
The Cure for AD: Pharma Under Attack

Active Directory is the center of an organization's identity control and of access to its resources. For the pharma industry, this means that AD holds the keys to the kingdom and must be protected at all costs. An attacker moving laterally and gaining privileges in AD could steal intellectual property, proprietary research data, and company secrets.

Production itself could be disrupted. With the growth of pharma over the first half of 2020, mergers and acquisitions are occurring at breakneck speed, and each one piles more identity concerns onto the overall security of the organization. Ensuring that AD is secured today, and stays secured as the environment grows, reduces the attack surface that currently enables so many breaches.

Target of many attackers

Pharma is a primary target thanks to the press that a successful breach generates. Attacks have changed over the years, and attackers have shifted from stealth back to making a statement. With new strains of ransomware waiting for an opportunity to spread to every computer on the network, industries like pharma are at high risk. More recently, ransomware operators have also begun stealing copies of the data before encrypting it. The stolen data is used to force payment of the ransom: if the ransom is not paid on time, the data is posted on the internet to pressure the victim.

Attackers go after companies with deep pockets. Ransomware especially targets businesses that have a lot to lose if their data is encrypted and posted. This model has been effective across many verticals, because the data that gets posted is highly sensitive and valuable to the organization. The FBI has noted that this tactic has reduced the number of ransomware attacks reported, as companies simply pay the ransom to get their data decrypted.

More recently, the U.S. Department of the Treasury has warned organizations that paying a ransom to attackers could violate U.S. sanctions. With this crackdown, a company that pays might get a double whammy: it loses the ransom and is then investigated by the Treasury.

Ransomware structure

Two years ago, email fraud attacks against pharma grew by over 200%. Ransomware attacks typically start with a phishing email, which gives the attacker a foothold on the endpoint. The email is the delivery stage of the Cyber Kill Chain and the foothold is the exploitation and installation stages, which you can see in Figure 1 and Figure 2.

Figure 1. Cyber Kill Chain of an attack.
Figure 2. Cyber Kill Chain of an attack.

Endpoints are easy targets because the computer user is often a security novice. Once the attacker has compromised the endpoint, the next goal is local administrative privileges over the computer. With so many organizations configuring users as local administrators on their own PCs, this is not even a step for the attacker. Local administrative privileges let the attacker dump cached credentials and tokens from the endpoint, and enumeration of Active Directory is simple from there, since any authenticated domain account can read most of the directory by default. Attacks on the vulnerable areas of AD are then launched so that domain privileges can be obtained and used to access data.

With pharma exposed at nearly every stage of the Cyber Kill Chain, it is no wonder attackers are going directly after it:

• Susceptible to phishing attacks
• Users are local administrators
• Active Directory keeps growing through M&A, so it is most likely not consistently secured
• Highly sensitive data and IP
• Profitable, especially during a pandemic

Special issues with Mergers and Acquisitions

M&A has always been common in the pharma space, but the demand for more pharmaceuticals during the first half of 2020 has brought an uptick in the vertical. M&A is good for many business reasons, but it is rarely good from an IT and security standpoint.

Most IT organizations fall short on documentation and ongoing maintenance of their infrastructure. So when it comes time to evaluate the infrastructure of an acquired company, it takes significant effort to learn its true current state. At a minimum, the following areas of the Active Directory infrastructure need to be evaluated and verified before any migration of a recently acquired AD domain or forest begins:

  • Privileged accounts
  • Domains, forests, and trust relationships
  • User attributes and configurations
  • Password policies and authentication technologies used
  • Group Policy use
  • Legacy protocols and technologies
  • Operating system versions
  • Patching and service pack levels
  • Cloud-based services and storage
  • Remote worker connections and security
  • Permissions on AD and Group Policy
  • Permissions on essential resources and IP
  • Permissions and access to services and applications

If this list sounds similar to how attackers have been breaching organizations, it is no coincidence.
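The overlap goes both ways: most of the checklist items live in the directory itself, and they are the same attributes an attacker enumerates from a compromised endpoint (see Ransomware structure above). As an added example that is not from the original article, the read-only PowerShell snapshot below pulls those items from an acquired domain. It assumes the RSAT ActiveDirectory module (and, optionally, GroupPolicy) on a domain-joined host, an ordinary authenticated account in that domain, and a `$Server` parameter naming the domain or one of its domain controllers; none of the queries require administrative rights.

```powershell
# Added example (not the article's code): read-only snapshot of the M&A
# checklist items that are stored in Active Directory itself.
# Assumes RSAT ActiveDirectory module; $Server (domain FQDN or DC) is an
# assumed parameter, defaulting to the domain of the current session.
[CmdletBinding()]
param(
    [string]$Server = $env:USERDNSDOMAIN
)
Import-Module ActiveDirectory -ErrorAction Stop

$report = [ordered]@{}

# Domains, forests and trust relationships: note SID filtering and TGT delegation
# per trust, both of which decide how far a compromise of one side can travel.
$report.Forest = Get-ADForest -Server $Server | Select-Object Name, ForestMode, Domains
$report.Trusts = Get-ADTrust -Filter * -Server $Server |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, TGTDelegation

# Privileged accounts: recursive membership of the built-in high-value groups
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$report.Privileged = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -Server $Server -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}

# Password policy of the domain (fine-grained policies are a separate query)
$report.PasswordPolicy = Get-ADDefaultDomainPasswordPolicy -Server $Server |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge

# User attributes attackers look for: an SPN (Kerberoastable), no Kerberos
# pre-auth (AS-REP roastable), password not required, password never expires,
# unconstrained delegation. The numbers are userAccountControl bit values.
$riskyUac = '(|(servicePrincipalName=*)' +
            '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' +   # DONT_REQ_PREAUTH
            '(userAccountControl:1.2.840.113556.1.4.803:=32)' +        # PASSWD_NOTREQD
            '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +     # DONT_EXPIRE_PASSWORD
            '(userAccountControl:1.2.840.113556.1.4.803:=524288))'     # TRUSTED_FOR_DELEGATION
$report.RiskyUsers = Get-ADUser -Server $Server -LDAPFilter $riskyUac `
        -Properties servicePrincipalName, DoesNotRequirePreAuth, PasswordNotRequired,
                    PasswordNeverExpires, TrustedForDelegation, PasswordLastSet |
    Select-Object SamAccountName, @{ n = 'HasSPN'; e = { [bool]$_.servicePrincipalName } },
        DoesNotRequirePreAuth, PasswordNotRequired, PasswordNeverExpires, TrustedForDelegation, PasswordLastSet

# Operating system versions: unsupported builds that cannot be patched
$report.LegacyComputers = Get-ADComputer -Server $Server -Properties OperatingSystem, LastLogonDate `
        -Filter 'OperatingSystem -like "*2003*" -or OperatingSystem -like "*2008*" -or OperatingSystem -like "*Windows 7*" -or OperatingSystem -like "*Windows XP*"' |
    Select-Object Name, OperatingSystem, LastLogonDate

# Legacy protocol exposure: hosts trusted for unconstrained Kerberos delegation
$report.UnconstrainedDelegation = Get-ADComputer -Server $Server -Filter 'TrustedForDelegation -eq $true' |
    Select-Object Name

# Permissions on Group Policy: who can edit each GPO (skipped without the GroupPolicy module)
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    $report.GpoEditors = Get-GPO -All -Server $Server | ForEach-Object {
        $gpo = $_
        Get-GPPermission -Guid $gpo.Id -All -Server $Server |
            Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
            Select-Object @{ n = 'GPO'; e = { $gpo.DisplayName } }, @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
    }
}

$report
```

Run it against each domain of the acquired forest before any trust is created or a migration tool is pointed at it, and reconcile the privileged and risky-user lists against account owners the acquirer actually recognizes. Anything this script can read, an attacker with a single phished domain account can read too.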

Process automation systems are no longer isolated and need to be secured

Process automation systems are another weak point in pharma. At one time these systems were air-gapped, kept separate from the corporate network. However, the need to control the automation aspects of the devices remotely and to integrate them with central authentication has created a direct pathway from the corporate network to these process automation systems.

Because they were isolated, process automation systems never needed security controls. Where the devices do have security controls, the chances of them being set to the correct level are slim, since the install and function of the device, not its security, were always the priority. In addition to not being properly secured, these devices have other security concerns:

• Devices are not domain aware, so they cannot be controlled with Group Policy
• Devices might be old and lack basic controls such as authentication and patching
• Devices are attractive targets because a denial of service against them halts production

Recent attacks have shown that attackers are going directly after production and research systems.


Pharma relies on outsourced services such as supply chain, research, and distribution. An attack on one corporation can have a dramatic effect on many more within its supply chain.

One notable example occurred in September 2020, when eResearchTechnology (ERT), a provider of clinical-trial software, was hit by a ransomware attack. The attack had a ripple effect on the contract research organization IQVIA and on sponsors such as AstraZeneca and Bristol Myers Squibb, whose COVID-19 trials depended on the affected systems.

Another case occurred in September 2020, when Universal Health Services (UHS) was taken down by ransomware. The attack crippled IT systems across its roughly 400 hospitals and behavioral health facilities in the U.S. and U.K. Of course, the biggest fear for UHS was the safety and well-being of patients in need of operations and critical medication.

Taking action to secure the infrastructure and defend against attacks

Some might feel that it is too late to act, but now is the time. It all might seem overwhelming due to the breadth and depth of security that must be considered. However, focusing on what attackers are targeting is the best place to start. Here is a set of actions that should be considered by every pharma and healthcare organization to increase security and reduce the overall risk of a successful attack:

• Ensure all systems have the latest patches
• Ensure that the core of your infrastructure, usually AD, is secured in depth
• Secure devices that were left out of past security plans
• Monitor for new security vulnerabilities and notify with real-time alerts
• Monitor in real time for attacks that enable lateral movement and privilege escalation
• Impose strict security requirements on all partners and supply chain organizations
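The monitoring bullets above are the ones most often left abstract, so here is an added example, not from the original article, of what "monitor for lateral movement and privilege escalation" looks like as concrete rules over Windows Security events. The event IDs, field meanings and the RC4 ticket indicator (encryption type 0x17) are standard Windows values; the flattened record shape, the sample records at the bottom and the thresholds are constructed assumptions to be mapped onto real `Get-WinEvent` output and tuned per environment.

```powershell
# Added example (not the article's code): three detection rules over Windows
# Security events for lateral movement and privilege escalation.
# Input records are flattened objects (Id, TimeCreated and per-event fields);
# the sample data at the bottom is constructed for illustration.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Find-SuspiciousAdActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$FanOutThreshold = 5,    # distinct hosts one account reaches ... (assumed threshold)
        [int]$WindowMinutes   = 10    # ... within this many minutes          (assumed window)
    )
    $alerts = [System.Collections.Generic.List[object]]::new()

    # Rule 1: member added to a privileged group (4728 global, 4732 local, 4756 universal)
    foreach ($e in ($Events | Where-Object { ($_.Id -in @(4728, 4732, 4756)) -and ($_.TargetGroup -in $PrivilegedGroups) })) {
        $alerts.Add([pscustomobject]@{
            Rule = 'PrivilegedGroupChange'; Time = $e.TimeCreated; Account = $e.SubjectUser
            Detail = "$($e.MemberName) added to $($e.TargetGroup)" })
    }

    # Rule 2: Kerberoasting indicator - TGS request (4769) with RC4 (0x17) for a user
    # service account; computer accounts end in '$' and krbtgt is excluded as noise
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' -and $_.ServiceName -notmatch '(\$|^krbtgt)$' })) {
        $alerts.Add([pscustomobject]@{
            Rule = 'RC4ServiceTicket'; Time = $e.TimeCreated; Account = $e.TargetUser
            Detail = "RC4 service ticket requested for $($e.ServiceName)" })
    }

    # Rule 3: lateral-movement fan-out - one account with network (3) or RDP (10)
    # logons to many distinct hosts inside a sliding time window
    $logons = $Events | Where-Object { $_.Id -eq 4624 -and ($_.LogonType -in @(3, 10)) } | Sort-Object TimeCreated
    foreach ($grp in ($logons | Group-Object TargetUser)) {
        $evts = @($grp.Group)
        for ($i = 0; $i -lt $evts.Count; $i++) {
            $windowEnd = $evts[$i].TimeCreated.AddMinutes($WindowMinutes)
            $hosts = @($evts[$i..($evts.Count - 1)] |
                Where-Object { $_.TimeCreated -le $windowEnd } |
                Select-Object -ExpandProperty Computer -Unique)
            if ($hosts.Count -ge $FanOutThreshold) {
                $alerts.Add([pscustomobject]@{
                    Rule = 'LateralFanOut'; Time = $evts[$i].TimeCreated; Account = $grp.Name
                    Detail = "$($hosts.Count) hosts in $WindowMinutes min: $($hosts -join ', ')" })
                break
            }
        }
    }
    return $alerts
}

# Constructed sample: a service account fanning SMB logons across six hosts,
# an RC4 ticket requested for a SQL service account, and then that service
# account added to Domain Admins. Names and times are made up.
$t0 = [datetime]'2020-09-27T02:00:00'
$sample = @(
    1..6 | ForEach-Object { [pscustomobject]@{ Id = 4624; TimeCreated = $t0.AddMinutes($_); TargetUser = 'svc_backup'; LogonType = 3; Computer = "LAB-PC0$_" } }
    [pscustomobject]@{ Id = 4624; TimeCreated = $t0.AddMinutes(3);  TargetUser = 'jdoe'; LogonType = 10; Computer = 'LAB-PC07' }
    [pscustomobject]@{ Id = 4769; TimeCreated = $t0.AddMinutes(4);  TargetUser = 'jdoe'; ServiceName = 'svc_sql';   TicketEncryptionType = '0x17' }
    [pscustomobject]@{ Id = 4769; TimeCreated = $t0.AddMinutes(4);  TargetUser = 'jdoe'; ServiceName = 'LAB-PC07$'; TicketEncryptionType = '0x12' }
    [pscustomobject]@{ Id = 4728; TimeCreated = $t0.AddMinutes(12); SubjectUser = 'jdoe'; MemberName = 'svc_backup'; TargetGroup = 'Domain Admins' }
)
Find-SuspiciousAdActivity -Events $sample | Format-Table -AutoSize
```

On the sample data the function returns three alerts: the fan-out by svc_backup, the RC4 ticket for svc_sql, and the Domain Admins change by jdoe; the RC4 ticket for the computer account and jdoe's single RDP logon are correctly ignored. For live use, feed it records built from `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4728, 4732, 4756, 4769 }`, mapping each event's `Properties` values to the field names above (the index of each field differs per event ID). Note that 4769 and the group-change events are written on domain controllers, while 4624 is written on the host being logged on to, so the fan-out rule only works if member server and workstation logs are forwarded centrally.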


It is unfortunate that pharma and healthcare are being targeted in these trying times. The only remedy is to act now to secure the infrastructure and reduce the attack surface. Security is no longer nice to have; it is required. Breaking the paths that attackers use to infiltrate our networks lets us focus on the most immediate need, which is Active Directory and every component that relies on the security of AD. Securing AD is possible, with the correct tools and action plans.
