Covid-19 vaccines currently under development have become the object of significant international intrigue and drama. Most recently, the European Medicines Agency (EMA) announced that it was the victim of a cyber-attack that succeeded in stealing data related to Pfizer and BioNTech’s Covid-19 mRNA vaccine, which is being rolled out in the UK, US and Canada.

An initial review by the EMA revealed that ‘a limited number of documents belonging to third parties were unlawfully accessed’, and the full investigation demonstrated that ‘data has been breached,’ the EMA said on 11 December.

An illustration on the topic of vaccines and cybersecurity

Source: © Roy Scott/Ikon Images

More specifically, Pfizer and BioNTech revealed in a separate statement that documents relating to the regulatory submission for their Covid-19 vaccine BNT162b2, which had been stored on an EMA server, were ‘unlawfully accessed’. The EMA has offered assurances that the cyber-attack will have no impact on the timeline for its review of the vaccine, the companies said.

The EMA breach followed announcements by IBM’s cybersecurity division X-Force and the US Department of Homeland Security (DHS) in early December that a series of cyber-attacks had been launched against companies and government organisations distributing Covid-19 vaccines. These attacks were directed at the vaccine distribution network’s cold supply chain, which enables the vaccine to be delivered at safe temperatures.

IBM’s analysis indicates that the hacking operation began in September 2020, and involved a phishing campaign that spanned six countries. The company concluded that the culprit is probably very familiar with critical components and participants of the cold supply chain, which include solar panel manufacturers and makers of dry ice.

Impersonating and phishing

These hackers operated by impersonating a biomedical company and sending phishing emails to corporate executives and global organisations involved in vaccine storage and transport, the DHs explained. The goal was to try to get hold of the recipients’ account credentials and gain unauthorised access to internal communications, as well as information about the process, methods and plans to distribute a Covid-19 vaccine.

‘Physically, if you break the cold chain, the vaccine is useless, you’ve basically destroyed it,’ says Andrew Ginter, the vice president of industrial security at the Israel-based operational security company Waterfall Security. Pfizer and BioNTech’s vaccine, for example must be kept at between -70C and -80C for up to 15 days.

The potential theft of this information jeopardises the delivery of secure, effective, and efficient treatment options

In early December, the UK became the first country to grant emergency use authorisation for BNT162b2 to prevent the novel coronavirus. Within just over a week, regulators from Health Canada and the US Food and Drug Administration had approved emergency use of the vaccine. The product has been shown to be 95% protective against the virus in people 16 years and older, and its safety profile is similar to that of other viral vaccines.

Concerns about international cyber-attacks aimed at medical research related to the novel coronavirus gained attention in May, when the US Federal Bureau of Investigation and DHS formally accused China of trying to use computer espionage to pilfer information about Covid-19 vaccine candidates from the US and its allies.

‘These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with Covid-19-related research,’ the agencies said. ‘The potential theft of this information jeopardises the delivery of secure, effective, and efficient treatment options.’

Western intelligence agencies have also made similar claims against Russia. In July, the UK National Cyber Security Centre concluded that hackers likely operating as part of Russia’s intelligence services are targeting research organisations involved in Covid-19 vaccine development in the UK, US and Canada. Officials from all three countries agreed with the assessment.

Beyond the virtual

Just a few months later, in November, Microsoft cautioned about a surge in Windows attacks against Covid-19 vaccine researchers and manufacturers. ‘In recent months, we’ve detected cyber-attacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19,’ the company said in a blogpost. The assaults – whose targets include pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the US – came from an actor originating from Russia and two others originating from North Korea, according to Microsoft.

There are indications that these attacks go beyond the online realm, and are aimed at more than a few countries. In early December, Interpol warned its nearly 200 member nations – which include the US, UK and Canada – to prepare for organised crime networks targeting Covid-19 vaccines, through virtual as well as physical means.

‘As governments are preparing to roll out vaccines, criminal organisations are planning to infiltrate or disrupt supply chains,’ said Jürgen Stock, Interpol’s secretary general. He urged law enforcement to be be prepared for ‘an onslaught of all types of criminal activity’ linked to the Covid-19 vaccine.

‘I am not surprised that the manufacturers of Covid-19 vaccines are being targeted – not just by the nation-states, but by ransomware groups as well,’ Ginter tells Chemistry World, noting that the two often intersect. ‘If the ransomware criminals can find the factory network that produces a Covid-19 vaccine and disrupt that, then they might get a ransom – these are high value targets in the middle of a crisis.’

Ginter stresses that pharmaceutical companies making these vaccines are also vulnerable to theft of their confidential data and trade secrets because that information is very valuable right now. He suggests that Covid-19 vaccines will continue to be an object of such attacks for at least 18 months.

Vaccine patents are public, and only information that has not yet been patented is confidential, Ginter explains. He says it is likely that Covid-19 vaccine information will become less valuable to cyber-attackers once a critical mass of patents and patent applications relating to current research efforts have been made public.