Top Cyber Threats to the Pharmaceutical Industry

Top threats for the pharmaceutical fall into three key categories: (1) Cyber-enabled insider trading, (2) Executive impersonation fraud, and (3) Disruptive attacks like ransomware. Additionally, expected geopolitical developments in China and Ukraine may generate cyber risk for pharmaceutical companies that are operating within these countries. 

1. Cyber-Enabled Insider Trading

Niche groups of cybercriminals are likely to target the pharmaceutical sector with network intrusions that are geared toward the collection of sensitive, non-public information that can be used to facilitate insider trading. Insurance reimbursement rates, pricing schemes, negotiation agreements and positions, and related information can have a significant effect on the stock price of pharmaceutical companies, and, if obtained, may be used to facilitate illicit stock trades. There is precedent for sophisticated, non-U.S.-based cybercriminal groups conducting highly targeted attacks against pharmaceutical companies for this purpose, and we see no sign that interest in operations of this nature have abated. Fin4 and Morpho are two of the most notable examples of cybercriminal groups that are suspected of targeting pharmaceutical companies for the purposes of conducting insider trading.

Insider Trading-focused network intrusions may be tailored specifically for the targeted pharmaceutical company, and thus may be difficult to detect in early phases. Compromised third-party network accesses (e.g. information technology vendors), compromised internal email accounts, and legitimate, but maliciously modified (i.e. insertion of malicious code) internal company documents, are just a few of the target-specific tactics that the most sophisticated, insider trading-focused cybercriminals have used to distribute malware and/or gain an initial foothold into pharmaceutical companies’ networks. Use of a pharmaceutical company’s own resources—or those of its vendors—to enable network intrusions may lend an air of legitimacy to cybercriminals activities, thus increasing their chances of evading detection.

Potential Responses

1. Focus on maturation of the insider threat program.
2. Focus on maturation of the data loss prevention program and ensure that it is fused into the larger incident tracking program.
3. Establish a formal plan for responding to suspected incidents of insider training, including identification of any compliance actions that may be required.

2. Executive Impersonation Fraud

Executive impersonation fraud (e.g. business email compromise) may pose one of the greatest threats of direct financial theft from the pharmaceutical sector in 2018. Executive impersonation fraud cuts across all industry sectors and, in worst-case scenarios, has resulted in USD millions of losses for victim organizations. The Federal Bureau of Investigation (FBI) noted that between May 2013 and May 2016 executive impersonation fraud resulted in nearly USD 1.1B in combined losses for both U.S.- and foreign-based organizations. Public reporting on pharmaceutical companies with executive impersonation fraud is limited, but we suspect that this is a result of fraud instances going unreported, not a sign that pharmaceutical companies go untargeted. Just by way of example, in November 2016, Trend Micro reported that one U.K.-based pharmaceutical company and two Canada-based pharmaceutical companies were targeted with the email-based executive impersonation fraud, although the impact of the fraud was not reported.

Executive impersonation fraud may increasingly be preceded by malware installation and other network intrusion techniques as cybercriminals seek to lay the groundwork for execution of the fraud. Phishing pages, credential theft malware, and/or pre-established access to victim’s networks can be used to access a victim’s sensitive internal communications and resources, allowing cybercriminals to gain insight into the wording, format, and recipients of legitimate email-based fund transfer requests—information that can be used to craft realistic but fraudulent fund transfer email requests. Network intrusions may also be used to conceal indicators that fraud occurred, a tactic that was used against a New-Zealand-based taxidermy business when cybercriminals blocked legitimate email communications (via access to the company’s email services) that warned of possible fraudulent fund transfers.1

Multichannel communications with targeted organizations may become increasingly common as cybercriminals seek to improve the realism and success rate of executive impersonation fraud attempts. Phone- and social media-based outreach to victims can lend an air of legitimacy and urgency to email-based requests for fraudulent fund transfer requests, particularly when the victim is contacted shortly after receipt of the fraudulent email. The United Kingdom’s Government Internal Audit Agency noted that, in some cases, executive impersonation fraud emails have been followed by a phone call from the criminals to the victims in an attempt to increase the legitimacy of email requests. We anticipate that SMS, social media, and, in the cases of pre-established access to a victim's network, internal communication channels (e.g. Skype, Slack), could increasingly be used as methods for contacting targets of executive impersonation fraud.

