Hackers manipulated stolen data related to coronavirus vaccines before publishing it on the dark web, according to the European Medicines Agency. It was a tactic that cybersecurity analysts say aims to sow mistrust and confusion.
The Amsterdam-based agency, which regulates human and animal medicinal products in the European Union, disclosed a cyberattack on Dec. 9 in which information including email correspondence about a Covid-19 vaccine developed by Pfizer Inc. and BioNTech SE was stolen before the EMA’s approval of the drug on Dec. 21.
A spokeswoman for the EMA said in an email that hackers published some correspondence “not in its integrity and original form and/ or with comments or additions by the perpetrators.” She declined to comment on the content of the documents or authors of the emails. CERT-EU, a Brussels-based EU office that helps the bloc’s public agencies deal with cyberattacks, said in an email that it is helping the EMA investigate and respond to the breach.
BioNTech and Pfizer didn’t respond to requests for comment. BioNTech said last month that it learned from the EMA that hackers accessed documents related to its vaccine. The company said it wasn’t aware of data exposure that could identify study participants.
Around 55 leaked files with screenshots of email conversations, PowerPoint presentations and other documents from Pfizer, the EMA and other EU officials were posted on two dark web forums, said Nicola Bressan, chief technology officer of Var Group SpA’s Yarix Srl, an Italian cybersecurity company that reported finding the data this month.
One post was published first on a Russian-language darknet forum, followed by another on an English-language forum.
Among the files in the leak, according to documents viewed by WSJ Pro Cybersecurity, are those with names related to peer reviews, meeting notes and analysis regarding the vaccine, and responses to queries from regulators.
Some of the leaked correspondence related to the timing of the EMA’s vaccine approvals and referred to the U.S. Food and Drug Administration clearing the drugs quickly because of pressure from the Trump administration, Mr. Bressan said. Titles of the posts referred to fraud and fake vaccines, he said. EU lawmakers have criticized the EMA for approving vaccines more slowly than U.S. or U.K. regulators.
“It’s obvious that this kind of information, whether it was manipulated or not, has the intention to undermine the credibility of the vaccine,” Mr. Bressan said.
Mr. Bressan said there were no obvious signs the data had been changed, such as incorrect grammar or visibly manipulated documents. Mr. Bressan said he hasn’t been in contact with the EMA but informed the Italian postal police about the leaks.
Disinformation campaigns can damage companies’ share prices and reputations. While rare, documents containing misleading information have been published after hacks, such as when medical records were posted online after a cyberattack on the World Anti-Doping Agency in 2016 that sought to damage the reputations of some U.S. athletes.
U.S. intelligence authorities said in May that Chinese and Iranian hackers were targeting companies developing coronavirus vaccines. Cyberattacks originating in Russia and North Korea also targeted online accounts of seven companies researching virus drugs and vaccines, according to Microsoft Corp. The countries have consistently denied involvement in such cyberattacks.
The spread of manipulated vaccine data could undermine public acceptance of the drugs, said Benedict Hamilton, managing director at Kroll Business Intelligence and Investigations, a unit of consulting firm Duff & Phelps.
Dietram Scheufele, the Taylor-Bascom chair in science communication at the University of Wisconsin-Madison, said that scientists already must counter misinformation on Covid-19 vaccines. Manipulated data only makes that job harder, he said.
“It’s probably the worst possible time to deal with something like this,” he said.
Skepticism about coronavirus vaccines varies among European countries. France has a particularly low rate of acceptance, with a December Ipsos poll indicating that only 40% of the population wants to receive the vaccine.
Complex data about pharmaceuticals is an easy target for disinformation because it is difficult for nonexperts to understand, said Lukasz Olejnik, an independent cybersecurity researcher and former adviser to the International Committee of the Red Cross. “If someone was a skeptic already, they may simply assume that since the data was leaked, it definitely must contain something notable,” he said.
The information was later posted on a popular forum known for data leaks and that is accessible via the regular internet, said Kurtis Minder, chief executive of cybersecurity company GroupSense Inc.
Fighting hackers intent on spreading disinformation is difficult and attackers could also try to manipulate data while still inside a victim’s network, said Sven Herpig, director for international cybersecurity policy at Berlin-based think tank Stiftung Neue Verantwortung.
It is crucial to respond quickly and publicly refute false information, Mr. Hamilton said. Investigating a disinformation campaign can take time, he said, “at which point the damage has already been done.”
Write to Catherine Stupp at [email protected] and James Rundle at [email protected]
