A new report on the biopharma industry by cybersecurity firm Bluevoyant LLC found that the eight most prominent players in the race for a COVID-19 vaccine faced the highest volume of targeted, malicious cyberattacks, and 77% of the total 20 companies examined had unsecured remote desktop protocol (RDP) ports and email domains lacking basic measures to block hackers. “COVID-19 vaccines are the crown jewels of 2020 – and cyber attackers know it,” the report says.
Ten of the 25 attacks reported in the media since 2017, or 40%, happened this year. Year over year, reported attacks on biopharma rose 200% from 2017 to 2018 and another 50% from 2019 to 2020. More than half of these were ransomware, an entry route that locked-down RDP ports would help close off.
“While the number-one threat driving the 2020 headlines is nation-state espionage [from the likes of Russia, China, Iran and North Korea] looking to steal COVID-19 vaccine research, the top threat for most biotech and pharmaceutical companies is still ransomware,” according to the report. “Ransomware groups are many,” including those with names such as Maze, Ryuk, Revil/Sodinokibi, Netwalker and Nefilim, the report notes. Each group’s code is different, “but these malware groups follow extremely similar techniques, tactics, and procedures, which rely overwhelmingly on exploiting RDP vulnerabilities and phishing. While phishing is the eternal cyber threat, RDP vulnerabilities have become even more critical in 2020, as companies rely more heavily on employees working from home.” In an earlier report, Bluevoyant identified the rise of COVID-19-related domain registrations during the first few weeks of the pandemic. “Many of these were opportunistic; many others were outright criminal,” the company said.
Also busy in the cyber-mischief space are access brokers who procure RDP passwords and VPN credentials and offer them for sale on the dark web to parties wanting to launch ransomware attacks. “It’s essentially buying a key to a door so that you can open the door and rob the house instead of having to [put forth] the effort of breaking in,” said Austin Berglas, global head of professional services for New York-based Bluevoyant. “Once you have sensitive credentials being bought and sold on these underground forums, it’s a problem” that may be out of control already. “Oftentimes, the purchase of these credentials happens quickly, before the organization knows that they have a stolen or lost credential floating around.” He urged “simple cybersecurity hygiene,” such as multifactor authentication, locked-down RDP access and long passphrases that are never reused.
Companies developing COVID-19 vaccines “saw a much larger volume of threat, both in number and proportionally,” than those not doing COVID-19 research, Berglas told BioWorld.
Among the 20 firms analyzed in the open-source report are the 12 largest in biopharma and eight of the main COVID-19 vaccine researchers. “[With] all of them, every single one, we observed evidence of what we call malicious inbound traffic, or connections from known, bad places on the internet,” said Berglas, whose background includes a stint as assistant special agent in charge of the FBI’s New York office cyber branch, where he oversaw all national security and criminal cyber investigations. “Sixteen of [the 20 companies] had targeted malicious traffic, attempts to break into the organization using stolen credentials – we call that brute force attack,” Berglas said. “We saw targeted exploits in malware, custom-crafted malware looking to compromise these organizations. We saw what we call anonymized probing, scans looking for open doors in their environment, coming from infrastructure that we know to be owned by bad actors. Even more concerning, in seven of these 20 companies, we saw evidence of actual compromise,” though the report does not single them out by name.
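The “targeted malicious traffic” Berglas describes, repeated logon attempts with stolen or guessed credentials against RDP, is visible on the target’s own Windows hosts as bursts of Event ID 4625 (failed logon) from a single source. The following is an added example, not code from the Bluevoyant report or from any of the companies it examined; the event records are constructed inline in a simplified tuple form, the source addresses are RFC 5737 documentation ranges, and the window and threshold values are illustrative defaults rather than figures the report gives.

```python
"""Detect RDP brute-force / password-spray activity in Windows Security events.

Added example, not code from the Bluevoyant report. Event records are
constructed here as tuples; in practice they come from a SIEM export of
Event ID 4625 (failed logon) and 4624 (successful logon).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive: an interactive logon over RDP


def _constructed_events():
    """Constructed sample: (timestamp, event_id, logon_type, username, source_ip)."""
    base = datetime(2020, 11, 16, 2, 0, 0)
    events = []
    # Password spray from one source: 12 failures in ~90 s across 6 accounts
    sprayed = ["administrator", "admin", "backup", "svc_sql", "jsmith", "test"]
    for i in range(12):
        events.append((base + timedelta(seconds=8 * i), FAILED_LOGON,
                       RDP_LOGON_TYPE, sprayed[i % len(sprayed)], "198.51.100.23"))
    # ...then a successful RDP logon from the same source: the escalation signal
    events.append((base + timedelta(seconds=100), SUCCESSFUL_LOGON,
                   RDP_LOGON_TYPE, "svc_sql", "198.51.100.23"))
    # A real user mistyping a password three times: stays below threshold
    for i in range(3):
        events.append((base + timedelta(minutes=10, seconds=30 * i), FAILED_LOGON,
                       RDP_LOGON_TYPE, "mlee", "203.0.113.9"))
    # Network (logon type 3) failures: ignored unless the rule is widened
    for i in range(15):
        events.append((base + timedelta(minutes=20, seconds=2 * i), FAILED_LOGON,
                       3, "guest", "192.0.2.77"))
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=10,
                          logon_types=frozenset({RDP_LOGON_TYPE})):
    """Return {source_ip: summary} for sources with at least `threshold` failed
    logons of the given types inside any span of length `window`.
    Sliding window over the per-source sorted timeline (two pointers)."""
    per_ip = defaultdict(list)
    for ts, event_id, logon_type, user, ip in events:
        if event_id == FAILED_LOGON and logon_type in logon_types:
            per_ip[ip].append((ts, user))
    findings = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        best, start = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[ip] = {
                "failures_in_window": best,
                "total_failures": len(attempts),
                "distinct_users": len({u for _, u in attempts}),  # >1 suggests spraying
                "first": attempts[0][0],
                "last": attempts[-1][0],
            }
    return findings


def successes_after_bruteforce(events, findings):
    """Any successful logon from a flagged source after its burst began is the
    signal to escalate: a stolen or guessed credential probably worked."""
    hits = []
    for ts, event_id, logon_type, user, ip in events:
        if (event_id == SUCCESSFUL_LOGON and ip in findings
                and ts > findings[ip]["first"]):
            hits.append((ip, user, ts, logon_type))
    return sorted(hits)


if __name__ == "__main__":
    found = detect_rdp_bruteforce(SAMPLE_EVENTS)
    for ip, summary in found.items():
        print(ip, summary)
    for ip, user, ts, lt in successes_after_bruteforce(SAMPLE_EVENTS, found):
        print(f"ESCALATE: {user} logged on from {ip} at {ts} (type {lt})")
```

One caveat worth building in: when Network Level Authentication is enabled, a rejected RDP credential is logged as a type 3 (network) failure before any type 10 session exists, so a rule keyed only on logon type 10 misses exactly the spray it is meant to catch; passing `logon_types={3, 10}` widens the rule, at the cost of also seeing SMB and other network logon noise such as the third source in the sample.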
“When a bad guy puts some sort of malware or virus inside a network, that piece of software has to communicate with something to get its instructions,” in a process called beaconing, Berglas said. “When you see communication from one of these companies to infrastructure that we know to be bad, that’s indicative of a compromise.” Struck just this week by an apparent cyberattack was cold-storage firm Americold Logistics LLC, of Atlanta, which supports such products as COVID-19 vaccines. “As a precautionary measure, the company took immediate steps to help contain the incident and implemented business continuity plans, where appropriate, to continue ongoing operations,” the company said in a statement, adding that it “has notified and is working closely with law enforcement, cybersecurity experts and legal counsel.” In October, Hyderabad, India-based Dr. Reddy’s Laboratories Ltd., the contractor for Russia’s Sputnik V COVID-19 vaccine, was hit by a cyberattack and had to shut down operations briefly. This summer, the U.K. National Cyber Security Center warned that pharmaceutical companies and academic researchers working on COVID-19 vaccines were being targeted by Russian state-sponsored hackers.
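The beaconing Berglas describes leaves two traces in outbound proxy or firewall logs: connections to destinations already known to be attacker infrastructure, and, even when the destination is not yet on any list, connections that recur on a near-fixed schedule because the implant polls for instructions. The following is an added example, not code from the Bluevoyant report; the indicator list, hostnames and flow records are constructed (RFC 5737 documentation addresses), and the minimum-connection count and jitter tolerance are illustrative defaults, not values the report specifies.

```python
"""Flag beaconing in outbound flow records: (1) destinations on a known-bad
list and (2) connection pairs with a near-constant inter-connection interval.

Added example, not from the Bluevoyant report. Indicators, hostnames and
flows are constructed; thresholds are illustrative defaults.
"""
import statistics
from collections import defaultdict

# Constructed threat-intel feed: destinations "known to be bad" (assumption).
KNOWN_BAD_IPS = {"198.51.100.40", "198.51.100.41"}

BASE = 1605492000  # epoch seconds, 2020-11-16T02:00:00Z; arbitrary anchor


def _constructed_flows():
    """(epoch_seconds, src_host, dst_ip, dst_port), as a proxy/NetFlow export gives."""
    flows = []
    # Implant check-in: every ~5 min with a few seconds of jitter, to a listed IP
    for off in (0, 302, 598, 901, 1199, 1503, 1797, 2102, 2398, 2701, 2999, 3304):
        flows.append((BASE + off, "lab-ws-17", "198.51.100.40", 443))
    # Unlisted destination but a metronomic 60 s cadence: beacon-like, investigate
    for i in range(10):
        flows.append((BASE + 60 * i, "ws-02", "192.0.2.200", 8080))
    # Build server pulling packages at irregular, human-driven times: benign shape
    for off in (0, 13, 413, 420, 2320, 2380, 2382, 2882):
        flows.append((BASE + off, "build-01", "203.0.113.10", 443))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def find_periodic(flows, min_connections=6, max_cv=0.2):
    """Return {(src, dst, port): stats} for pairs whose gaps between successive
    connections are nearly constant: coefficient of variation <= max_cv.
    Small jitter (as real implants add) still passes; human traffic does not."""
    per_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        per_pair[(src, dst, port)].append(ts)
    periodic = {}
    for key, times in per_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            periodic[key] = {"mean_interval_s": round(mean, 1), "cv": round(cv, 3)}
    return periodic


def triage(flows, bad_ips=KNOWN_BAD_IPS, **periodic_kwargs):
    """Combine both signals. A listed destination is the stronger evidence
    (communication to infrastructure known to be bad); periodicity alone is
    a lead to investigate, not a verdict."""
    counts = defaultdict(int)
    for _, src, dst, port in flows:
        counts[(src, dst, port)] += 1
    periodic = find_periodic(flows, **periodic_kwargs)
    verdicts = {}
    for key, n in counts.items():
        listed = key[1] in bad_ips
        if not listed and key not in periodic:
            continue
        verdicts[key] = {
            "verdict": "compromise_likely" if listed else "beacon_like",
            "connections": n,
            **periodic.get(key, {}),
        }
    return verdicts


if __name__ == "__main__":
    for (src, dst, port), info in sorted(triage(SAMPLE_FLOWS).items()):
        print(f"{src} -> {dst}:{port}  {info}")
```

The periodicity test is deliberately loose about jitter and strict about count: six or more connections with a coefficient of variation under 0.2 catches the five-minute check-in with a few seconds of randomisation, while the build server, whose gaps range from seconds to half an hour, is left alone even though it is also a busy, repeated destination.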
The Bluevoyant report concludes that “once a company has secured its own systems, it needs to look outward to supply chain security. Biotech and pharmaceutical companies, more than most industries, are in tight and varied webs of supply chain dependencies – with links across manufacturing and distribution, health care and data centers and tech providers. Supply chain security is a critical step in ensuring adequate security against third-party risk.”