New Delhi: A group of Chinese, Russian and North Korean hackers have targeted crucial information of India’s top drug and vaccine makers including Serum Institute of India (SII), Bharat Biotech, Zydus Cadila and AIIMS, cyber intelligence firm Cyfirma has found.
Bharat Biotech and SII have developed vaccines against Covid-19 in India, which were approved for emergency use authorisation in the country in January, and Zydus Cadila is involved in the last stage trial of its Covid vaccine. The All India Institute of Medical Sciences (AIIMS) is the country’s apex public hospital and research institute.
Cyfirma, which is backed by US financial firm Goldman Sachs and is based in Singapore and Tokyo, had noticed “eminent threats” to global healthcare companies by hackers between 24 and 26 February.
“The early warnings were identified where we noted the eminent threats related to the IT assets of the global healthcare companies including several Indian firms,” Kumar Ritesh, chief executive officer of Cyfirma, told ThePrint.
According to the firm’s report, these cyberattacks originated from three major state-sponsored threat groups that were primarily based in Russia, China and North Korea.
The report, which was accessed by ThePrint, further noted that apart from India, healthcare companies in the US, UK, Japan, Australia, South Korea, Italy, Spain, Germany, Brazil, Taiwan and Mexico were also targeted.
“Researchers have observed the hacking groups are aiming to steal COVID-19 vaccine related data. This includes vaccine research, medical composition, clinical trials information, logistics and distribution plans,” the report said.
It added that “there is a global competition among nations, and in parallel, there are heightened activities among cybercriminals who are motivated to seek competitive advantage for their countries”.
ThePrint reached AIIMS, SII, Bharat Biotech, Zydus Cadila, Lupin and Sun Pharma via email for a comment but received no response till the time of publishing this report.
A source at SII said the firm was “strengthening” its IT assets but did not confirm or deny the attack.
Vaccine research, trial data draw attention
A key observation from the report highlighted that clinical trial data of vaccines has been of particular interest to these hackers.
“India’s series of clinical trials involving millions of research records is highly valuable. This data can help accelerate research work in aid of producing more effective vaccines,” noted the report, which was submitted to the Indian Computer Emergency Response Team (CERT) — the nodal agency under the Ministry of Electronics and Information Technology that deals with cyber threats.
The report further stated that hackers view India as an easy target as the country’s cybersecurity maturity level is relatively low.
“Cyfirma recommends India CERT authorities to alert the targeted companies and take immediate measures to mitigate these attacks,” it said.
“We have submitted the report but haven’t heard back from CERT if they have forwarded the information to the companies concerned,” said Ritesh, a former top cyber official with British intelligence agency MI6.
His team of researchers also noticed an increased interest in India’s vaccine research and development by these state-sponsored threat actors.
“India was lagging in the COVID-19 vaccine research and started to catch up in the last couple of months. This has drawn the attention of Chinese state-sponsored threat actors whose intentions are to tarnish India’s reputation as well as to disrupt her national vaccination effort,” the report said.
It added: “Russian state-sponsored threat actors are seeking a combination of geopolitical gain as well as financial rewards while Korean threat groups are focused on financial gain.”
North Korea attacks Patanjali, Chinese group targets SII, Bharat Biotech
The report contains details about cyber attack campaigns that are in the making and currently underway.
The Russian hacking group APT 29 has either targeted or is looking to target 18 global pharmaceutical companies, hospitals, healthcare support, universities and research firms, and approving authorities.
These include Pfizer, Cipla, AstraZeneca, Divi’s Labs, Dr. Reddy’s, Abbott India, Torrent Pharma, Zydus Cadila and AIIMS.
Meanwhile, APT 10, the Chinese group, has identified 17 global organisations including Sun Pharma, Ahmedabad Civil Hospital, Lupin, SII, Bharat Biotech and AIIMS.
The North Korean group has identified 14 global organisations including Dr. Reddy’s, Torrent Pharma, SII and Patanjali.
“These groups are either looking at committing cyber crimes at these firms or have already started doing (so),” Ritesh said.
What else is being targeted?
The Cyfirma researchers have observed 15 active hacking campaigns — seven Russian groups, four Chinese, three Korean and one from Iran.
According to them, these hackers are targeting multiple assets of pharmaceutical companies that are investing in medical research, clinical trials and vaccine production.
They also target the vaccine supply chains, national vaccination campaigns, individual and personal information apart from government agencies in charge of approving vaccines, medicines and related appliances.
Vaccine development and implementation tracking systems, clinical trial information, hospital operating details, employee and patient information are also being targeted.
The report noted that the objective of the hackers is to secure sensitive information related to vaccines and medical research for competitive advantage.
The other objectives include exfiltrating vaccine trial information, intellectual property theft, financial gain, business advantage and reputation damage to the competition.