Attacks/Breaches

7/31/2017
05:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Ransomware Attack on Merck Caused Widespread Disruption to Operations

Pharmaceutical giant's global manufacturing, research and sales operations have still not be full restored since the June attacks.

New information released last week by pharmaceutical giant Merck reveals that a cyberattack that hit the company on June 27 caused significantly more disruption to its operations than many might have assumed.

In details included during Merck's earnings announcement July 28, the company described the attack as disrupting worldwide manufacturing, research and sales operations, and impacting its ability to fulfill orders for some products in certain markets.

Even more than one month after the attack, certain operations at Merck, continue to be impacted and the company still does not know the full magnitude of the disruption. Merck so far only been able to fully restore its packaging operations since the attack.

Manufacturing and formulation operations are still only in the process of being restored and so too is Merck's Active Pharmaceutical Ingredient (API) operations. Bulk product production, which was halted after the attack, has not yet resumed.

"The company’s external manufacturing was not impacted," Merck noted in its earnings statement.

Neither, apparently, was production of some of Merck's biggest products including cancer drug Keytruda, anti-diabetes medication Januvia, and Hepatitis C drug Zepatier. "In addition, Merck does not currently expect a significant impact to sales of its other top products," it said.

Merck has so far not publicly released technical details of the June 27 cyberattack, so it's not clear just what caused the widespread disruption reported in the earnings announcement. But many security experts believe the company was among the many caught up in the NotPetya ransomware outbreak last month.

Security analysts tracking NotPetya had at the time described it as a more sophisticated version of May's WannaCry global ransomware pandemic. Like WannaCry, NotPetya also attempted to spread via Server Message Block (SMB) shares using EternalBlue, a leaked exploit from the National Security Agency (NSA). Unlike WannaCry, however, NotPetya employed other methods to spread as well and was generally considered more professional and harder to eradicate than its predecessor.

Kaspersky Lab and others tracking the malware estimated that NotPetya hit at least 2,000 organizations globally including Merck, A.P. Moller-Maersk of Denmark, metal giant Evraz of Russia, and Ukraine's Boryspyl Airport.

Merck is the second major organization in recent weeks to publicly disclose a major disruption after a ransomware attack. In June, automaker Honda disclosed that it had to shutter a manufacturing plant in Sayama Japan for a couple of days after WannaCry infected plant floor systems at the facility. Production on some 1,000 vehicles was disrupted as a result of the shutdown.

"When it comes to ransomware and how it takes hold in every organization, nothing surprises me anymore," says Eldon Sprickerhoff, founder and chief security strategist of eSentire. "Best practice in manufacturing environments will mandate a strong network segregation stance between corporate and industrial, but the reality is that there are always access overlaps."

Such incidents highlight the need for any organization with highly sensitive networks to conduct risk assessments to identify critical assets, identify all access methods, and to identify the risks to those assets via the access methods.

They need to identify the controls they have in place to determine if they are sufficient and continuously monitor for signs of exploits and compromise, Sprickerhoff says.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/1/2017 | 9:14:33 AM
Business Continuity Plan?
Ok, so they got it bad.  And it could be through the update applied to an accounting program or some stupid user opening an infected email.  (Security practice - all users should NOT do this EVER).  I have read that some staff at Merck discovered they did not know if the backup-restore protocol worked.  My view of Ransomware, at heart, is that it is so similiar to a data center crash it is not funny.  Local desktops should be reimaged by a variety of means - PXE Boot, GHOST or whatever.  Restoration of data SHOULD be on server and NOT on user desktop.  (Oh, it can be backed up easier too if on server).  And thirdly the difference between encrypted files and crashed hard drive files is nil.  BOTH scenarios mean you cannot get to your stuff.  Merck should have had a verified, tested DR plan in place.  Apparently????
PeterL85702
100%
0%
PeterL85702,
User Rank: Apprentice
7/31/2017 | 7:56:10 PM
Why?
...are you still calling NotPetya ransomware??  It wasn't; it's clear from reporting all over the world that this was NEVER intended to be ransomware, but a wiper and the target was Ukrainian businesses. That Merck was impacted was probably an unintended consequence, but one that was no doubt welcomed by the attackers. After all, if Western companies do business in Ukraine, then the Russian hackers/attackers will naturally think of them as legitimate targets.
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
7 Ways to Keep DNS Safe
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Locked device, Ha! I knew there was another way in.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-15137
PUBLISHED: 2018-07-16
The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed.
CVE-2017-17541
PUBLISHED: 2018-07-16
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.4 and below versions, FortiAnalyzer 6.0.0, 5.6.4 and below versions allows inject Javascript code and HTML tags through the CN value of CA and CRL certificates via the import CA and CRL certificates feature.
CVE-2018-1046
PUBLISHED: 2018-07-16
pdns before version 4.1.2 is vulnerable to a buffer overflow in dnsreplay. In the dnsreplay tool provided with PowerDNS Authoritative, replaying a specially crafted PCAP file can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution. This buffer overflow ...
CVE-2018-10840
PUBLISHED: 2018-07-16
Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image.
CVE-2018-10857
PUBLISHED: 2018-07-16
git-annex is vulnerable to a private data exposure and exfiltration attack. It could expose the content of files located outside the git-annex repository, or content from a private web server on localhost or the LAN.