Chinese Hackers After Keys to the Pharma Kingdom

By CybelAngel Wed Sep 9, 2020
Governments and hackers chase COVID-19 vaccine

When the World Health Organization declared COVID-19 a pandemic in early March, two things happened: governments and pharmaceutical companies around the world went into overdrive to find a vaccine, and Chinese hackers stepped up their efforts to steal the data and intellectual property (IP) this vast effort was producing.

The Chinese government has denied these allegations, but Chinese hacking is nothing new. According to reporting over the past decade, Chinese hackers have worked diligently to break into the networks and systems of pharmaceutical companies around the world.

The aim is as simple as it is criminal: find and pilfer as much personally identifiable information (PII), employee data (including names, titles, usernames, and passwords), and IP as possible.

Unlike credit card data and Social Security numbers, which usually show up for sale on the Dark Web, this information is typically used not to make money but to give state-affiliated and state-sponsored Chinese companies a competitive advantage (even though it is widely reported that many hackers are state-sponsored, which means they are compensated).

This is particularly true in the race to find a COVID-19 vaccine. The first company to market with a viable, safe, and widely available vaccine stands to make billions of dollars. The nation that produces the first vaccine (Russia’s claims aside) also stands to raise its global image considerably.

The Chinese also stand accused of stealing research data and IP on cancer and other diseases to boost their domestic drug development capabilities while helping the country achieve its ambitious Made in China 2025 plans.

IP is more valuable than you may think

While it may seem on the surface that only individual companies’ IP and potential profits are at risk, nothing could be further from the truth. At stake is a massive percentage of US GDP. 

According to the Global Innovation Policy Center (GIPC), “America’s IP is worth $6.6 trillion, more than the nominal GDP of any other country in the world. IP-intensive industries account for over one third, or 38.2%, of total U.S. GDP. IP accounts for 52% of all U.S. merchandise exports, which amounts to nearly $842 billion.

The direct and indirect economic impacts of innovation are overwhelming, accounting for more than 40% of U.S. economic growth and employment … IP-intensive industries employ over 45 million Americans, and hundreds of millions of people worldwide.” 

At the corporate level, “the importance of intellectual property is even more pronounced,” said IP law firm Heer Law. “The value of intellectual property exceeds 65% for Fortune 500 companies and exceeds 90% for certain technology-based companies within the list (Wilson, 2010).”

With the race to find treatments and a vaccine in full swing, drug development IP is more valuable than ever. The active targeting and theft of this data in a time of global need may make it much harder for drug companies to justify the opportunity costs many are bearing by devoting so much time, energy, and resources to COVID-19. 

U.S. pharmaceutical companies are particularly juicy targets. According to the GIPC, “57% of all new medicines come from the United States and private biopharmaceutical companies make up more than 80% of the investment in the research and development of those new drugs.”

It is little wonder the Chinese are so interested in IP. It takes years of effort and, in the case of the pharmaceutical industry, billions of dollars to create. But the hackers are after more than just IP. Corporate organizational charts, PII about managers and executives, credentials, and of course usernames and passwords also are very valuable.

These documents and data, when combined with social media mining about the personal lives of employees, give hackers a roadmap to an organization’s structure and daily life. This allows them to micro-target just the individuals they need to escalate their attacks. Even CAD drawings that show the physical layout of facilities and where the checkpoints like card readers are placed are fair game these days.

Most networks all too vulnerable

Unfortunately, it is still relatively easy to infiltrate even the best corporate cyber defenses. Chinese hackers breached Equifax via a known but unpatched vulnerability in a web server. A three-day vulnerability scan conducted by CybelAngel in 2020, looking for the SMBv1 Windows protocol vulnerability that allowed the WannaCry virus to spread like wildfire in 2017, uncovered 343,000 unpatched servers.

People fall for spear phishing emails that take them to credential stealing spoof websites all the time. Whaling, where an organization’s leadership is targeted, is common. And then there is just the old-school insider threat. 

In September of 2018, for example, while working for GlaxoSmithKline, scientist Tao Li was indicted for sending GlaxoSmithKline scientific documents and trade secrets to a front company he had set up in China.

What’s needed to combat these threats is to implement a multi-layered, defense-in-depth strategy to keep hackers out in the first place; develop a culture of cyber security within the organization that assumes everyone and every device is a threat; and then understand where the leaks are most likely to occur and block them before they become breaches.

This requires actively monitoring not only the corporate network for leaks but every network and device, including Internet of Things (IoT) devices, that accesses it. It also means scanning the entirety of the internet (e.g., connected storage, cloud apps, open databases/datasets, surface web, deep and dark web) for breached data and tracing it back to its source.

While cybersecurity can never stop every exploit, a strong, determined, systematic approach that focuses on the most valuable data and vulnerable endpoints can, in most instances, unmask and stop data leaks before they become headlines.