Merck hack part of a massive global attack

The Merck facility in Upper Gwynedd Township.

A massive ransomware attack Tuesday took down computers across the globe, including the systems of the pharmaceutical firm Merck & Co., which has extensive operations in the Philadelphia area.

The attack was detected at computers in Merck facilities in Pennsylvania and New Jersey around 8 a.m., and the company acknowledged it a few hours later.

“We confirm our company’s computer network was compromised today as part of global hack,” the statement said.

The attack on Merck was part of a larger digital assault worldwide. The Danish shipping giant Maersk said its computers had been infected in multiple locations, while the food company Mondelez and others said they had been hit.

The French construction materials company Saint-Gobain, whose North American headquarters are in Malvern, said it was forced to isolate “our information technology systems to protect our data,” a spokeswoman wrote.

The global law firm DLA Piper, which has an office in Philadelphia, was also victimized. “We are taking steps to remedy the issue as quickly as possible,” DLA said.

Also hit was the Heritage Valley Health System, a two-hospital chain in Western Pennsylvania, which made “operational adjustments to ensure safe patient care continues unimpeded,” a spokeswoman said.

As word of the attack spread, businesses and other entities took steps to protect themselves. Mark McCreary, chief privacy officer and a partner at the Fox Rothschild firm in Center City, said that lawyers and staff had been warned not to open suspicious emails.

“The best we can do is tell people to be careful,” McCreary said.

The damage appeared to be worst in Ukraine, which first reported Tuesday’s cyberattacks, saying they targeted government ministries, banks, utilities, and companies and demanded ransoms from government employees in the cryptocurrency bitcoin.

The virus even hit systems monitoring radiation at the former Chernobyl nuclear power plant, where computers running Microsoft Windows were temporarily knocked offline.

By late Tuesday morning, reports of cyberattacks had spread as far as India and the United States.

Cybersecurity experts zeroed in on a form of ransomware, programs that hold data hostage by encrypting it and making it unusable until a payment is made.

The hack’s scale and the use of ransomware recalled the massive May cyberattack in which hackers likely linked to North Korea disabled computers in more than 150 nations using a flaw that was once incorporated into the National Security Agency’s surveillance tool kit. That attack used the vulnerability called WannaCry to install ransomware.

Tuesday’s attacks used a different form of ransomware similar to a virus called Petrwrap or Petya, said Costin Raiu, director of the global analysis team at Kaspersky Lab in Moscow.

Cyber researchers have tied the vulnerability in Petya to the one used in WannaCry — a vulnerability discovered by the NSA years ago that the agency turned into a hacking tool dubbed EternalBlue. Petya works like WannaCry in that it is a worm that spreads quickly, said Bill Wright, senior policy counsel for Symantec, the cybersecurity firm. “Once you unleash something that propagates in this manner, it’s impossible to control.”

He also expressed puzzlement about why firms and governments were still being hit. Microsoft in March made available a patch for the Windows flaw that EternalBlue exploited. An updated operating system would protect you, Wright said.

Sandra Jeskie, a Duane Morris partner in Center City, said that if the latest attack exploited vulnerabilities in the older Windows software, companies that had failed to update could face legal exposure if it disrupted business relationships.

Given the rising number of attacks and extortionist demands, it is only a matter of time before hackers seek to disrupt so-called hard targets such as utilities and air traffic control systems, said Jordan Rand, a litigation partner at the Philadelphia firm of Klehr Harrison Harvey Branzburg.

An internal Merck communication early Tuesday warned employees that the company was the target of a ransomware attack and advised them to disconnect their computers from the network.

Employees also were asked to disconnect all mobile devices and told not to interact with reporters or post messages on social media.

At 2 p.m., the company sent employees another email: “Until further notice, do not access the company network from your home or office. Use your mobile phone on cellular networks only, meaning do not connect your phone via Merck MSD WiFi.”