Data thieves target thriving supplement industry


Recent cyberattacks on a contract lab and a contract manufacturer lay bare the risk all data-based businesses run in a globalized world where threats can come from anywhere and can potentially be motivated by factors beyond mere financial gain.

The dietary supplement industry has prospered during the pandemic crisis, something that has not gone unnoticed by data thieves.  Ad hoc work from home situations can create additional risk.

Two companies in the supplement industry that have been hit by ransomware attacks recently shared the hard lessons they learned.  Alkemist Labs, a contract lab located in Garden Grove, CA and Gemini Pharmaceuticals, a contract manufacturer located in Commack, NY were among the dietary supplement companies that have been targeted by hackers in recent weeks.  At least one other prominent manufacturer was targeted around the same time.

Alkemist: Recovery is possible, but time consuming and costly

Elan Sudberg, CEO of Alkemist Labs, said the experience of dealing with a cyber attack was a sobering one.  The company went through a period of a couple of weeks of 20-hour days to regain full functioning.

“We are fortunate that the attack happened through our IT firm and didn’t happen as a result of an employee clicking on the wrong email,” Sudberg told NutraIngredients-USA.  “So the IT firm had a responsibility to fix it.”

Sudberg said he was notified on a weekend by the IT firm that it had noticed unusual online activity connected to the lab.  It soon developed into a full-scale attack that saw all of the company’s data locked up and a ransom demand issued.

“They’re very polite and like to act all professional.  They just want the insurance company to pay up, and a lot of them do,” Sudberg said.

“From what they were asking, I could tell right away that our financial information had not been compromised,” he joked.

Sudberg said it was fortunate that Alkemist had invested in adequate and comprehensive backup, so no customer data was lost.  But the process of returning to full functioning is a painstaking one.  Every desktop, every computer connected to an analytical device had to be wiped clean—lobotomized essentially—and rebuilt from scratch.

And the process is uncertain, too.  It could last for days, or weeks, and the money clock is ticking all the time.

Such ransomware attacks are nothing new. The practice first started to come to the attention of law enforcement authorities in the mid-2000s.  In 2017, the Federal Bureau of Investigation recorded 1,784 complaints about such attacks.

Attack came suspiciously close to CofAs incident

Sudberg said his company was probably targeted as a result of being ensconced in one of the industries that was thriving during the coronavirus crisis.  Thieves go where the money is, and know that making a ransom demand on a company that is stalled by the pandemic and might be facing bankruptcy anyway is probably a nonstarter.

But he said the timing of the attack against his firm piqued the interest of federal law enforcement officials.  Sudberg had recently publicly raised issues about fraudulent certificates of analysis using his company’s name that were circulating within the industry.  The ransomware attack came suspiciously close on the heels of that incident.

“When the people at the Homeland Security Administration heard that, they really sat up in their chairs,” Sudberg said.  Any firm connection between the two is speculation at this point, he said, as the investigation is ongoing.

Gemini: Pre-existing disaster plan aided in recovery

Another company that has had to deal with a recent ransomware issue is Gemini Pharmaceuticals, a family-owned contract manufacturer serving the pharmaceutical and dietary supplement industries.

CEO Mike Finamore said his company was fortunate in having already developed a solid disaster recovery plan that included what to do in case of a ransomware attack, so few decisions needed to be taken ad hoc in the heat of the moment.  And the company had adequate internal firewalls in place so that while the thieves were able to get their cyberhands on files, they couldn’t get at what was inside those files.

“They weren’t able to open individual files, so no customer data was lost.  They were able to rename files, though, and in that way restrict access to them,” he said.

Finamore said his company’s involvement in the pharmaceutical supply chain may be what brought his firm to the attention of the cyber thieves.

“We have bad actors overseas pinging our industry, especially if you are involved with the production of certain critical APIs (active pharmaceutical ingredients),” Finamore said. “Because we were classified as an essential business we had the help of Homeland Security.”

At least one other manufacturer in the dietary supplement industry has been targeted and reportedly successfully fended off the attack.  In these three cases the companies chose to fight rather than pay up.  It’s possible other dietary supplement companies have been attacked and have made the business decision to pay the ransom and move on, something that many of them might understandably be loath to admit.

New risks as a result of pandemic

Both Sudberg and Finamore said the dislocations caused by the pandemic have raised the risk of data breaches, meaning companies have to be even more vigilant than they have been in the past.  Many employees are working from home, possibly with less secure connections, and employees are moving in and out of facilities in ways they hadn’t previously. In a way it’s like trying to keep a pet contained—the more often you open the door, the more likely the cat is to get out.

“You have to think about things like setting up an employee on that laptop that hasn’t been turned on in a couple of months.  That machine might have a worm on it set up to lay dormant and then activate after a period of months,” Finamore said.

Sudberg said even though his attack didn’t come as a result of the action of one of his employees, he plans to ramp up training to make them better able to recognize the danger and avoid it.

“We’re going to do some more training on phishing emails.  And we’re going to send out some bogus phishing emails of our own to see how effective the training has been,” Sudberg said.

Another lesson learned, Sudberg said, is that storing your backup data only on the most up-to-date equipment might be costly but is money well spent in the case of an attack.  While Alkemist was able to successfully rebuild the operating systems of all of its equipment, the process took more time than it might have if the data had been housed on faster drives.

“And our backup drives were only four or five years old,” Sudberg said.

FBI: Forewarned is forearmed

The FBI cybercrime division offers this broad advice for companies seeking to lessen their risk:

  • Prevention efforts—both in terms of awareness training for employees and robust technical prevention controls
  • The creation of a solid business continuity plan in the event of a ransomware attack.

More specific information is available on the division’s website.