Hackers May Have Found a Simple Way to Steal Medtech Secrets

Nancy Crotti

December 1, 2014


A group of Wall Street-savvy hackers has attacked nearly 100 companies--mostly publicly traded biotechnology, medtech or pharmaceutical firms--in a "likely attempt to play the stock market," a Silicon Valley cyber-security firm announced Monday.

FireEye said it found that the hackers have been targeting information related to product development, M&A strategies, legal issues, and purchasing processes of the companies since at least mid-2013.

And hackers reportedly used a pretty simple strategy: Send legitimate-looking emails with insider knowledge to executives with the intent of getting them to enter their username and password on a bogus log-in page. Unlike other phishing scams, however, this ploy seems to have been perpetrated by sophisticated hackers with considerable knowledge of their targets and investment banking.

Although it declined to name the victims, FireEye said that all but three are publicly listed on the New York Stock Exchange or NASDAQ, while the others are listed on foreign exchanges, the New York Times reported.

Biotechnology firms make up half of the affected companies, while 13% sell medical devices; 12% sell medical instruments and equipment; 10% manufacture pharmaceuticals; and the rest include medical diagnostics and research organizations, healthcare providers and organizations that offer healthcare planning services, the newspaper said.

Silicon Valley-based FireEye said it detected the group, which it has named FIN4, collecting intelligence from parties who handle insider information within the companies or their advisory firms. The security firm said it has shared the information with the victims and the FBI. FireEye told Bloomberg that it could not say whether the hackers gave the data to traders or a hedge fund.

FIN4 evades detection by operating through the email accounts of company employees rather than by using malware. The hackers' "strong command of English colloquialisms, regulatory and compliance standards, and industry knowledge" indicates they may be based in the United States or Western Europe, the company's researchers believe.

FIN4 sends different emails to different groups of people--frequently including top executives; legal counsel; regulatory, risk and compliance officers; researchers; and scientists, the Times reported.

The hackers include links and attachments to redirect the recipient to a fake email login page designed to steal the victim's credentials. Then they can log in as the victim and read their email, the Times story said.

The hackers have even used fake gossip to trick some executives into clicking on links sent from apparently trusted clients. Those "clients" reveal in the linked information that an employee has disparaged the executive in an investment forum, the newspaper said.

The hackers have used previously stolen, confidential company documents to make their inquiries seem authentic, or embedded generic investment reports in their emails, the newspaper added.

FIN4 probably focuses on these medtech and healthcare organizations because their stocks can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues, FireEye explained.

Medtronic reported to the SEC in June that it had been hacked, but "we have absolutely no reason to believe there's any connection," company spokesperson Marie Yarroll said in an email. Those hackers apparently attacked from Asia, the company said at the time.

"We have no reason to believe we are involved in any way" with the FIN4 attacks, Yarroll added.

Meanwhile, Reuters in October cited a "senior official at the agency" saying Homeland Security's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, is investigating about two dozen cases of suspected medtech cybersecurity flaws. There have been no reported hacking instances, but Homeland Security officials consider the threat great enough to be working with companies to fix security vulnerabilities.

Nancy Crotti is a contributor to Qmed and MPMN.

About the Author(s)

Nancy Crotti

Nancy Crotti is a frequent contributor to MD+DI.
