India has a definite advantage today as it produces 60% of the world’s vaccines. Even developed countries are not producing enough for their own consumption and are reaching out to India for help. The latest country to do so is Canada. India has also distributed millions of doses to friendly countries, free of cost. Amid this, India’s lead in vaccine R&D and vaccine production has caught the attention of state-sponsored threat actor groups. Goldman Sachs-backed Cyfirma, a threat discovery and cybersecurity platform company headquartered in Singapore and Tokyo, notes that in the last four days there has been a series of cyberattacks on pharmaceutical and healthcare companies in India. India has two main vaccine producers, SII (Serum Institute of India) and Bharat Biocon. According to a press release issued to Reuters this week, Cyfirma says cybercriminals from Russia, China, North Korea, and the Middle East have been targeting pharmaceutical companies, hospitals, and government health departments to carry out various malicious activities.
In the Reuters report, Kumar Ritesh, Chief Executive Officer of Cyfirma said, “The real motivation here is actually exfiltrating intellectual property and getting a competitive advantage over Indian pharmaceutical companies.” Kumar Ritesh was formerly a top cyber official with the British foreign intelligence agency, MI6.
He said APT10 was actively targeting SII, which is making the AstraZeneca vaccine for many countries, and will soon start bulk-manufacturing Novavax shots.
The researchers have observed that the hacking groups are aiming to steal COVID-19 vaccine-related data, which is highly sensitive in nature. This includes vaccine research, medical composition, clinical trials information, logistics and distribution plans.
“Our researchers have noticed an increased interest amongst state actors in India’s vaccine R&D. India was lagging in the COVID-19 vaccine research and started to catch up in the last couple of months. This has drawn the attention of Chinese state-sponsored threat actors whose intentions are to tarnish India’s reputation as well as to disrupt her national vaccination effort,” said Cyfirma.
While the Chinese government has vehemently denied these attacks, Cyfirma has substantial proof, by way of traced IP addresses, indicators of compromise, event logs, and other forensics data.
It is also sharing this data with Indian authorities like CERT-In. Cyfirma is also advising CERT-In to alert the targeted companies and take immediate measures to mitigate the attacks.
What is the motivation for cyberattacks on pharma companies?
According to Cyfirma, the motivation for such cyberattacks varies slightly among the nations it identified. Russian state-sponsored threat actors are seeking a combination of geopolitical gain and financial rewards, while Korean threat groups are focused on financial gain.
And of course, the Chinese threat actors have multiple reasons. Following reports in the media, we see that Chinese hackers are not just after India’s R&D data on vaccines, but also intend to disrupt supply chains. India stepped up its vaccination drive on March 1, when it began administering vaccines for all above 60 years of age and those with comorbidities.
But Chinese state-sponsored actors have also been attacking other sectors in India, such as power and utilities. Research from security firm Recorded Future found a China-linked threat actor group dubbed RedEcho targeting 12 Indian organizations, 10 of which are in the power sector. Recorded Future’s threat research team, Insikt Group, uncovered a subset of the servers that share some common tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups.
It is being speculated whether the massive power outage in the Indian city of Mumbai last October could have been caused by a cyberattack on the power grid. This attack was first reported in The New York Times. RK Singh, Minister of State for Power, ruled out sabotage from China- or Pakistan-supported hackers. A former energy minister said the power grid does not have such a sophisticated network and also ruled out hacking. However, evidence has been found of cyberattacks on India’s northern and southern load despatch centers, though the malware could not reach the controlling system.
The train system, which is considered Mumbai’s lifeline, was impacted by the power outage. Stock exchange trading was momentarily impacted, but many businesses could not operate for a few hours due to power loss.
But India is not the only nation under attack. Nations like the U.K., U.S., Japan, Australia, Italy, Spain, Germany, Brazil, South Korea, Taiwan, Mexico and others have also been targeted. The adversaries are after sensitive research data on vaccine trials, either for financial gain or business advantage. The impact of such attacks is reputation damage, supply chain disruption, and weakening of the economy.
What are the target assets?
- Pharma companies who are investing in medical research, clinical trials, and vaccine production
- Vaccine supply chain, national vaccination campaign, individual and personal information
- Government agencies in charge of approving vaccines, medicines, and related appliances
- Vaccine development and implementation tracking systems
- Clinical trial information
- Hospital operating details, employee and patient information
- Government health department and demographic details
- Medical device and appliance design and architecture
Who’s behind the cyberattacks?
Cyfirma researchers have observed 15 active hacking campaigns (7 Russian groups, 4 Chinese, 3 Korean, 1 Iranian).