Russian hackers were allegedly in the Ema system for weeks


Who hacked the drug agency Ema, which is testing corona vaccines in the EU? And what was the goal of the attacker(s)? These questions have been discussed since mid-December.

At that time, the agency made public that it had been the target of a cyber attack, but it did not reveal any details. It then became known through the media that the hackers had gained access to vaccine documents from the Mainz company Biontech during their attack. A few days later, the Ema itself said that “a limited number of documents belonging to third parties had been illegally viewed”.

The Dutch newspaper “de Volkskrant” has now published an extensive investigation of the case, based on unnamed sources close to the investigation. According to their information, it was apparently Russian hackers who first managed to gain insight into Ema’s e-mail traffic by means of forged e-mails in the fall.

Into the system via e-mail

In those e-mails, the attackers at some point came across a message that was supposed to activate two-factor authentication for a new user, it is said. The hackers used this discovery to connect their own device to the Ema system. Due to a certain technical setting, it was now possible for both the actual new user and the hackers to log in. That weak point in the security system had serious consequences.

After their successful penetration, the hackers are said to have had unnoticed access to the drug authority’s system for weeks, even more than a month, writes “de Volkskrant”. As its sources told the newspaper, the attackers are said to have been less interested in the vaccines from companies like Biontech themselves. Rather, they wanted to know which countries were buying them and in what quantities, it is said. “Classic industrial espionage,” one of the sources is quoted as saying.

In the course of the attack, internal Ema documents ended up on the internet, including combined extracts of captured e-mails. This could be part of a disinformation campaign aimed at undermining trust in Ema, the EU or the safety of vaccines.

However, the insiders suspect that the leak was not the main goal of the operation. The article suggests that the Russian hackers were more interested in the European vaccine strategy. That focus would make sense insofar as Russia has developed Sputnik V, its own vaccine, which it also offers to other countries.

Allegedly just one of two major incidents

As early as December, there were indications from investigators that state actors could be behind the attack. At the time, however, it was said that it was still unclear which state could be responsible.

Another serious cyber attack on Ema is said to have already occurred in spring 2020, writes “de Volkskrant”: According to some sources, Chinese spies gained access to the Ema system by attacking a German university. The exact extent of that attack is unclear, however, and Ema itself denies the incident.

The drug authority has not yet commented on the details that “de Volkskrant” has now published on the alleged Russian attack. A SPIEGEL request on the subject went unanswered on Saturday. The agency only confirmed to the Reuters news agency that criminal investigations into the hack, in which Ema itself was also involved, are still ongoing.

The Russian Foreign Ministry has not yet commented to Reuters on the allegations that the attackers were working on behalf of Russia. Moscow regularly denies involvement in hacker attacks.

Incidentally, the Ema hack is said to have been exposed after a few weeks when a system administrator at the agency checked log data. He noticed that a certain employee regularly logged into the network outside of office hours, it is said.
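
The log review described above can be sketched as follows. This is an added illustration, not code from the article or from Ema: it flags accounts whose second factor is satisfied by more than one device and accounts that regularly log in outside office hours. The log format, user and device names, office hours and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the incident):
# timestamp, user, id of the device that satisfied the second factor.
SAMPLE_LOG = """\
2020-11-02T09:14:00 alice dev-A1
2020-11-02T10:02:00 newuser dev-N1
2020-11-03T02:41:00 newuser dev-X9
2020-11-03T09:30:00 newuser dev-N1
2020-11-04T23:55:00 newuser dev-X9
2020-11-05T03:10:00 newuser dev-X9
2020-11-05T19:20:00 alice dev-A1
2020-11-07T11:00:00 bob dev-B1
"""

OFFICE_START, OFFICE_END = 8, 18  # assumed office hours (local time)
MIN_OFF_HOURS = 3                 # assumed threshold for "regularly"

def is_off_hours(ts):
    """True on weekends or outside the assumed office hours."""
    return ts.weekday() >= 5 or not (OFFICE_START <= ts.hour < OFFICE_END)

def review_logins(log_text):
    """Return {user: [reasons]} for accounts that deserve a closer look."""
    devices = defaultdict(set)    # user -> second-factor devices seen
    off_hours = defaultdict(int)  # user -> count of off-hours logins
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        stamp, user, device = parts
        devices[user].add(device)
        if is_off_hours(datetime.fromisoformat(stamp)):
            off_hours[user] += 1
    findings = {}
    for user, seen in devices.items():
        reasons = []
        if len(seen) > 1:
            reasons.append("multiple second-factor devices: " + ", ".join(sorted(seen)))
        if off_hours[user] >= MIN_OFF_HOURS:
            reasons.append(f"{off_hours[user]} logins outside office hours")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in review_logins(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

On the constructed sample only the account "newuser" is flagged, for both reasons; a single late login or one weekend session does not reach the threshold.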