Recent Hack of Sangamo Therapeutics Exec Underlines Increased Risk for Biopharma

Sangamo Therapeutics, based in Richmond, California, recently filed a notice with the U.S. Securities and Exchange Commission (SEC) describing a data security breach.

The breach involved a senior executive’s email account and lasted for approximately 11 weeks. Sangamo notified federal law enforcement agencies immediately and hired external network security experts. The investigation apparently did not turn up evidence that any of the company’s networks or other information technology systems were compromised. There is also no evidence that patient personal information, or the personal information of any individual other than the executive, was affected.

However, Reuters notes that “proprietary, confidential and other sensitive information of the Company and other entities was accessed and may have been compromised as a result of the incident.”

The incident underlines what appears to be a trend of cyber thieves attacking the biopharma industry. Researchers with Moscow, Russia-based Kaspersky Lab have identified the trend, particularly in relation to PlugX, which is a remote access tool (RAT) that was used by Chinese-speaking cyber criminals known as Deep Panda, NetTraveler and Winnti.

Kaspersky Lab stated, “PlugX RAT allows attackers to perform various malicious operations on a system without the user’s permission or authorization, including—but not limited to—copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity. PlugX, as with other RATs, is used by cyber criminals to discreetly steal and collect sensitive or profitable information for malicious purposes.”

Yury Nemestnikov Makrushin, a researcher with Kaspersky Lab, notes that medical organizations and life science companies are increasingly the target of hacks. “While the security of the network infrastructure of this sector is sometimes neglected,” he told ITWeb, “the hunt by APTs for information on advancements in drug and equipment innovation is truly worrying. Detections of PlugX malware in pharmaceutical organizations demonstrate yet another battle with cyber criminals that we need to fight.”

In June 2017, Merck & Co. was one of several victims of a worldwide ransomware cyberattack. It was believed to be part of the “Petya” cyberattack that began in Ukraine and hit major companies in Spain, India, the UK and the U.S. In a Twitter statement at the time, Merck said, “We confirm our company’s computer network was compromised today as part of a global hack. Other organizations have also been affected. We are investigating the matter and will provide additional information as we learn more.”

Sangamo stated in the filing, “The Company is continuing to analyze the effects of the incident, along with appropriate remediation of the Company’s information technology systems, and that analysis and the related remediation efforts could ultimately reveal that other Company information technology systems were compromised and/or that additional information was revealed or compromised.”

To diminish further risk, Kaspersky Lab suggests healthcare businesses “Remove all nodes that process medical data from public and secure public web portals, and automatically update installed software using patch management systems on all nodes, including servers.”

Kaspersky also recommends corporate-grade security solutions in combination with anti-targeted attack technologies and threat intelligence. “These are capable of spotting and catching advanced targeted attacks by analyzing network anomalies and giving cyber security teams full visibility over the network and response automation.”
