Russian and Chinese hackers gained access to EMA

Last year, the European Medicines Agency (EMA) was hacked by a Russian intelligence agency and a Chinese espionage group. The Russians gained access to EMA’s internal network by exploiting a setting in the authentication system that allowed them to abuse the two-step verification, as research by de Volkskrant has shown.

Huib Modderkolk
EMA office in Amsterdam, the Netherlands. Image: Freek van den Bergh / de Volkskrant

In early December, the EMA made it known it had been the victim of a ‘cyber-attack’, and announced a thorough investigation in collaboration with criminal investigation agencies. Specialists from the European safety authority CERT-EU as well as the Team High-Tech Crime of the Dutch police are involved. Via various media it transpired that the hackers had gained access to documents from Pfizer/BioNTech and that these hackers were probably members of foreign intelligence agencies.

Dozens of internal documents and emails of the EMA appeared on Internet forums. According to the EMA the documents had been tampered with, which makes it likely that this was a disinformation campaign aimed at spreading doubts about admission procedures and safety of the vaccines.

Some of the people concerned – who wish to remain anonymous as they are not allowed to speak with the media – have stated that as early as the spring of 2020 the EMA had already been targeted by Chinese hackers. These hackers succeeded in hacking a German university and in gaining access to EMA networks, among other targets. The EMA denies this, but sources assume that the Chinese were successful at least to some degree and that the hack continued for months. In the autumn new attacks followed when Russian hackers targeted various medical organisations in Europe. They sent selected EMA employees emails that appeared to be from a colleague (spear phishing). When an employee clicked on one of these, they activated malware (an implant).

This made it possible for the Russians to intercept email traffic. Because the EMA has secured their internal network with two-step verification, the hackers didn’t gain further access at first. That changed when they saw a zip file being sent via email. This zip file contained a token for a new user. Before new employees can access the system, they need to turn on two-step verification. EMA then sends a token to an email address. The employee opens this email message, enters a username and password, thereby linking a device – in this case an app on a mobile phone – for two-step verification. The app then generates a unique access code.

The Russians noticed this file, intercepted it, and linked it to their own device. At that point the system should have issued an error message: it should not be possible to use multiple tokens for one and the same user. However, sources say that the EMA had disabled this option, thereby making it vulnerable to abuse. No one noticed that an employee was logging in from multiple devices. The various firewalls at the EMA didn’t flag any suspicious attempts to log in either.

The hackers cleverly hid their own IP address and for weeks on end, and certainly for more than a month, they could log in without being noticed. According to sources, they were not so much interested in the technique of the Pfizer/BioNTech and Moderna vaccines, but more in which countries were buying them and in what quantities. ‘Classical economic espionage’, says one source, which makes it likely that hackers of Russia’s foreign intelligence agency SVR were responsible, rather than those of the military branch GROe.

Eventually, the hack was discovered during an internal audit. When looking at log files, a system manager noticed that a certain EMA employee regularly logged on to the network outside of office hours. According to a statement by EMA the hackers had had access to ‘a limited number of documents of third parties’. In view of the extended period during which the hackers remained unnoticed, one wonders what the EMA means by ‘limited’. The organisation has not responded to questions from de Volkskrant.
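As an added illustration that is not part of the article and not the EMA's own tooling, the two signals described above, a user who has more than one second-factor device enrolled and successful logins outside office hours, can be checked over authentication logs. The log format and all entries are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real EMA logs): an enrollment of a second
# device from an external address, followed by night-time logins from it.
LOG_LINES = """
2020-10-05T09:12:03 MFA_ENROLL user=jdoe device=phone-app-1 ip=10.0.0.21
2020-10-05T09:14:40 LOGIN user=jdoe device=phone-app-1 ip=10.0.0.21 result=ok
2020-10-06T18:02:11 MFA_ENROLL user=jdoe device=phone-app-2 ip=198.51.100.7
2020-10-06T23:47:55 LOGIN user=jdoe device=phone-app-2 ip=198.51.100.7 result=ok
2020-10-07T08:30:00 LOGIN user=asmith device=phone-app-9 ip=10.0.0.33 result=ok
2020-10-08T02:15:21 LOGIN user=jdoe device=phone-app-2 ip=198.51.100.7 result=ok
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")

def parse(line):
    """Turn one 'timestamp EVENT key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["event"] = m.group("event")
    return fields

def find_multi_device_enrollments(lines, limit=1):
    """Users with more than `limit` distinct second-factor devices enrolled.
    This is the condition the article says should have raised an error."""
    devices = defaultdict(set)
    for f in filter(None, map(parse, lines)):
        if f["event"] == "MFA_ENROLL":
            devices[f["user"]].add(f["device"])
    return {u: sorted(d) for u, d in devices.items() if len(d) > limit}

def find_off_hours_logins(lines, start=7, end=19):
    """Successful logins outside the [start, end) office-hour window,
    the pattern the system manager noticed during the audit."""
    hits = []
    for f in filter(None, map(parse, lines)):
        if f["event"] == "LOGIN" and f.get("result") == "ok":
            if not (start <= f["ts"].hour < end):
                hits.append((f["user"], f["device"], f["ts"].isoformat()))
    return hits
```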

Why the hackers decided to publish some of these documents is not known. Their motive may have been to create confusion. The documents, which de Volkskrant has seen, have appeared in several places, including on a Russian Internet forum where they were published under the title ‘Evidences of BIG DATA SCAM of Pfizer’s vaccines’. They contained confidential emails, documents from the evaluation process, comments by EMA employees, and from communication with the EU in November. They showed that the EMA felt pressure from the European Committee to authorise vaccines as quickly as possible, in any case not much later than the American FDA. According to the EMA, discussions with the Committee were ‘tense, and at times somewhat unpleasant’. The EMA claimed that the documents had been tampered with, but has provided no details about what exactly had been changed. Later it turned out that the documents were indeed authentic, but that excerpts from various emails were combined and that the Russians had sometimes added titles of their own.

Sources do not think that the leaking itself was the main purpose of the operation. The Russian hackers seemed particularly interested in the European vaccination strategy and in information about which vaccines the various countries were buying. Russia has its own trump card with the Sputnik vaccine and will want to sell it as widely as possible. The EMA announced this week that they started the evaluation process of Sputnik for use in the European Union. A spokesperson of CERT-EU says that they are ‘closely monitoring’ the situation and that they are in touch with the EMA and criminal investigation agencies. During the criminal investigation by the Dutch police, the Department of Justice declines to discuss the content of the matter. The Dutch civil intelligence agency AIVD too says that it ‘cannot comment’ on the hack.
