Threat Research Blog

Searching for the Cure: Targeted Threat Actors Pursuing the Pharmaceutical Industry

If you visit an unsafe area, you’re probably more careful about locking your doors, right? But what if it’s well publicized that you have valuables in your possession? You’d likely not only lock doors, but maybe also use a strongbox and have security in place. Knowing that you have something of value makes you a visible – and likely – mark.

It’s no different when thieves are targeting a company’s network.

That’s exactly what the pharmaceutical industry faces. And it’s a prescription for disaster.

Advanced Persistent Threat (APT) groups are targeting the pharmaceutical realm, compromising systems and stealing vital information – and perhaps putting lives at risk.

Recent reports of threat actors swiping personal data of healthcare providers’ patients reinforce what FireEye Labs researchers have been warning our customers about: the healthcare and pharmaceutical industries are data-rich goldmines for APT actors.

When we talk to our customers about targeted threats – especially threat actors backed by nation states – we urge them to consider which information assets are beneficial to targeted actors in the long haul. Nations that use cyber threat actors to achieve their objectives often have strategic healthcare initiatives that are a key indicator of compromises to come. The pharmaceutical industry falls squarely in the crosshairs: threat actors looking to improve their country’s ability to address domestic health concerns will set their sights on stealing IP related to technologies, processes and expertise.

The Symptoms

We’ve previously worked pharmaceutical company cases where we assessed that suspected nation state threat groups targeted the victims for economic espionage. In one incident we determined two China-based APT groups gained access to the environment as long as three years prior to our involvement. The threat groups accessed or compromised more than 100 of the company’s systems and installed backdoors to facilitate continued access to the victim’s network. One of the APT groups stole IP and business data from the victim, including information on bio cultures, products, cost reports and other details pertaining to the company’s operations abroad.

It’s highly probable the stolen IP and business information ultimately assisted beneficiary pharmaceutical industry companies in gaining a competitive advantage.[1] Information on cell cultures and products could allow a company to manufacture its own versions of products, or work from the victim’s findings to advance its research into a particular area while minimizing R&D outlay. Also, an organization might use information on another company’s operational costs and prices to undercut that company’s market share by offering cheaper products.

Countries could also use targeted cyber threat activity to steal data that could help with domestic health concerns. For example, during one week late last year, we saw a China-based APT group target three different companies that provide oncology treatments and services. This activity could have dovetailed with government initiatives to deal with China’s increasing cancer rates. (According to an article in the Guardian, “Cancer mortality rates in China have increased by 80% over the last thirty years, making [cancer] the nation’s leading cause of death.”[2])

The long-term strategic view – that is, identifying, analyzing and predicting targeted threat actors’ behavior – is only part of the threat intelligence picture. From an operational standpoint, our healthcare and pharmaceutical sector customers experience much of the same targeted threat activity as other industries.

We looked at malware activity directed at clients in the pharmaceutical and healthcare sectors in July and saw quite a bit of consistency across the tools used by targeted threat actors. Overall that month, APT web/file/email detections for the pharmaceutical industry slightly increased compared to the prior month. We saw over 30,000 callbacks to existing command and control infrastructure, and the sector was hit hard by various RATs. Most detections came from njRAT and XtremeRAT, on which we wrote a February blog post that included technical analysis. Because RATs can be publicly available, we noted that a wide range of threat actors use them, including targeted threat actors seeking to blend in with traditional cybercrime activity.

We suspect nation-state backed threat actors will continue to target companies in the pharmaceutical and healthcare industries for the foreseeable future, especially given the industries’ importance in both economic growth and domestic healthcare. Certainly, non-state threat actors motivated by financial gain also pose a risk. Financially motivated cybercriminals might target IP relating to drug formulation processes to facilitate the trade of counterfeit drugs, a global market that the National Association of Boards of Pharmacy estimates cost $75 billion USD in 2010.[3] Actors could breach an environment and steal information to compromise the integrity of a clinical trial. Beyond the potentially exorbitant costs to the company, there are the potential violations of privacy laws and other compliance regulations to consider. While we have not seen such a situation occur, it’s worth considering, especially as a greater understanding of potential risks is key to improving security.

[1] A recently unsealed FBI criminal complaint alleged that a Chinese national named Su Bin, along with two unnamed conspirators, colluded to conduct computer intrusions and steal data related to US military projects. The complaint gave an unusual glimpse into the mechanisms behind nation state sponsored espionage and detailed how an individual operator received targeting instructions and subsequently used those instructions to steal information. Several of the email conversations detailed in the complaint suggest that the final beneficiaries of the intrusions were Chinese state-owned companies. The FBI complaint concludes that Su and an unnamed conspirator conspired to sell the stolen aircraft information to multiple buyers, including Chinese aerospace companies, and that they sought to "match" stolen data with the most suitable buyer. We have no reason to believe that what occurred in the industry relevant to the FBI complaint is any different than the data theft flow in other industries, such as the pharmaceutical industry.

[2] Kaiman, Jonathan. “Inside China’s ‘Cancer Villages.’” The Guardian. 4 June 2013. Web. 9 July 2014.

[3] Gillette, Felix. “Inside Pfizer’s Fight Against Counterfeit Drugs.” Bloomberg LP. 17 January 2013. Web. 9 July 2014.