EU Vaccine Approval Agency Investigating CyberattackIncident Comes as Government Agencies Warn of Cybercrime Related to COVID-19
This developing story has been updated twice.
In a brief statement Wednesday, the Netherlands-based agency said: "EMA has been the subject of a cyberattack. The agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities. EMA cannot provide additional details whilst the investigation is ongoing."
The agency declined Information Security Media Group's request for additional details about the attack, but says it is "fully functional and work continues."
EMA is working on approval of two COVID-19 vaccines, which it expects to conclude within weeks, the BBC notes.
In a joint statement issued Thursday by pharmaceutical makers BioNTech and Pfizer, which are partnering on their COVID vaccine, the two companies said "some documents relating to the regulatory submission for Pfizer and BioNTech's COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed. ... No BioNTech or Pfizer systems have been breached in connection with this incident, and we are unaware that any study participants have been identified through the data being accessed."
Then on Dec. 14, news service Reuters reported that pharmaceutical firm Moderna was also informed by EMA that some of its COVID-19 vaccine related documents were also accessed in the hacking incident.
On Thursday, the EMA is scheduled to brief members of the EU's Public Health Committee on the status of COVID-19 vaccines expected to receive authorization, the BBC reports.
BioNTech and Pfizer in their joint statement said "EMA has assured us that the cyberattack will have no impact on the timeline for its review" of their COVID-19 vaccine.
The incident follows a string of recent advisories from global law enforcement and other government agencies, including the Department of Homeland Security in the U.S. and Europol and Interpol in the EU, warning of cybercriminals targeting COVID-19 supply chain and related organizations.
The attack on the EMA is "unsurprising" because there have been so many attacks against medical and healthcare organizations worldwide, says Mark Hendry, director of data protection and cybersecurity at global legal firm DWF, based in the U.K.
"What is unknown at this time is the identity of the perpetrator, whether they are an advanced persistent threat actor and whether the attack is ... directly linked to other attacks we have seen on governmental, research and health-related organizations throughout the pandemic," he says.
Retired FBI supervisory special agent Jason G. Weiss, an attorney at the law firm Faegre Drinker Biddle & Reath LLP, offers a similar assessment.
"As the health and financial value of COVID-19 vaccines moves to the forefront of society, it is inescapable that criminal and cyberthreat actors are laser-focused on attempting both obvious and deliberate attacks against COVID-19 vaccine makers," he says. "Additionally, it is becoming patently obvious that many of these attacks are being instigated by hostile nation-state threat actors, as well."
Europol and Interpol last week issued notifications warning of a potential surge in organized crime activity tied to COVID-19 vaccines (see: Europol Warns of COVID-19 Vaccine Crime Gangs and Interpol: Organized Crime to Capitalize on COVID-19 Vaccines ).
And in the U.S., the DHS' Cybersecurity and Infrastructure Security Agency last week also issued an advisory citing a new report by IBM warning organizations involved in COVID-19 vaccine production and distribution of a global phishing campaign targeting the cold storage and transport supply chain (see: Phishing Campaign Targets COVID-19 'Cold Chain').
Many vaccines in development - including coronavirus vaccines - must be kept at low temperatures before being administered.
IBM says a spear-phishing campaign, which started in September, spans six countries and targets organizations and agencies that support the Cold Chain Equipment Optimization Platform program. That program was launched in 2015 by the United Nations Children's Fund and other partners to distribute vaccines.
The COVID-19 "cold chain" phishing campaign aims to harvest account credentials at companies involved with vaccine production, storage and distribution, IBM reports.
"While we wait for a timeline and more information, there's no doubt scammers will be scheming," the FTC says.
With cybercriminals targeting entities involved in COVID-19 vaccine development and distribution, organizations must be prepared to deal with potential attacks.
"Where possible, seek to understand the methods used to attack and disrupt organizations in your sector and be ready to defend against common types of attack and deal with the disruption they inevitably cause when they arrive," Hendry says.
"In the case of organizations on the front line of vaccination deployment, it would be prudent to consider redundancy planning - for instance, the use of alternative facilities and equipment, which may involve redundancy partnering relationships with other organizations fulfilling a similar role to your own," he suggests.
COVID-19 vaccine providers and others need to protect their IT and OT networks, "especially with the growing threat of disruptionware attacks, which include a broad variety of cyberattacks including the most common: ransomware attacks focusing on the encryption and exfiltration of this critical data," Weiss says.
"These growing threats are even more dangerous now that most of the transactional criminal organizations and cyberthreat actors, both within the United States and around the world, are laser-focused on disrupting, stealing or delaying the COVID-19 vaccine and its distribution in the hopes of a major payday. Throw in the certainty of insider threat actors hired by these criminal and cyber actors, and security will be paramount to get this vaccine out to the world safely and effectively."