Data Theft Emerges as the Latest Threat as Criminals’ Tactics Shift
It’s not just patient data contained in the electronic health records and email systems of healthcare entities that are in the crosshairs of hackers. The intellectual property, including research results, of biotechnology companies and other medical organizations is also increasingly a target for hackers, who sometimes dump data on hacker forums or public websites.
“The top threats facing medical researchers, drug development firms and similar types of companies is the evolving nature of high impact cyberattacks, especially focusing on high impact ransomware, new types of malware and a brand new emerging cyberthreat known as disruptionware,” says Jason G. Weiss, a former FBI special agent and forensics expert who’s now an attorney at Faegre Drinker Biddle & Reath.
“These cyber dangers are a direct threat to the research and development work for all types of companies, and it is incumbent on potential victims to become proactive in their fight to secure their cyber domain. The days of reaction have to end,” he says.
Genesis Biotechnology Group Targeted
Among the most recent victims of hackers targeting research data is Genesis Biotechnology Group, a Hamilton, N.J.-based pharmaceutical and biotechnology firm with several units.
In a statement Monday, GBG said it learned on Dec. 2, 2019, that it was a victim of a malware attack “that was limited to the internal research work of a GBG member company engaged in contract research using non-human models to support drug discovery.”
While GBG did not identify the “member company” impacted by the attack, media outlet Bleeping Computer on Jan. 23 reported that Medical Diagnostics Laboratory – a unit of GBG – was a victim of a Dec. 2, 2019, Maze ransomware attack that resulted in the dumping of more than 9 Gbytes of research-related data on the Maze Team website.
Susan Kase, GBG chief legal officer, confirmed to Information Security Media Group that the malware attack mentioned in GBG’s public statement indeed involved Maze ransomware, but she denied that the attack compromised Medical Diagnostics Laboratory’s data.
Rather, she says the GBG malware attack affected information that was “the internal research work of a GBG member company engaged in contract research using non-human models to support drug discovery.”
The affected information included rodent diagrams, charts, graphs and other internal data “with no identifiers to any particular client research study,” she says. No protected health information or personally identifiable information was compromised, she adds.
“Medical Diagnostics Laboratories network, including servers and endpoints, was not compromised,” the GBG statement notes.
Hackers have also targeted research data in other breaches.
For instance, last April, Wilmington, Mass.-based Charles River Laboratories reported an incident involving unauthorized access to portions of its information systems and the copying of data by an intruder.
The company did not divulge details about the type of data that was exposed in the attack.
But in a filing with the Securities and Exchange Commission, Charles River Labs noted: “Our contracts with our clients typically contain provisions that require us to keep confidential the information generated from the studies we conduct. The unauthorized access detected, as well as any future breaches, could expose us to significant harm including termination of customer contracts, damage to our customer relationships, damage to our reputation and potential legal claims from customers, employees and others.”
A Growing Target
Research data and other intellectual property of medical organizations are a growing target for hackers.
“It has been clear for a number of years that state actors have been targeting these types of organizations in an effort to acquire proprietary information,” says regulatory attorney Marti Arvin of the security consultancy CynergisTek.
“This is, and will continue to be, a significant threat to the industry globally. The profit motive of being first to market with the latest and greatest treatment will continue to motivate U.S. companies, but this will also be what motivates the bad actors to find the latest and greatest ways to hack the industry’s systems.”
Organizations that are involved in medical research, drug development and similar work “face the same cyberthreats as any other industry,” Arvin notes.
Research work often requires significant collaboration among a variety of organizations, such as academic medical centers, universities, pharmaceutical manufacturers and government agencies, she says. “This means the information is being shared across multiple entities, which increases the risk of compromise.”
The size of the threat is unclear, she says, “because this type of data theft will not likely require notifying anyone of the data compromise – unlike the breach of individually identifiable information. … Dumping IP or R&D data can pose a reputational risk to the brand and/or increase exposure because of the awareness that their system is vulnerable.”
Ransomware Tactics Change
Ransomware gangs, including Maze, Sodinokibi and DoppelPaymer, are increasingly dumping – or threatening to dump – data stolen in their attacks (see: Doppelpaymer Ransomware Gang Threatens to Dump Victims’ Data).
For example, in November 2019, the Maze gang leaked almost 700 MB of data that it stole from Allied Universal, a California-based security services firm. Subsequently, the attackers leaked even more information from additional victims, reportedly including Medical Diagnostics Laboratory, the Florida city of Pensacola, manufacturer Southwire, as well as an accounting firm (see: Maze Ransomware Gang Names More Alleged Victims).
“Every ransomware incident is now a potential data breach and, consequently, detection and prevention are more critical than ever,” says Brett Callow, a threat analyst at security company Emsisoft.
“Companies that have data exfiltrated have no good options. Whether they pay the ransom or not, the threat actor will still be in possession of their data,” he notes.
“While ransomware groups may claim that the stolen data will be deleted upon payment being made, it seems unlikely that a criminal enterprise would destroy information that it may be able to further monetize – and, obviously, this is especially true in the case of intellectual property which may be extremely valuable.”
Hackers targeting medical organizations can potentially steal research data that contains individuals’ PHI and PII and dump it or offer it for sale on darknet sites.
“Cybercriminals can make large amounts of money selling stolen PII data, and companies have to be as vigilant as ever in the never ending war to keep their data safe and off the darkweb,” Weiss says. “This battle is only in its beginning stages. The war will rage on as long as cybercriminals can make money selling stolen PII information.
“I do believe we will see a rise in attacks on medical researchers and drug development firms since they have, in the past, been soft targets with valuable PII and other patient electronic health record information.”