Merck, a U.S.-based pharmaceutical giant, was among dozens of businesses affected by a sprawling cyberattack Tuesday, with victims across the globe facing demands to hand over a ransom or have their computer networks remain locked and inaccessible.
The widespread intrusion that hit the New Jersey-based drug company was similar to a massive ransomware attack last month that deployed a virus dubbed WannaCry. Merck also has a European presence, with an office in Ukraine, where many of the ransomware attacks were concentrated.
The extent of the Merck hack is not yet known.
Merck employees arrived at their offices Tuesday morning only to find a ransomware note on their computers. The company confirmed via Twitter soon afterward that “its network was part of a global hack.”
Employees were told to get off their computers and go home, said one scientist who works at a Merck lab in New England. “Some people looked like they had their hardware wiped — it just shut down the whole network site,” said the employee, who spoke on the condition of anonymity because she was not authorized to speak on the record.
All U.S. offices of Merck were affected, she said. “Without computers these days you can’t do anything,” the employee said. As a scientist, her instruments are connected to a computer, her data is stored on central servers, and the safety data sheets are all online. “There’s not much you can do without access,” she said. “It’s one thing to have our laptop be corrupted. We’re really hoping that all the data [in the central servers] is protected. But we don’t know that.”First of all, condolences to Merck chemists who are affected by this - this is no way to get a day off, and it sounds like it could take quite a while to get Merck systems back on line.
Second, the U.S.-led operation to interfere with the centrifuges at Natanz via a computer virus already tells us that chemically-related computer-controlled equipment can be affected by attackers. I presume that both 1) many advanced pharmaceutical manufacturing facilities have computer controls and 2) those systems are ill-prepared to deal with either random malware like Wannacry or actual direct attack*. Those of us who work in chemical manufacturing are probably already preparing, or need to start.
Finally, it seems to me that it would behoove those of us in the developed world to have a conversation about what kinds of computer-related activities are fair game for inter-state operations-other-than-war and what kinds of activities are forbidden for states (or their proxies) to participate in. Otherwise, the stakes are gonna get a lot higher than a pharmaceutical company's computers or even a nation-state's nuclear facilities - and that's not going to end well for anyone.
*I can't imagine anyone actually wanting to directly attack a pharma company's manufacturing operations, but maybe I have a limited imagination.