Russian spies had access to EMA systems for four months in 2020 hack: report
Russian attackers were behind the hack of the European Medicines Agency (EMA) in 2020. They had “unauthorized access to knowledge of COVID-19 vaccines and personal correspondence” for at least four months. The Dutch police warned the rest of Europe in 2021 that these attackers may have access to other European institutions, but nothing was done with that warning, the Volkskrant reports based on its own research.
The EMA discovered the hack on 1 December 2020. A suspicious login on its network at 2:00 a.m. and an attempt to download the entire database of passwords and usernames of EMA employees set off an alarm. The European agency alerted CERT-EU, the European agency that assists institutions with digital incidents, and the Dutch police. The Dutch police’s Team High Tech Crime launched an investigation.
In mid-December 2020, specialists from Team High Tech Crime discovered traces of attackers on the EMA network that go back at least four months before the hack was discovered. “From 30 July 2020,” the police found traces of “highly confidential documents” being consulted at night. According to the police, the hackers had “unauthorized access to knowledge of COVID-19 vaccines and personal correspondence.” Despite a public denial by pharmaceutical companies Moderna and BioNTech, the documents contained “data from test subjects for the vaccines.”
On 30 December 2020, a Russian message appeared on the dark web with a link to the stolen EMA documents.
After further investigation, the Dutch police experts traced the break-in to two temporary workers at the EMA. More worrying still, both worked for the same Greek IT service provider, UniSystems, a large company that provides IT services throughout Europe to telecom companies, energy companies, financial institutions, and many EU institutions. UniSystems’ customers include Europol, the European Aviation Authority, the Council of Europe, and the European Chemicals Agency.
The investigators immediately realized what the implications were, according to the Volkskrant. The attackers probably had access to UniSystems’ systems and through that to countless other European organizations. The police contacted their counterparts in Greece to investigate the Greek company, but that only led to frustration.
By May 2021, the police had still received no response from the Greek authorities, but remained convinced that the cyber threat around UniSystems “had not been eliminated,” the Volkskrant reported from another police request sent to the Greek police. The Dutch investigators asked their Greek counterparts to enable “digital forensic investigation” at UniSystems where “several digital doors are probably still open to hackers.”
By July 2021, the police had given up on getting a response from their Greek colleagues. After some deliberation, they sent their conclusions to CERT-EU and the Netherlands’ National Cyber Security Center.
Neither the police nor the Public Prosecution Service (OM) received a response, a police spokesperson told the Volkskrant.