Potential Responses

1. Focus on cyber hygiene and awareness activities. Known executive impersonation fraud activity rarely employs malicious payloads and minimizes content subject lines and content to prevent blocking by filtering.
2. Running anti-phishing training campaigns to train staff and identify weaknesses in overall awareness of this malicious activity’s hallmarks.

3. Ransomware and Other Disruptive Attacks

Cybercriminals may increasingly deploy ransomware against pharmaceutical companies with the expectation that the companies will quickly pay ransoms out of concerns about high-impact disruptions to operations. In 2017, a NotPetya pseudo-ransomwarea, infection forced pharmaceutical manufacturer Merck to delay the production of some vaccines for several months, and ultimately resulted in more than an estimated USD 300M in losses for the company, including USD 135M in lost revenue and USD 175M in additional costs.The Merck ransomware infection was opportunistic and untargeted, but its impact—combined with the publicly reported impact of ransomware on the operations of other companies and organizations—will no doubt motivate some cybercriminals to increasingly selectively deploy ransomware against pharmaceutical companies and other high-value targets, something akin to the early 2016 ransomware attack against the San Francisco Municipal Transportation Agency.

Disruptive attacks intent on achieving precise disruptions of specific production processes will likely be limited in both scale and frequency, as operations of this nature will almost certainly be beyond the skillset of most cybercriminals. To achieve a precise effect on a pharmaceutical company’s network, cybercriminals will likely need to do more than just gain network access—they will likely need to have knowledge and skills that extend beyond those required to access and traverse victim’s networks. It seems reasonable to assume that, at a minimum, cybercriminals will need to know how the targeted process is controlled, its failure conditions, and its dependencies—information that most cybercriminals will be unwilling or unable to obtain.

Potential Responses

1. Focus on hardening endpoints to reduce the attack surface and vulnerability exposure.
2. Deploy next-gen antivirus software to better identify ransomware before it encrypts data.
3. Ensure processes and plans are in place for responding to losses of critical systems, data, or other resources and test them through wargaming.

4. Geopolitical Activity that impacts Cybersecurity 

Ukraine—Multinational organizations with operations in Ukraine may be targeted by Russia-aligned cyber-threat actors to harm the Ukrainian economy as part of the on-going military conflict in Eastern Ukraine. The ongoing conflict between Russian-backed separatists and the Ukrainian government continued to spill into cyberspace in 2017, with no end in sight. Two pseudo-ransomwares (NotPetya and BadRabbit) caused countrywide IT disruptions in June and October 2017. Ukrainian officials and security researchers attributed these attacks to Russian security services, a claim Russia denies. The reported uptick in fighting in late 2017, agreements by the U.S. to begin providing weapons to Ukraine in December 2017, and the Russian response that weapons provision would only escalate the conflict, all indicate that separatist fighting and Russian-sponsored cyber attacks will likely continue in 2018. While the pharmaceutical industry may not be a direct target, additional costly attacks against Ukrainian private sector organizations may continue with the conflict, potentially putting multinational firms with operations in-country at risk.

Potential Responses

1. Conduct wargames and tabletop exercises to determine the quality of response plans and mitigations for major categories of Russian threats.
2. Track the evolution of Russian attacks and tactics and maintain awareness holidays and political developments. Doing so may provide a heads up to future attacks’ timing and nature.

China—China's "Made in China 2025" (MIC 2025) policy may drive intellectual property cyber-theft operations against the U.S. pharmaceutical sector. The Chinese national strategic plan MIC 2025 outlines ten priority sectors to undergo rapid expansion in domestic R&D and production capability, including biomedicine and high-performance medical devices. Benchmarks for the state-sponsored plan called for the development of 10-20 chemical and high-end drugs and 3-5 new biotech drugs by 2020, and industrialization of 20-30 innovative new drugs by 2025.7 China historically was a major perpetrator of economic espionage in the US private sector.8 However, a 2015 U.S.-China cyber armistice has reportedly been followed by a general cessation of this activity in the United States.9 Several factors, however, could lead to a return to old ways. These factors might include pressure from the government’s policy apparatus to meet the ambitious MIC goals or an internal justification for the industrial espionage having a national security purpose (a category not prohibited by the agreement).

Potential Responses

1. Maintain awareness of the Chinese market’s tracking against goals and reports of Chinese IP theft from pharmaceuticals or U.S. companies. These data points may provide leading indicators of future Chinese activity and its relevant indicators and tactics, techniques, and procedures.