Illusive Blog May 25, 2021

Pharma and Healthcare Under Attack - Looking at the Top Cyber Threats

By Steve Almquist
Life Sciences, Pharma, Insider Threats, Nation-State Attacks, Targeted Ransomware

The cybersecurity threats facing pharmaceutical and life sciences companies are unprecedented. From targeted ransomware to nation-state espionage targeting COVID-19 research to insider threats (either malicious or unintentional), cybersecurity teams at these organizations have a lot to be concerned about.

Leaving aside hospital and healthcare providers – though that is something we’ve talked about before as well – the 2020 Cost of a Data Breach Report from IBM and the Ponemon Institute found that biotechnology and pharmaceutical companies actually experience more breaches than any other industry.

A large part of that risk comes from an expanded attack surface: the digitization of research, the move from on-premises storage to cloud environments, a disconnect between security teams and other lines of business within the larger organization, the need to monitor an increasingly complex set of security tools that too often don’t work well with one another, and the era of remote work accelerated by the global pandemic. All of these add attack vectors that adversaries can discover and exploit. There is also the challenge of exposed credential and connection information, which lets attackers move laterally once they gain access to it.

According to the same Cost of a Data Breach Report, stolen or compromised credentials were the most expensive cause of malicious data breaches. One in five companies (19%) that suffered a malicious data breach was infiltrated through stolen or compromised credentials, which raised the average total cost of a breach for those companies by nearly $1 million, to $4.77 million.

This wider attack surface raises the likelihood of a devastating cyberattack against pharma and life sciences companies, with consequences that include stolen IP, repeated clinical trials, litigation, and lost revenue, all of which resonate throughout the organization.

Nation-State and Espionage Attacks

A significant portion of the media coverage surrounding cyber threats and pharma companies focuses on attackers targeting COVID-19 vaccine and treatment research.

As Tom Burt, Corporate Vice President, Customer Security & Trust at Microsoft wrote late in 2020, “two global issues will help shape people’s memories of this time in history – Covid-19 and the increased use of the internet by malign actors to disrupt society. It’s disturbing that these challenges have now merged as cyberattacks are being used to disrupt health care organizations fighting the pandemic.”

In September 2020, the Cybersecurity and Infrastructure Security Agency (CISA) warned that COVID vaccine hacks could endanger millions. In the U.S., several government agencies joined forces early on to safeguard pharmaceutical companies that are developing a vaccine or working on manufacturing and distribution.

There have been reports of North Korea attacking Pfizer to gain access to COVID-19 research, as well as other attacks that have not been reported publicly. In one attempted attack, hackers suspected to be from North Korea tried to infiltrate the life sciences companies Johnson & Johnson and Novavax in a quest for COVID-19 research data. Attackers linked to China and Russia attacked two Indian pharmaceutical companies involved in vaccine production.

And while the fallout is still under investigation, it is possible that the massive attack on SolarWinds, revealed in December 2020, impacted pharmaceutical and biotechnology companies as well.

Targeted Ransomware

Perhaps the most well-known and documented cyberattack against a large pharmaceutical firm was the 2017 ransomware attack against Merck & Co. That attack crippled 30,000 end-user devices and 7,500 servers, and the malware cost the company $1 billion in damages, lost sales, and recovery effort.

Targeted ransomware, or Big Game Ransomware, often combines Advanced Persistent Threat (APT) techniques with ransomware. Like an APT, sophisticated ransomware attackers navigate to carefully selected strategic assets on the network that hold business-critical information. They then take those assets hostage using advanced evasive ransomware techniques, massively disrupting operations and offering to stop only in exchange for a very high fee. Organizations without proper targeted-ransomware protection have no choice but to pay the fee to avoid further disruption, loss of money, and, worst of all, the potential loss of life.

Insider Threats

A workforce that has mostly been working remotely for the past year and a half, particularly employees who feel exhausted, overworked, stressed, and perhaps underpaid or underappreciated, is one that is susceptible to insider cyber attacks.

These attacks might be malicious in nature. According to Tessian, a study of the causes of data breaches that occurred between March and July 2020 determined that 43% of reported breaches were caused by malicious insiders. Among malicious insiders, fraud and financial motivations are the most prevalent drivers of insider crime; offenders span a broad age range and generally hold lower-level positions in the company. They might feel a personal grievance toward the company, or a sense of loss, and seek revenge. Threats include IT sabotage, file transfers, leaks to the media, or something else.

In addition to malicious insiders, the rapid move to a remote workforce has led well-meaning employees to inadvertently do insecure things with work devices, increasing the risk of accidental data loss. Recent research finds that security incidents caused by careless or malicious insiders cost healthcare and pharmaceutical companies nearly $11 million annually. Remote work has also increased the threat from malicious insiders, particularly in large enterprises spread across the world: without the human connection that comes from face-to-face time between employees, the risk increases.

Detect Early Malicious Lateral Movement With An Active Defense

The common element for most sophisticated cyberattacks that have targeted pharmaceutical and life sciences companies is that lateral movement is involved. Attackers establish an initial beachhead (whether through a phishing attack, recruiting an insider, or some other way), and then attempt to pivot from one endpoint to another and another, on the path to a critical Crown Jewel asset.

Cybersecurity teams should use Active Defense techniques to confuse and paralyze attackers at every turn. Continuous auditing of the endpoint environment and automated removal of exploitable credentials and connections shrink the attack surface. Distributed deceptions then catch attackers the moment they interact with planted deceptive data, whether they are attempting a targeted ransomware attack, trying to steal data, or carrying out another intrusion. Finally, detailed source telemetry is available in real time or on demand to accelerate incident investigation and response.
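To make the deception step concrete, here is an added Python example (not Illusive's code) that flags any logon attempt using a planted decoy credential and chains the source and target hosts of those alerts into the attacker's pivot path. The decoy account names, hosts and log format are constructed for illustration.

```python
import re
from datetime import datetime

# Hypothetical decoy (honeytoken) accounts planted in endpoint credential stores.
# No legitimate workflow uses them, so any logon attempt with one is a high-confidence alert.
DECOY_ACCOUNTS = {"svc_backup_lab", "admin_clinical_db"}

# Constructed sample logon events: "<time> <target_host> <user> <source_host> <outcome>"
SAMPLE_EVENTS = """\
2021-05-20T09:12:01 WS-LAB-04 jdoe WS-LAB-04 success
2021-05-20T09:14:33 WS-LAB-04 svc_backup_lab WS-LAB-04 failure
2021-05-20T09:15:02 FS-RESEARCH-01 svc_backup_lab WS-LAB-04 failure
2021-05-20T09:15:40 FS-RESEARCH-01 jdoe WS-LAB-04 success
2021-05-20T09:20:11 DB-CLINICAL-02 admin_clinical_db FS-RESEARCH-01 success
"""
EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (success|failure)$")

def parse_events(text):
    """Parse the constructed log format into dicts (time-ordered), skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, target, user, source, outcome = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "target": target,
                       "user": user, "source": source, "outcome": outcome})
    return sorted(events, key=lambda e: e["time"])

def detect_decoy_use(events, decoys=DECOY_ACCOUNTS):
    """Every logon attempt that used a decoy credential, failures included:
    the attacker had to harvest the planted credential before trying it."""
    return [e for e in events if e["user"] in decoys]

def lateral_path(alerts):
    """Chain source -> target hosts of the alerts, in time order, to reconstruct the pivot path."""
    path = []
    for a in alerts:
        for host in (a["source"], a["target"]):
            if not path or path[-1] != host:
                path.append(host)
    return path

if __name__ == "__main__":
    alerts = detect_decoy_use(parse_events(SAMPLE_EVENTS))
    for a in alerts:
        print(f"ALERT {a['time']} decoy '{a['user']}' tried from {a['source']} on {a['target']} ({a['outcome']})")
    print("pivot path:", " -> ".join(lateral_path(alerts)))
```

The same logic applies to any authentication telemetry in which the account, source host and target host are recorded; the decoy set is the only site-specific input.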

Watch the on-demand webinar at any time, Big Game Ransomware – The evolution of ransomware in the enterprise and how to mitigate the risk

Steve Almquist is Regional Sales Director at Illusive.