Attacks/Breaches

7/31/2017
05:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Ransomware Attack on Merck Caused Widespread Disruption to Operations

Pharmaceutical giant's global manufacturing, research and sales operations have still not be full restored since the June attacks.

New information released last week by pharmaceutical giant Merck reveals that a cyberattack that hit the company on June 27 caused significantly more disruption to its operations than many might have assumed.

In details included during Merck's earnings announcement July 28, the company described the attack as disrupting worldwide manufacturing, research and sales operations, and impacting its ability to fulfill orders for some products in certain markets.

Even more than one month after the attack, certain operations at Merck, continue to be impacted and the company still does not know the full magnitude of the disruption. Merck so far only been able to fully restore its packaging operations since the attack.

Manufacturing and formulation operations are still only in the process of being restored and so too is Merck's Active Pharmaceutical Ingredient (API) operations. Bulk product production, which was halted after the attack, has not yet resumed.

"The company’s external manufacturing was not impacted," Merck noted in its earnings statement.

Neither, apparently, was production of some of Merck's biggest products including cancer drug Keytruda, anti-diabetes medication Januvia, and Hepatitis C drug Zepatier. "In addition, Merck does not currently expect a significant impact to sales of its other top products," it said.

Merck has so far not publicly released technical details of the June 27 cyberattack, so it's not clear just what caused the widespread disruption reported in the earnings announcement. But many security experts believe the company was among the many caught up in the NotPetya ransomware outbreak last month.

Security analysts tracking NotPetya had at the time described it as a more sophisticated version of May's WannaCry global ransomware pandemic. Like WannaCry, NotPetya also attempted to spread via Server Message Block (SMB) shares using EternalBlue, a leaked exploit from the National Security Agency (NSA). Unlike WannaCry, however, NotPetya employed other methods to spread as well and was generally considered more professional and harder to eradicate than its predecessor.

Kaspersky Lab and others tracking the malware estimated that NotPetya hit at least 2,000 organizations globally including Merck, A.P. Moller-Maersk of Denmark, metal giant Evraz of Russia, and Ukraine's Boryspyl Airport.

Merck is the second major organization in recent weeks to publicly disclose a major disruption after a ransomware attack. In June, automaker Honda disclosed that it had to shutter a manufacturing plant in Sayama Japan for a couple of days after WannaCry infected plant floor systems at the facility. Production on some 1,000 vehicles was disrupted as a result of the shutdown.

"When it comes to ransomware and how it takes hold in every organization, nothing surprises me anymore," says Eldon Sprickerhoff, founder and chief security strategist of eSentire. "Best practice in manufacturing environments will mandate a strong network segregation stance between corporate and industrial, but the reality is that there are always access overlaps."

Such incidents highlight the need for any organization with highly sensitive networks to conduct risk assessments to identify critical assets, identify all access methods, and to identify the risks to those assets via the access methods.

They need to identify the controls they have in place to determine if they are sufficient and continuously monitor for signs of exploits and compromise, Sprickerhoff says.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/1/2017 | 9:14:33 AM
Business Continuity Plan?
Ok, so they got it bad.  And it could be through the update applied to an accounting program or some stupid user opening an infected email.  (Security practice - all users should NOT do this EVER).  I have read that some staff at Merck discovered they did not know if the backup-restore protocol worked.  My view of Ransomware, at heart, is that it is so similiar to a data center crash it is not funny.  Local desktops should be reimaged by a variety of means - PXE Boot, GHOST or whatever.  Restoration of data SHOULD be on server and NOT on user desktop.  (Oh, it can be backed up easier too if on server).  And thirdly the difference between encrypted files and crashed hard drive files is nil.  BOTH scenarios mean you cannot get to your stuff.  Merck should have had a verified, tested DR plan in place.  Apparently????
PeterL85702
100%
0%
PeterL85702,
User Rank: Apprentice
7/31/2017 | 7:56:10 PM
Why?
...are you still calling NotPetya ransomware??  It wasn't; it's clear from reporting all over the world that this was NEVER intended to be ransomware, but a wiper and the target was Ukrainian businesses. That Merck was impacted was probably an unintended consequence, but one that was no doubt welcomed by the attackers. After all, if Western companies do business in Ukraine, then the Russian hackers/attackers will naturally think of them as legitimate targets.
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable v...
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in Sensitive information disclosure and remote code execution. This attack appear to be exploitable remotely if the /backend pat...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fix...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provide...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially c...