EMA warns over doctored COVID-19 vaccine data hacked and leaked online

The European Medicines Agency (EMA) has warned that information on COVID-19-related medicines and vaccines, which was stolen in a cyberattack last December and leaked online earlier this week, includes correspondence that’s been manipulated prior to publication “in a way which could undermine trust in vaccines”.

It’s not clear exactly how the information — which includes schematics of drug structures and correspondence relating to evaluation processes for COVID-19 vaccines — has been doctored.

We’ve reached out to the agency with questions.

One security researcher, Lukasz Olejnik, who has raised concerns about the leak via Twitter, suggested the doctored data will be “perfect for sowing distrust” because the biotechnical language involved in the leaked correspondence will not be widely accessible.

Equally, it also seems possible that the high bar of expertise required to properly parse the data could limit how much damage the manipulated versions can do by limiting their viral appeal.

But it’s notable the EMA has raised concerns over the risk to trust in coronavirus vaccines.

“Two EU marketing authorisations for COVID-19 vaccines have been granted at the end of December/beginning of January following an independent scientific assessment,” the EMA writes in the latest update on the hack.

“Amid the high infection rate in the EU, there is an urgent public health need to make vaccines available to EU citizens as soon as possible. Despite this urgency, there has always been consensus across the EU not to compromise the high-quality standards and to base any recommendation on the strength of the scientific evidence on a vaccine’s safety, quality and efficacy, and nothing else.

“EMA is in constant dialogue with the EC, and other regulators across the network and internationally. Authorisations are granted when the evidence shows convincingly that the benefits of vaccination are greater than any risks of the vaccine. Full details of the scientific assessments are publicly available in the European Public Assessment Reports on EMA’s website,” it adds.

At the time of writing, a criminal investigation into the cyberattack remains ongoing.

The attack has not been attributed to a specific hacking group or state actor and there’s no confirmation of who is responsible for trying to sew coronavirus-related disinformation by seeding doctored medical documents online.

However, last November Microsoft warned that hackers backed by Russia and North Korea had targeted pharmaceutical companies involved in the COVID-19 vaccine development efforts.

Back in June, the European Commission also raised concerns about the risks of coronavirus vaccine disinformation spreading in the coming months — simultaneously name-checking China and Russia as foreign entities it said it had confirmed as being behind state-backed disinformation campaigns targeting the region.

So suspicion seems likely to fall on the usual “hostile suspect” states.

We’ve seen similar “doctored leak” tactics attributed to Russia before — typically related to attempts to interfere with elections by smearing candidates for high political office.

Researchers have suggested that the hackers responsible for the 2015-16 breaches of the Democratic National Committee’s network snuck doctored data into the leaked emails — an attack that was subsequently attributed to Russia.

While, more recently, there was the infamous “Hunter Biden” laptop incident — which supporters of president Trump sought to leverage against his challenger for the White House (now president-elect) in last year’s presidential race.

In that case, any disinformation punch fizzled out amid a raft of dubious claims around the finding and timing of the claimed data cache (along with much greater general awareness about the risk of digital fake smear tactics in political campaigns in the wake of revelations about the scale of Russia’s social media influence disops in the 2016 U.S. presidential election).

In an earlier incident, from 2017, emails linked to the French president Emmanuel Macron’s election campaign also leaked online shortly before the vote — coinciding with a document dump on an internet forum that suggested the presidential frontrunner had a secret bank account in the Cayman Islands. A claim Macron’s political movement said was fake.

While in 2019 Reddit also linked to a suspected Russian political influence operation account activity involving the leak and amplification of sensitive U.K.-U.S. trade talks on its platform during the U.K. election campaign.

It’s not clear whether that leaked trade dossier had been doctored or not (it was heavily redacted). And it certainly did not deliver a landslide election win to Jeremy Corbyn’s Labour Party — which used the leaked data in its campaign. But a similar, earlier operation which was also attributed to Russia had involved the leak of fake documents on multiple online platforms. (That disinformation operation was identified and taken down by Facebook in May 2019.)

The emergence of leaks of doctored medical data linked to COVID-19 vaccines and treatments looks like a troubling evolution of hostile cyber disops which seek to weaponize false data to generate unhelpful outcomes for others — as there’s a direct risk to public health if trust in vaccine programs are undermined.

There have been state-level hacks targeting medical data before too — albeit without the pandemic-related backdrop of an ongoing public health emergency.

Back in 2016, for example, the World Anti-Doping Agency confirmed that confidential medical data related to the Olympic drug tests of a number of athletes had been leaked by the Russia-linked cyber hacking group, ‘Fancy Bear”. In that case there were no reports of the data being doctored.