Wednesday, June 28, 2017

It happened to Natanz, it happened to Merck, it's coming for all of us

I learned about this via Twitter, but here it is in the Washington Post: 
Merck, a U.S.-based pharmaceutical giant, was among dozens of businesses affected by a sprawling cyberattack Tuesday, with victims across the globe facing demands to hand over a ransom or have their computer networks remain locked and inaccessible. 
The widespread intrusion that hit the New Jersey-based drug company was similar to a massive ransomware attack last month that deployed a virus dubbed WannaCry. Merck also has a European presence, with an office in Ukraine, where many of the ransomware attacks were concentrated. 
The extent of the Merck hack is not yet known. 
Merck employees arrived at their offices Tuesday morning only to find a ransomware note on their computers. The company confirmed via Twitter soon afterward that “its network was part of a global hack.” 
Employees were told to get off their computers and go home, said one scientist who works at a Merck lab in New England. “Some people looked like they had their hardware wiped — it just shut down the whole network site,” said the employee, who spoke on the condition of anonymity because she was not authorized to speak on the record. 
All U.S. offices of Merck were affected, she said. “Without computers these days you can’t do anything,” the employee said. As a scientist, her instruments are connected to a computer, her data is stored on central servers, and the safety data sheets are all online. “There’s not much you can do without access,” she said. “It’s one thing to have our laptop be corrupted. We’re really hoping that all the data [in the central servers] is protected. But we don’t know that.”
First of all, condolences to Merck chemists who are affected by this - this is no way to get a day off, and it sounds like it could take quite a while to get Merck systems back on line.

Second, the U.S.-led operation to interfere with the centrifuges at Natanz via a computer virus already tells us that chemically-related computer-controlled equipment can be affected by attackers. I presume that both 1) many advanced pharmaceutical manufacturing facilities have computer controls and 2) those systems are ill-prepared to deal with either random malware like Wannacry or actual direct attack*. Those of us who work in chemical manufacturing are probably already preparing, or need to start.

Finally, it seems to me that it would behoove those of us in the developed world to have a conversation about what kinds of computer-related activities are fair game for inter-state operations-other-than-war and what kinds of activities are forbidden for states (or their proxies) to participate in. Otherwise, the stakes are gonna get a lot higher than a pharmaceutical company's computers or even a nation-state's nuclear facilities - and that's not going to end well for anyone.

*I can't imagine anyone actually wanting to directly attack a pharma company's manufacturing operations, but maybe I have a limited imagination. 


  1. Sabotage has been around for thousands of years. I'm not sure why this is so different from poisoning a town's well.

  2. Theme Songs:

    "Don't Talk to Strangers" - Rick Springfield
    "I'm Down" - The Beatles
    "Secret Agent Man" - Johnny Rivers
    "Back in the USSR" - The Beatles
    "Shut Down" - The Beach Boys

    1. And I imagine "Cover it with gas and set fire" by Ween would be most people's reactions

  3. Even if nation-states recognize limits on what they and their assignees are willing to do with computer attacks, it's unlikely that people without a nation-state or nihilists/terrorists/people with a species-wide death wish will be bound by such strictures, and the weapons are likely easier to get than nukes or biological or chemical weapons (though those are probably available and so their lack of use may imply that other reasons exist for their lack of use). I think drones probably have some of the same problems, and I don't think we've been willing to contemplate limits on their use.


looks like Blogger doesn't work with anonymous comments from Chrome browsers at the moment - works in Microsoft Edge, or from Chrome with a Blogger account - sorry! CJ 3/21/20