Technology Executive Council
To join the CNBC Technology Executive Council, go to
Technology Executive Council

The cyberthreat that could derail the world's race to develop a coronavirus vaccine

Key Points
  • Pharmaceutical companies working on a vaccine and on drugs and treatments to fight the coronavirus are facing an increased risk of cyberattack, according to cybersecurity experts.
  • The security challenges facing these companies are compounded by the fact that many now have large remote workforces, which puts them at bigger risk.
  • People in clinical trials with pharmaceutical companies are now vulnerable too, since their personal information is being tracked.
Tolga Akmen | AFP | Getty Images

As people all over the world are adjusting to life during the coronavirus pandemic, a threat has emerged that could potentially interfere with efforts to mitigate the damage. Cybercriminals are attacking pharmaceutical companies, and while these attacks pose a threat to customers' privacy rights, some wonder if they might also interfere with the development of a vaccine.

Sivan Nir, threat intelligence team leader at the cybersecurity company Skybox Security Research Lab, said that many cybercriminals have pledged not to attack health-care providers during the coronavirus outbreak. Pharmaceutical companies, on the other hand, are not so lucky.

"There is a certain amount of 'honor amongst thieves' that exists within cybercriminal communities," she said. "At the onset of the Covid-19 crisis, a number of ransomware operators said that they will no longer be targeting medical or health organizations during the pandemic. This compassionate approach, however, does not extend to pharmaceutical companies."

The pharmaceutical company ExecuPharm was the victim of such an attack in March. The company told the Vermont attorney general's office that the ransomware attack saw driver's licenses, financial information, Social Security numbers and other sensitive patient data compromised and published on the dark web.

ExecuPharm told TechCrunch that a ransomware group called CLOP was responsible, but why would anyone attack a pharmaceutical company in the middle of a pandemic? According to emails between CLOP and the technology security website Bleeping Computer, it's because the ransomware group sees ExecuPharm and other companies like it as profiting from coronavirus, making them fair game.

"We never attacked hospitals, orphanages, nursing homes, charitable foundations, and we won't," CLOP told Bleeping Computer. "Commercial pharmaceutical organizations ... are the only ones who benefit from the current pandemic."

Is China spying on US vaccine makers?
Is China spying on US vaccine makers?

The security challenges facing these companies are compounded by the fact that many now have large remote workforces. According to Mickey Bresman, CEO of the cybersecurity company Semperis, the working-from-home situation exposes organizations to increased risk.

"We're already seeing an uptick in opportunistic cyberattacks around the globe," he said. "Bad actors are using the crisis to launch new phishing, malware and other attacks that exploit public concern over Covid-19."

Big Pharma's line of defense

Chuck White, chief technology officer for the cybersecurity company Fornetix, said that pharmaceutical companies have options when it comes to protecting their data and intellectual property from malicious actors. One is to protect data with the strongest encryption methods available.

"Make sure that the organization is using the maximum strength in algorithms based on what their technology can use," he said. "Have your technology enforce that utilization."

Additionally, he suggested investing in storage technologies that can be secured with encryption and having staff use geofencing, which can provide security for local area networks. He also emphasized making sure everyone in the organization is safeguarding the company's intellectual property and personal data by practicing "cyber hygiene."

"Don't use work equipment for personal reasons," he said. "Browse what you need to do your job, not to learn what your favorite sports team is doing." Pharmaceutical companies may need to implement these practices sooner rather than later. According to Jason Smolanoff, global cyber-risk practice leader at the cybersecurity company Kroll, new attacks are already under way.

"It just happened with a pharmaceutical company that's working on a vaccine," he said. "In this case, it was done by a national actor, and indications are that the intention behind it was to steal trade secrets."

What's most at risk

He added that there are four main categories of attackers. These include nation-states that are looking to steal trade secrets; hacktivists who are promoting a social agenda; an insider who works for the company; and financially motivated cybercriminals, who conduct ransomware attacks for financial gain. This last category can create headaches beyond mere financial loss for the victimized company.

"These days, there are different versions of ransomware that encrypt the data and also steal it," he said. "The implication is that if data is stolen, the company has a legal obligation to notify people that their data was stolen."

As for the people who depend on pharmaceutical companies to manufacture their medicines, these attacks pose a personal threat to them as well.

"Patients in clinical studies are the main area of threat," Fornitex' White said. "Though the patient's progress and personal information roll into a pharmaceutical's development of the intellectual property, it is still personal information for the patient at the end of the day. Collateral damage from the pharmaceutical's perspective is possibly devastating for the patient."

He said that pharmaceutical companies could protect patient data by weighing how much of it they need to do their job effectively.

"In the spirit of 'cyber hygiene,' it needs to be the bare minimum," he said. "Things like tokenizing user IDs, not making the information useful for an attacker to sell, or possibly blackmail patients."

Despite CLOP's belief that pharmaceutical organizations should be targeted, Bresman of Semperis said that focusing on their profit motive misses the point. He said that targeting any part of the medical infrastructure at this time threatens the health and well-being of the entire general public.

"When attackers target healthcare and pharma companies, they aren't just hacking databases or defacing websites — they can actually put lives in danger, and the global pandemic is raising the stakes dramatically," he said. "When attackers shut down IT networks and disrupt services, the strain on already overwhelmed critical infrastructure compounds. [It] undercuts Covid-19 intervention efforts."

More from Technology Executive Council:
An Apple business you may not know that's poised to boom from coronavirus crisis
Would you let Google, Apple contact-trace your family? Here's what Reddit's Alexis Ohanian says
Google, Facebook, Twitter team up to support addiction recovery during pandemic