Nope! Can't find a breach in this sample."
5 min read | Reflare Research Team
The rise of biotech as a target
COVID-19 has seen the stock prices and evaluation estimates for companies in pharmaceutical and biotechnology skyrocket since the first vaccine became available on the market. This attention has led to them becoming an increasingly tempting target for cyberattacks.
BIO-ISAC, a not-for-profit organisation launched in August 2021 to provide early-warning and education on digital biosecurity threats, announced an undisclosed bio manufacturer was involved in an advanced persistent threat (APT) attack named Tardigrade in the Spring of 2021.
One of the more eyebrow-raising quotes of their statement read, “Through the subsequent investigation, a malware loader was identified that demonstrated a high degree of autonomy as well as metamorphic capabilities. In October 2021, further presence of this malware was noted at a second facility.”
Hmmm. Okay.
Well, it must be a foreign government, right?
Only a few months earlier, South Korea’s intelligence agency accused North Korean state actors of hacking into Pfizer to steal information on COVID vaccines. Furthermore, in December 2020, the European Medicines Agency (EMA) announced it had been the subject of a cyberattack when they discovered a number of documents related to covid-19 vaccine candidates had been altered by hackers.
Of course, news like this is often followed by wild speculations and impossible to prove conspiracy theories from Iran and China trying to steal vaccine information to help develop their own vaccines to malicious states trying to slow down the development of those vaccines for their own benefits and evil purposes. But could there be other possibilities here why there is an increase in attacks against the pharmaceutical and biotechnology sectors that do not involve state actors?
Let us start by first saying that, some organisations and media companies these days have the annoying habit of reporting threats that are slightly sophisticated, utilising new methods, or anything that they never heard about as “highly advanced” or “state-of-the-art”, and therefore must be state-backed.
Shapeshifting malware is nothing new
To use the BIO-ISAC statement as an example, while we have no idea what they meant by “high degree of autonomy”, we are quite certain that the so-called “metamorphic capabilities” are nothing to be surprised about.
A malware with metamorphic capabilities is simply malware that can alter its code in order to avoid detection. This modification can be as minor as flipping a single bit to something more radical that would change the malware execution flow. However, self-modifying malware has been around since the first antivirus engines were created and modern malware is more likely to have metamorphic capabilities than they are not.
Today, there are tools, algorithms, and underground services out there to help make the creation of metamorphic malware very easy. So, the presence of such capabilities should not be seen as a sign that malware is written by highly sophisticated hackers let alone state-backed actors.
The fact that the malware is only targeting the biotech industry is also not evidence that it is state-sponsored. This is because not all malicious programs are designed to infect systems indiscriminately as it would increase the chance of them getting discovered and detected by antivirus products. So it is quite common for malware to be made to run at its full capabilities only after certain criteria are met.
But why would anyone else other than state-sponsored actors hack into biotech companies to steal trade secrets or confidential information?
High dependency on data = high probability of 'pay day' (& everyone knows it)
Well, remember that cybercriminals are opportunists. More than a significant number of these biotech companies are publicly traded and currently doing rather well both in sales and in share prices. Subsequently, sizing up the value of a successful attack is relatively straightforward.
There is nothing cyber-criminals, especially those behind ransomware, love more than targets who are doing well financially. As such, they are more likely to pay good money for ransoms to either unlock their systems or keep compromised sensitive information from getting leaked to the public. Even if these victims don’t pay the right price, depending on how valuable the information is, it wouldn’t be too hard to find buyers on the black market.
Let’s also not forget that the world is not short of strange but talented people like Gary McKinnon – who in 2002 committed the "biggest military computer hack of all time" to look for “evidence of free energy suppression and a cover-up of UFO activity and other technologies”. These are types of threat actors that are often overlooked or even dismissed due to the misguided belief that only well-funded threat actors have the resources to breach the network of a large institution, even though teenagers like Graham Ivan Clark keep proving us otherwise.
Is the biotech industry the new 'plaything' for the hacking community?
It’s worth remembering that the biotech sector is not the only one that has seen an increase in cyberattacks during the pandemic. According to FireEye and McAfee, 81% of global organisations experienced increased cyber threats during COVID-19. So, perhaps the increase in attacks the biotech industry is now experiencing is merely a reflection of this new reality.
However, whatever the underline drivers, it is clear that biotech, pharma, and the life science industry as a whole is (now, more than ever) an increasingly attractive target for hackers to pursue.
While we should all be worried about the increase in cyber-attacks, especially against organisations in the industry we are in – we must not too quickly jump to the conclusion that some state-backed actors are responsible for them. Simultaneously, we must be prepared to face evolving cyber challenges, regardless of the sophistication of the attack (perceived or otherwise) or who the threat actors might be (again, perceived or otherwise).
The time to act has arrived
But more specifically, now is the time for the executives, IT leaders, CISOs, L&D managers and procurement professionals of biotech companies to come together and map out what is needed to bolster their cyber resilience.
The capabilities and behaviour of staff are often the weakest links that enable organisational security breaches, and compliance-led awareness training almost always covers only the basics. Explore how we can help your developers, administrators and non-tech employees strengthen their IT security skills, and stay abreast of the latest IT security trends and breaches by subscribing to our email newsletter.