Was Your Company Hacked? Biotech Firms Rush To Deny FIN4 Breach

December 2, 2014
By Riley McDermid, BioSpace.com Breaking News Sr. Editor

Large biotech firms are rushing to deny that they were on a list of healthcare and biopharmaceutical companies targeted by hackers as detailed in a report released this week by security company FireEye, with UCB, Inc. and Gilead Sciences, Inc. confirming to BioSpace, late Tuesday that they had not been hacked.

The report found that two-thirds of the more than 100 companies hacked by the group FIN4 were biotech related, and sources from within companies have told BioSpace that the list includes well-known biotech firms such as Vertex Pharmaceuticals Incorporated and Allergan Inc.

Spokespeople from both companies declined to comment, as did representatives from Merck KGaA, Novo Nordisk and Actelion Ltd.

The group was dubbed FIN4 because of its apparent familiarity with the financial services industry. It appears to have targeted biotech companies for most of 2014 in order to gain a “market edge” in playing the white-hot biotech stock market via clandestinely obtained information.

“We don’t have conclusive evidence, but we believe FIN4 actors are likely American, or are at least native English speakers,” Jen Weedon, threat intelligence manager, told BioSpace. “They seem very familiar with the business of M&A, which is a cottage industry within the financial and legal industries.”

Their targeting of biotech firms may indicate that they have experience in that industry or it may simply be that “this industry tends to be volatile” on the stock market and therefore is a natural target for hackers, she added.

FireEye told BioSpace it was bound by nondisclosure agreements with its clients and could not name them, but did say all but three of the affected organizations are publicly listed. It broke down the companies involved as half in the biotech sector; 13 percent medical device makers; 12 percent medical instrument and equipment manufacturers; and 10 percent drugmakers.

“We have worked to notify as many victims as possible that they have been compromised by FIN4,” said Weedon. “We have also given law enforcement detailed information on our FIN4 research.”

FireEye said the hackers also targeted peripheral businesses, such as health care providers, medical diagnostics and research organizations, and organizations that offer health care planning services.

“FIN4’s victims include Fortune 100 and Fortune 500 companies,” said Weedon. “Typically, the FIN4 actors have targeted the largest M&A deals, possibly because when it came time to make stock trades they would have more ‘noise’ to hide their trading activity.”

FIN4 typically would gain access to a company’s information by sending emails written in “flawless” English to the very heart of a biotech organization’s structure: top-level executives; regulatory, risk and compliance officers; researchers; legal counsel; and even scientists. Recipients would then sometimes be duped into clicking on links that would either direct them to a counterfeit login page, so the hackers could capture their access credentials, or would otherwise give the hackers access to the target’s email account.

“FIN4 appears to be heavily reliant on Tor (software that enables users to browse the Internet anonymously by encrypting their internet traffic and routing it through servers around the world) and has been seen using Tor to log in to victims’ email accounts after obtaining the compromised user credentials,” said the report.

“We have detected at least two User Agents that the actors have used and which can be used to identify potentially suspicious OWA activity in network logs, when paired with originating Tor IP addresses.”

Biotech firms that have been targeted, or fear they may be next, have several concrete steps they can take, said Weedon.

“For avoiding FIN4’s attacks specifically, biotech firms can add two-factor (i.e. password and RSA token) authentication for web access to email, block access from known Tor exit nodes to corporate resources, and disable macros for Microsoft Office documents by default,” she said.
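The detection the report describes (OWA activity paired with a Tor exit IP and a known User Agent) and the "block known Tor exit nodes" advice above both come down to correlating web-mail logs against two lists. The following is an added example, not code from the article or from FireEye; the log layout is a simplified IIS-style line, the Tor exit addresses are constructed from documentation ranges, and the User Agent strings are placeholders because the article does not publish the real ones.

```python
# Constructed sample data. Addresses come from RFC 5737 documentation ranges and are
# NOT real Tor exit nodes; in practice this set is refreshed from a Tor exit list feed.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}
# Placeholders: the article does not name the two FIN4 User Agents FireEye observed.
SUSPECT_USER_AGENTS = ("PLACEHOLDER-UA-1", "PLACEHOLDER-UA-2")

# Constructed OWA/ECP access log lines in a simplified IIS W3C field order:
# date time s-ip method uri query port username client-ip user-agent status
SAMPLE_LOG = """\
2014-11-03 08:12:44 10.0.0.5 POST /owa/auth.owa - 443 jdoe 198.51.100.7 PLACEHOLDER-UA-1 200
2014-11-03 08:15:02 10.0.0.5 GET /owa/ - 443 asmith 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200
2014-11-03 09:01:17 10.0.0.5 POST /owa/auth.owa - 443 cfo 203.0.113.42 Mozilla/5.0+(Windows+NT+6.1) 200
2014-11-03 09:30:55 10.0.0.5 GET /ecp/ - 443 jdoe 192.0.2.10 PLACEHOLDER-UA-2 200
"""


def parse_line(line):
    """Split one log line into named fields; returns None for comments/short lines."""
    parts = line.split()
    if len(parts) < 11 or parts[0].startswith("#"):
        return None
    return {"timestamp": f"{parts[0]} {parts[1]}", "method": parts[3], "uri": parts[4],
            "user": parts[7], "client_ip": parts[8], "user_agent": parts[9], "status": parts[10]}


def classify(entry, tor_exits, suspect_uas):
    """Return the set of reasons a web-mail request looks suspicious (empty if none)."""
    reasons = set()
    if not entry["uri"].lower().startswith(("/owa", "/ecp")):
        return reasons                      # only web-mail paths are in scope
    if entry["client_ip"] in tor_exits:
        reasons.add("tor_exit")
    if any(ua in entry["user_agent"] for ua in suspect_uas):
        reasons.add("suspect_ua")
    return reasons


def find_suspicious_owa_logins(log_text, tor_exits=TOR_EXIT_NODES, suspect_uas=SUSPECT_USER_AGENTS):
    """Flag OWA/ECP requests from Tor exits or with a suspect UA; both together is high confidence."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry, tor_exits, suspect_uas)
        if reasons:
            findings.append({"timestamp": entry["timestamp"], "user": entry["user"],
                             "client_ip": entry["client_ip"], "reasons": sorted(reasons),
                             "confidence": "high" if len(reasons) == 2 else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_owa_logins(SAMPLE_LOG):
        print(f)
```

A medium-confidence hit on a single Tor login is still worth a password reset and a mailbox-rule review for that user, since FIN4 relied on stolen credentials rather than malware.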