Dark Reading is part of the Informa Tech Division of Informa PLC



7/31/2017
05:45 PM

Ransomware Attack on Merck Caused Widespread Disruption to Operations

Pharmaceutical giant's global manufacturing, research and sales operations have still not been fully restored since the June attack.

New information released last week by pharmaceutical giant Merck reveals that a cyberattack that hit the company on June 27 caused significantly more disruption to its operations than many might have assumed.

In details included during Merck's earnings announcement July 28, the company described the attack as disrupting worldwide manufacturing, research and sales operations, and impacting its ability to fulfill orders for some products in certain markets.

Even more than one month after the attack, certain operations at Merck continue to be impacted, and the company still does not know the full magnitude of the disruption. Merck has so far only been able to fully restore its packaging operations since the attack.

Manufacturing and formulation operations are still only in the process of being restored, and so too are Merck's Active Pharmaceutical Ingredient (API) operations. Bulk product production, which was halted after the attack, has not yet resumed.

"The company’s external manufacturing was not impacted," Merck noted in its earnings statement.

Neither, apparently, was production of some of Merck's biggest products including cancer drug Keytruda, anti-diabetes medication Januvia, and Hepatitis C drug Zepatier. "In addition, Merck does not currently expect a significant impact to sales of its other top products," it said.

Merck has so far not publicly released technical details of the June 27 cyberattack, so it's not clear just what caused the widespread disruption reported in the earnings announcement. But many security experts believe the company was among the many caught up in the NotPetya ransomware outbreak last month.

Security analysts tracking NotPetya had at the time described it as a more sophisticated version of May's WannaCry global ransomware pandemic. Like WannaCry, NotPetya also attempted to spread via Server Message Block (SMB) shares using EternalBlue, a leaked exploit from the National Security Agency (NSA). Unlike WannaCry, however, NotPetya employed other methods to spread as well and was generally considered more professional and harder to eradicate than its predecessor.

Kaspersky Lab and others tracking the malware estimated that NotPetya hit at least 2,000 organizations globally including Merck, A.P. Moller-Maersk of Denmark, metal giant Evraz of Russia, and Ukraine's Boryspyl Airport.

Merck is the second major organization in recent weeks to publicly disclose a major disruption after a ransomware attack. In June, automaker Honda disclosed that it had to shutter a manufacturing plant in Sayama, Japan, for a couple of days after WannaCry infected plant floor systems at the facility. Production of some 1,000 vehicles was disrupted as a result of the shutdown.

"When it comes to ransomware and how it takes hold in every organization, nothing surprises me anymore," says Eldon Sprickerhoff, founder and chief security strategist of eSentire. "Best practice in manufacturing environments will mandate a strong network segregation stance between corporate and industrial, but the reality is that there are always access overlaps."

Such incidents highlight the need for any organization with highly sensitive networks to conduct risk assessments to identify critical assets, identify all access methods, and to identify the risks to those assets via the access methods.

They need to identify the controls they have in place to determine if they are sufficient and continuously monitor for signs of exploits and compromise, Sprickerhoff says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments
PeterL85702, User Rank: Apprentice
7/31/2017 | 7:56:10 PM
Why?
...are you still calling NotPetya ransomware?? It wasn't; it's clear from reporting all over the world that this was NEVER intended to be ransomware, but a wiper and the target was Ukrainian businesses. That Merck was impacted was probably an unintended consequence, but one that was no doubt welcomed by the attackers. After all, if Western companies do business in Ukraine, then the Russian hackers/attackers will naturally think of them as legitimate targets.
REISEN1955, User Rank: Ninja
8/1/2017 | 9:14:33 AM
Business Continuity Plan?
Ok, so they got it bad. And it could be through the update applied to an accounting program or some stupid user opening an infected email. (Security practice - all users should NOT do this EVER). I have read that some staff at Merck discovered they did not know if the backup-restore protocol worked. My view of Ransomware, at heart, is that it is so similar to a data center crash it is not funny. Local desktops should be reimaged by a variety of means - PXE Boot, GHOST or whatever. Restoration of data SHOULD be on server and NOT on user desktop. (Oh, it can be backed up easier too if on server). And thirdly the difference between encrypted files and crashed hard drive files is nil. BOTH scenarios mean you cannot get to your stuff. Merck should have had a verified, tested DR plan in place. Apparently????