Published on 02 Mar 2020

Updated on 02 Mar 2020

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


Research and development (R&D) in the pharmaceutical industry has produced scientific breakthroughs, which has helped to treat health conditions and save lives. Pharmaceutics is a lucrative industry, dominated by global multinational corporations. The global market for pharmaceutics reached US$1.2 billion in 2018, increasing by about US$100 billion from 2017.

Figure 1: Spending and revenue by top pharmaceutics companies in 2019


Yet, this flourishing industry has been plagued by cyber-attacks, with actors ranging from crime syndicates, business competitors and even Advanced Persistent Threats (APT) groups. Proprietary information on trade secrets, drug patents and clinical trials data are valuable commodities for cybercriminals, and the increasing digitalisation of the industry has helped fuel cyber-attacks.

This issue of CyberSense looks at the trend of cyber-attacks within the pharmaceutical industry.





In July 2019, Swiss pharmaceutics company Roche announced that it was hit by the Winnti malware. Roche informed that it had detected and deflected the attack. Attacks were also launched on companies in other sectors, including Siemens, BASF, Henkel, Marriot, Lion Air and Sumitomo.

Cybersecurity firms, including MITRE and ProtectWise, have previously assessed that Winnti - which also uses the malware going by the same name - is quite likely an umbrella grouping of threat actors with links to a country. The group is noted for its wide and diverse range of interests, which includes online gaming, aerospace, chemicals and pharmaceutics. The Winnti malware typically operates by using stolen certificates to sign the malware, and is designed to seek specific processes on the victim’s computer to run the malicious code. Winnti was observed to use a rootkit to modify the functionality of the victim’s servers.



The cyber-attack on Roche bore similar hallmarks to a separate attack on Bayer, the German pharmaceutics company. The malicious attack on its network was first noticed by officials in 2018, who decided to isolate and monitor the malware to determine its purpose, rather than sanction an immediate removal of the malware. The malware was eventually removed in March 2019 after the conclusion of the investigation, and the company made a public announcement in April 2019.

Bayer officials said that the threat was contained, and there was no evidence of data theft or third-party data compromise. Bayer later accused the state-sponsored APT threat group Wicked Panda, which was believed to be affiliated to the Winnti group, of the attack.

For these two cases, the perpetuator’s goals may be tied to industrial espionage, to gain access to trade secrets and business plans. The information held by the pharmaceutics industry would be highly valuable to countries looking to develop their own indigenous industry or to address domestic healthcare needs, if the cyber-attacks were indeed state-sponsored. With the high costs of pharmaceutics R&D, the stolen data may be game-changing, providing the country an added advantage for drug development.



Pharmaceutics giant Merck was a victim of collateral damage during the NotPetya ransomware attacks that emerged in June 2017. The malware took down Merck’s global manufacturing operations, and affected its formulation and packaging systems. The financial damage suffered by the company provided a stark example of how damaging such cyber-attacks can be, with losses estimated to be in the region of US$915 million.

Merck was one of many organisations worldwide affected by the NotPetya malware. The UK and US pointed the finger at Russia, claiming that the latter initiated the attacks to disrupt the Ukrainian government and its entities and cause severe disruptions to the economy. Looking at the extensive damage suffered by Merck, it is clear that firms may suffer from catastrophic repercussions even if they are not the intended victims.

Read more on Health IT Security, Deutsche Welle, and Fierce Pharma.



Eurofins Scientific

Food and biopharma testing company Eurofins Scientific confirmed on 3 June 2019 that part of its IT systems had been affected by a strain of ransomware, which caused disruption to its operations. The attack was described by the company to be “highly sophisticated”, and the malware used was a new variant that evaded its existing cybersecurity solutions. On 5 July 2019, BBC News reported that the company had paid the ransom to the hackers to restore its IT systems, although the actual ransom amount was unknown. 


Charles River Laboratories

On 1 May 2019, the US biotechnology and pharmaceutics company Charles River Laboratories confirmed a cybersecurity breach, reporting that part of its IT systems were hacked by intruders who exfiltrated some client data before the company could contain the attack. The company disclosed that around 1% of client data was stolen. The cyber-attacks on Eurofins Scientific and Charles River have not been attributed to any specific attackers, although APT threat actors cannot be ruled out. Notwithstanding, it is equally plausible that non-APT groups - such as cybercriminal gangs and lone hackers - may want to attain IP and clinical test results that could be sold to fledgling/rival pharmaceutics firms. The stolen data could potentially allow these firms to beat off competition to develop and launch its own “blockbuster” drugs, even if it means that the product might not have gone through adequate clinical trials and tests.

Read more on BBC and Cyber Security Hub.


Peddling of counterfeit drugs online

Cybercrime in the pharmaceutics industry also adversely affects the general public. Criminal gangs use the Internet to peddle fake drugs, which are sold considerably cheaper than the legitimate versions. These sellers frequently operate as bogus online pharmacies or anonymous private sellers.

Rogue online pharmacies have been blamed for opioid misuse in US, with more than 130 people dying each day from opioid overdose. To combat the opioid crisis, the US Food and Drug Administration (FDA) and the Drug Enforcement Administration (DEA) issues joint warning letters to website operators that were illegally marketing and selling opioids. On 30 September 2019, the FDA and DEA announced that warnings were sent to four Internet pharmacy networks that were operating such websites. The networks named were Divyata, Euphoria Healthcare, JCM Dropship and Meds4U.

The threat posed by such online bogus pharmacies cannot be underestimated. In January 2019, it was reported that a surge in the number of deaths of homeless people in Glasgow, UK, was linked to illegal versions of prescription tranquillisers that have flooded the market over the past year. The deaths were believed to be linked to fake Valium pills, which criminal gangs have been peddling online at a fraction of the cost of genuine tablets.

Read more on CNN and The Guardian.



Singapore could also be adversely impacted. The economic impact to Singapore, should our pharmaceutical industry be affected by a mass ransomware infection, on a scale similar to the WannaCry and NotPetya outbreaks, cannot be understated. Pharmaceutics is a key pillar - about 15% - of Singapore’s manufacturing sector, with output measuring ~S$16 billion each year. The domestic market has also been expanding steadily, quite likely driven by the ageing population. Major multinationals such as GlaxoSmithKline (GSK), Sanofi and Pfizer already have a presence in Singapore. As a first line of defence, companies should ensure that valuable and sensitive data are adequately backed up, and their IT systems sufficiently patched/reviewed.

Figure 2: Singapore pharmaceutical industry 2014-2023 (Source: Market Research Future)


The actors and motivations of cybercrime in the pharmaceutics industry are varied. Cyber-attacks by APT groups could be tied to cyber espionage to access IP or business plans to benefit competitors and aid the government’s national objectives. For cybercriminals, data stolen from pharmaceutical firms can either be sold on the Dark Web or to business rivals, or ransomed back to companies who are deeply reliant on IP. Regardless, the threats to pharmaceutical firms will only increase as the industry focuses on deeper - and potentially more lucrative - research into cutting-edge biomedical technologies and revolutionary drugs. 



BBC, CNN, Cyber Security Hub, Deutsche Welle, Economic Development Board, Fierce Pharma, Health IT Security, and The Guardian