Rivals China and India have both sold or gifted COVID-19 shots to many countries. India produces more than 60% of all vaccines sold in the world.
Goldman Sachs-backed Cyfirma, based in Singapore and Tokyo, said Chinese hacking group APT10, also known as Stone Panda, had identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India (SII), the world’s largest vaccine maker.
“The real motivation here is actually exfiltrating intellectual property and getting competitive advantage over Indian pharmaceutical companies,” said Cyfirma Chief Executive Kumar Ritesh, formerly a top cyber official with British foreign intelligence agency MI6.
He said APT10 was actively targeting SII, which is making the AstraZeneca vaccine for many countries and will soon start bulk-manufacturing Novavax shots.
“In the case of Serum Institute, they have found a number of their public servers running weak web servers, these are vulnerable web servers,” Ritesh said, referring to the hackers.
Frequently Asked Questions
A vaccine works by mimicking a natural infection. A vaccine not only induces immune response to protect people from any future COVID-19 infection, but also helps quickly build herd immunity to put an end to the pandemic. Herd immunity occurs when a sufficient percentage of a population becomes immune to a disease, making the spread of disease from person to person unlikely. The good news is that SARS-CoV-2 virus has been fairly stable, which increases the viability of a vaccine.
There are broadly four types of vaccine — one, a vaccine based on the whole virus (this could be either inactivated, or an attenuated [weakened] virus vaccine); two, a non-replicating viral vector vaccine that uses a benign virus as vector that carries the antigen of SARS-CoV; three, nucleic-acid vaccines that have genetic material like DNA and RNA of antigens like spike protein given to a person, helping human cells decode genetic material and produce the vaccine; and four, protein subunit vaccine wherein the recombinant proteins of SARS-COV-2 along with an adjuvant (booster) is given as a vaccine.
Vaccine development is a long, complex process. Unlike drugs that are given to people with a diseased, vaccines are given to healthy people and also vulnerable sections such as children, pregnant women and the elderly. So rigorous tests are compulsory. History says that the fastest time it took to develop a vaccine is five years, but it usually takes double or sometimes triple that time.
“They have spoken about weak web application, they are also talking about weak content-management system. It’s quite alarming.”
China’s foreign ministry did not reply to a request for comment.
SII and Bharat Biotech declined to comment. The office of the director-general of the state-run Indian Computer Emergency Response Team (CERT) said the matter had been handed to its operations director, S.S. Sarma.
Sarma told Reuters CERT was a “legal agency and we can’t confirm this thing to media”.
Cyfirma said in a statement it had informed CERT authorities and that they had acknowledged the threat.
“They checked and they came back,” Cyfirma said. “Our technical analysis and evaluation verified the threats and attacks.”
The U.S. Department of Justice said here in 2018 that APT10 had acted in association with the Chinese Ministry of State Security.
Microsoft said here in November that it had detected cyber attacks from Russia and North Korea targeting COVID-19 vaccine companies in India, Canada, France, South Korea and the United States. North Korean hackers also tried to break into the systems of British drugmaker AstraZeneca, Reuters here has reported.
Ritesh, whose firm follows the activities of some 750 cyber criminals and monitors nearly 2,000 hacking campaigns using a tool called DeCYFIR, said it was not yet clear what vaccine-related information APT10 may have accessed from the Indian companies.
Bharat Biotech’s COVAXIN shot, developed with the state-run Indian Council of Medical Research, will be exported to many countries, including Brazil.
U.S. drugmaker Pfizer Inc and its German partner BioNTech SE said in December that documents related to development of their COVID-19 vaccine had been “unlawfully accessed” in a cyberattack on Europe’s medicines regulator.
Relations between nuclear-armed neighbours China and India soured last June when 20 Indian and four Chinese soldiers were killed in a Himalayan border fight. Recent talks have eased tension.