Threat Defiance Report

Threat Intelligence: Hacking MSPs to Target Pharmaceuticals


Cyberattacks against pharmaceutical companies cost more than downtime and lost revenue: corporate losses can lead to lawsuits for breach of contract, force clinical trials to be repeated, and delay the release of new medicines. Nation-states want pharmaceutical data to gain a technological edge and to obtain scientific methods and chemical formulas for their own manufacturing and sales. China is the largest perpetrator. Although a 2015 U.S.-China agreement was meant to halt cyber intrusions aimed at theft of intellectual property, China-sponsored intrusions continue.


Recently, a new campaign by a China-based cyber actor has targeted pharmaceutical companies (among other industries), apparently in search of trade secrets to exploit in Chinese markets. The actor, APT10 (aka CVNX, Stone Panda, MenuPass, and POTASSIUM), compromised managed service providers (MSPs) and took advantage of the infrastructure shared between MSPs and their customers to steal data. MSPs are routinely granted remote access to customer networks, and sometimes hold customer data on their own servers, so a single MSP compromise opens a path into many victims at once. Adversaries move laterally from the MSP network into customer networks, expanding the pool of data available to them.

APT10 reached multiple customers of the same MSP either with malware such as PlugX, RedLeaves, or the Quasar RAT, or simply with legitimate, stolen MSP credentials. In some cases APT10 also routed exfiltrated intellectual property through MSP infrastructure, so that the traffic left the victim's network looking like ordinary MSP activity and evaded the victim's defenses.

Beijing-sponsored actors will likely continue to target intellectual property despite the 2015 U.S.-China agreement, and will keep finding new ways to exploit victims and avoid detection. China's Thirteenth Five Year Plan (2016-2020), the all-inclusive document describing China's national goals, explicitly sanctions a culture of appropriating foreign technology to improve Chinese businesses.
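The tradecraft described above (stolen MSP credentials, lateral movement from the MSP into customer hosts, and exfiltration through MSP address space) leaves three signals a customer can look for in its own logs. The script below is an added example, not code from the report or from PwC/BAE; the account names, IP ranges, thresholds and log lines are all constructed for illustration. It assumes the customer keeps an inventory of which accounts and which source ranges belong to its MSP, and flags (1) MSP accounts logging on from outside the MSP's known ranges, (2) an MSP account fanning out to many distinct hosts in a short window, and (3) bulk outbound transfers from internal hosts to MSP address space.

```python
"""Detection sketch for MSP-account misuse in a customer network (added example).

Assumptions (hypothetical inventory, not from the report): the customer knows
which accounts its MSP uses and which source ranges its MSP connects from.
Log lines are constructed: "ts user src_ip dst_host" for logons and
"ts src_host dst_ip bytes_out" for egress flows.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed inventory (hypothetical values).
MSP_ACCOUNTS = {"svc_msp_admin", "msp-helpdesk"}
MSP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # hypothetical MSP jump-host range
FANOUT_THRESHOLD = 5                                    # distinct hosts touched by one MSP account...
FANOUT_WINDOW = timedelta(minutes=30)                   # ...within this window
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024               # 500 MiB out to MSP space in one flow

# Constructed logon events: only 203.0.113.10 and .22 are legitimate MSP sources.
SAMPLE_LOGONS = """\
2017-04-03T02:14:00 svc_msp_admin 203.0.113.10 fileserver01
2017-04-03T02:15:10 svc_msp_admin 198.51.100.7 fileserver01
2017-04-03T02:16:02 svc_msp_admin 198.51.100.7 fileserver02
2017-04-03T02:17:30 svc_msp_admin 198.51.100.7 dc01
2017-04-03T02:19:45 svc_msp_admin 198.51.100.7 labdata03
2017-04-03T02:21:12 svc_msp_admin 198.51.100.7 labdata04
2017-04-03T09:02:00 jsmith 10.20.30.40 fileserver01
2017-04-03T09:05:00 msp-helpdesk 203.0.113.22 ws-0412
"""

# Constructed egress flows: one large transfer from a research host to MSP space.
SAMPLE_FLOWS = """\
2017-04-03T02:30:00 labdata03 203.0.113.10 1800000000
2017-04-03T02:31:00 ws-0412 203.0.113.22 4500
2017-04-03T09:10:00 fileserver01 10.20.30.40 120000
"""


def in_msp_range(ip):
    """True if the address falls inside any known MSP range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MSP_RANGES)


def parse_logons(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "dst": dst})
    return events


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_host, dst, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src_host": src_host,
                      "dst": dst, "bytes": int(nbytes)})
    return flows


def find_offrange_msp_logons(events):
    """Signal 1: an MSP account used from a source the MSP does not own."""
    return [e for e in events if e["user"] in MSP_ACCOUNTS and not in_msp_range(e["src"])]


def find_msp_fanout(events):
    """Signal 2: an MSP account touching many distinct hosts in a short window.

    Returns one alert per account: (user, window start, sorted hosts).
    """
    by_user = defaultdict(list)
    for e in events:
        if e["user"] in MSP_ACCOUNTS:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append((user, start["ts"], sorted(hosts)))
                break
    return alerts


def find_bulk_transfers_to_msp(flows):
    """Signal 3: large outbound flows into MSP address space (exfil via the MSP)."""
    return [(f["src_host"], f["dst"], f["bytes"])
            for f in flows if in_msp_range(f["dst"]) and f["bytes"] >= EXFIL_BYTES_THRESHOLD]


if __name__ == "__main__":
    logons = parse_logons(SAMPLE_LOGONS)
    for e in find_offrange_msp_logons(logons):
        print("off-range MSP logon:", e["ts"], e["user"], e["src"], "->", e["dst"])
    for user, start, hosts in find_msp_fanout(logons):
        print("MSP account fan-out:", user, "from", start, "hosts:", hosts)
    for src_host, dst, nbytes in find_bulk_transfers_to_msp(parse_flows(SAMPLE_FLOWS)):
        print("bulk transfer to MSP space:", src_host, "->", dst, nbytes, "bytes")
```

The caveat a practitioner should keep in mind: signal 1 only fires when the attacker uses the stolen credentials from somewhere other than the MSP's own jump hosts. When APT10 operated from inside the MSP, as the report describes, the logons came from legitimate MSP sources, and only the fan-out pattern, the time of day, and the egress volume to MSP space remain as indicators. Those thresholds have to be tuned against the MSP's normal maintenance behaviour for the customer, or they will either drown in noise or miss the activity.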

Nation-states are not the only adversary targeting pharmaceuticals. For several years, hacktivists operating under the umbrella of the Anonymous collective have conducted OPERATION PHARMA, targeting private corporations in the pharmaceutical and biotechnology industries. This year's campaign allegedly targeted over 600 companies, but appears to have had limited effect to date.

Source: PwC and BAE Systems, Operation Cloud Hopper report, https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf