Merck left the door open to a devastating cyberattack, missing two chances to raise a defense
Merck missed two critical opportunities earlier this year to inoculate themselves from the vicious cyberattack they suffered this week, roiling operations and raising questions about their lack of preparation to defend themselves.
The June 27 “Petya/NotPetya” cyberattack hit the multinational Merck and several other companies, such as the law firm DLA Piper, shipping giant Maersk, and even a West Virginia hospital, which was forced to scrap its electronic medical records in favor of paper.
The core technology in Petya is called ETERNALBLUE and it was developed by American spy agencies, the Washington Post previously reported. Obviously, it was never intended for wide distribution. It relied on bugs in Windows that Microsoft presumably wasn’t aware of until earlier this year, when a group of still-unknown hackers calling themselves ShadowBrokers allegedly broke into the US NSA and demanded payment in exchange for not releasing the ultra-secret exploits.
The stolen tools were eventually dumped on the internet.
In March, Microsoft quickly issued a critical bulletin advising IT administrators of the precise steps needed to patch their systems to prevent hackers, ranging from the state-sponsored to lone wolves, from using the ETERNALBLUE technology to gain unauthorized access to their networks. Experts recommend that critical bulletins be installed immediately, unlike merely recommended ones, which large companies sometimes test out before deploying to a large network.
Then in May, the first global attack based on this exploit, dubbed WannaCry, spread widely, notably shutting down sixteen hospitals in the UK.
Microsoft issued yet another patch in the aftermath and, along with the most prominent security firms worldwide, began pleading with companies to immediately apply these crucial patches to prevent unauthorized access to private networks.
So after continuous warnings from Microsoft starting in March, with two critical software updates, and a global cyberattack in May which showed the potential impacts on the healthcare industry, Merck still neglected to update their systems.
Repeated attempts to contact Merck have been unsuccessful.
UPDATE 7:42p ET: A Merck spokesperson sent Endpoints News the following statement:
We have made good progress in our response to the June 27 global cyber attack. We have implemented business continuity plans and continue to ship orders and meet patients’ needs.
We and our external partners see no indication that the company’s data have been compromised.
Government authorities working with us have confirmed that the malware responsible for the attack contained a unique combination of characteristics that enabled it to infect company systems despite installation of recent software patches.