News broke yesterday about a serious cyber-attack (in a week of serious cyber-attacks) on the European Medical Agency. If ever you need proof that nefarious actors in cyberspace have no morals, and operate to no ethical code, you need only look at this news, writes Ellie Hurst, of the info-security awareness consultancy Advent IM.
The European Medical Agency is working on approval of two Covid-19 vaccines, which it expects to conclude within weeks and now it has been subjected to a cyber-attack; a new low has been reached.
The Agency has not yet issued any further information on the scope and nature of the attack and has simply said that a full investigation has been launched in close cooperation with law enforcement and other relevant entities. Whilst the Agency has not said whether there is a connection to their work with the vaccine or not, given that it comes a day before they are due to brief MEP’s on the progress of vaccine assessments, well, readers can draw their own conclusions.
Rather than speculate on motive however, in part because as regular followers will know we often say don’t assume you know the motive behind a cyber-attack, what I do want to say is that the fact the EMA is assessing vaccines and is due to brief MEPs, is open source, widely available information. Whether the attack was connected with the vaccine or not, anyone conducting the attack will have known that an attack had the potential to disrupt and delay the approval process for a medicine which has the potential to change millions of people’s lives for the better.
One thing we do know for certain is that cyber criminals and those allied with organised crime groups, have been raising the level of impact on people for a few years now. Inconvenience, disruption or exfiltration of data or financial assets may have been the purpose in years gone by. But the steady escalation to ransomware that endangers lives, is now part of our lives and should be part of our security regimen too. Authorities in Germany, for instance are looking into a ransomware attack on IT systems in a hospital that tragically resulted in the death of a patient. Imagining that a bad actor would therefore never target something that would risk life on a widespread scale, seems naïve now.
If we link this to news of sophisticated attacks on pharmaceutical companies and the statement from IBM that it had tracked a campaign which targeted organisations linked to the Cold Chain Equipment Optimisation Platform (CCEOP) of Gavi, the international vaccine alliance and the World Health Organization (WHO) among others (two of the vaccines require significant cold storage during transportation) and there starts to emerge a compelling picture in favour of this being a coordinated campaign by serious hostile actors.
Whether attacks from cyberspace come from nation states (or attacks they sponsor because we have to acknowledge the relationship between some rogue states and transnational organised crime groups), organised criminal groups acting unilaterally or simply those out to cause harm upon society, we must never for one minute think that there is genuinely any interest in the harm such attacks may wreak upon society. Indeed, sometimes the agenda may be exactly the opposite. Whichever way you look at this, the stakes are high on both sides.
The latter part of this year has shown once more why we believe it is more important than ever that the use of cyberspace as a ‘legitimate’ arena of warfare and conflict, for state on state or otherwise needs to be addressed. The new ‘weapons of mass destruction’ are no longer nuclear, biological or chemical, they are cyber, they are without convention and they have more potential than other to cause widespread threat to life.
To make a convention work, we need all nations to subscribe and commit, however the current state of play is that those nations we most want to cooperate, do not. I would question if this most recent escalation and the timing should force us to again redouble our call for a Geneva Convention on cyber weapons. Even if this latest attack proves not to be a hostile nation state, we know that the will to do serious harm through cyberspace exists and is a genuine threat.
More on the Advent IM blog.
