Serum Institute, Bharat Biotech, Dr Reddy’s Labs, Abbott India, Patanjali and All India Medical Sciences were among the Indian pharma companies and hospitals allegedly targeted by hacker groups from Russia, China and North Korea as part of a massive global campaign to steal sensitive information related to vaccine research and trials, reported Cyfirma, a Goldman Sachs-backed, Singapore-based threat intelligence firm, in its latest threat landscape report on pharmaceutical companies.
Cyfirma identified 15 active hacking campaigns, of which 7 were from Russia, 4 from China, 3 from North Korea and 1 from Iran.
Indian companies were believed to have been targeted by three campaigns: one led by the Russian threat actor group APT29, also known as Cozy Bear; one by the Chinese threat actor APT10, also known as Stone Panda; and one by the North Korea-based Lazarus Group.
“Our research showed the suspected threat actors were mainly sponsored by China, Pakistan and North Korea. The hackers’ objectives were centered around smearing India’s reputation, cause productivity loss, create operational damage and seek financial gains,” said Kumar Ritesh, founder, CEO, Cyfirma.
The first campaign, called “unseco33”, was launched in October 2020 by APT29 to steal sensitive personal and clinical trial information, health care reports and customer information. According to Cyfirma, the hackers exploited vulnerable Citrix, RDP, SSHD, web and mail applications, planted malware and ransomware, and used spear phishing attacks targeting employees and individuals.
The second campaign, called “UnwPock”, had been active since June 2020 and was led by the Chinese group APT10. The objective of this attack was to steal intellectual property, information on medical devices and drug chemical compositions, sensitive databases and customer information. In addition to exploiting vulnerable systems, the hackers also used spear phishing attacks and data exfiltration malware, including variants of Agent Tesla, Emotet and Gh0st.
Patanjali was targeted by the third campaign, “PuM4Y”, which had been active since September 2020 and was led by the North Korea-based Lazarus Group. The group used targeted spear phishing attacks and data exfiltration malware to steal sensitive medical databases.
All three hacker groups have alleged ties with their respective governments and have acted at their behest on several occasions.
According to Cyfirma, Stone Panda was also involved in plans to launch massive cyberattacks targeting the Indian government, pharma companies, media houses and telcos in June 2020. The attack was planned in retaliation for the escalating border tension between India and China in the hill state of Ladakh. During the festive season sales of October-November 2020, millions of Indians were targeted by shopping scams with alleged links to unknown Chinese threat actors based in the Guangdong and Henan provinces, according to Cyberpeace Foundation, an Indian cybersecurity think tank.
State-backed cyberattacks have become a common mode of retaliation and sabotage for powerful nation states that do not want to enter actual wars. The pandemic has made attacks easier, as many Indian organisations and employees were not ready for remote working.
“The situation is compounded by the fact that over 46% of commercial businesses are operating on traditional legacy systems. These are aged technologies which are no longer supported by their vendors, and they present cybersecurity gaps, loopholes and vulnerabilities which hackers can exploit to gain entry to corporate networks,” warns Ritesh.