Cyber Incident Victim: Evotec

Date: Apr 2023

Location: Germany

Summary

Evotec, a German drug development company, suffered a cyberattack that forced it to proactively disconnect all IT systems from the internet to prevent data corruption or breaches. The incident caused production delays and slower response times for its partners while forensic experts examined the systems. Business continuity was upheld at its global sites as the company worked to restore services, but it did not reconnect its network until the investigation was complete and security plans were implemented.


Description

On or around 06 April 2023, the German drug development company Evotec SE experienced a cyberattack that targeted its IT systems. In immediate response to the incident, the company proactively shut down all of its IT systems and disconnected them from the internet. This decisive action was taken to secure the systems from potential data corruption or data breaches. The initial public disclosure of the attack was made on the same day, 06 April 2023, through an ad hoc release on the company’s investor relations website. This first communication confirmed the attack had occurred and stated the primary containment measure of disconnection. The company announced that its IT systems were undergoing examination and that the full scope of the impact was being reviewed, with the highest diligence being applied to ensure data integrity throughout the process.

By the following day, 07 April 2023, the company remained in a state of active response and investigation. Evotec confirmed that a forensic examination of its compromised systems was being conducted with the assistance of external cybersecurity experts. This detailed investigation was crucial for understanding the nature and extent of the attack, identifying any potential data exfiltration, and planning the secure restoration of services. In parallel with engaging technical experts, Evotec formally contacted law enforcement agencies in Germany to report the incident, initiating an official legal and investigative process into the attack. The company’s global operations, which span multiple sites, were maintained under its business continuity plans, though entirely on offline systems.

The primary impact of the incident was operational disruption caused by the necessary precaution of keeping systems disconnected. Evotec stated that while business continuity had been upheld at all of its global sites, the disconnection of its IT network caused significant production delays. The company communicated directly with its partners and suppliers, acknowledging that certain delays or slower responses might occur as a direct result of the ongoing IT outage. To facilitate essential communication while its primary email system remained offline, Evotec established a centralized email address and urged its partner organizations and suppliers to use this channel for all correspondence during the recovery period. This workaround was a critical component of maintaining minimal viable operations while the core IT infrastructure was secured and restored.

The company's recovery strategy was methodical and prioritized security over speed. Evotec management decided that selected systems would remain offline until the forensic examination had been thoroughly completed and comprehensive security plans were firmly in place. This cautious approach underscored the company's commitment to ensuring data integrity and preventing any further compromise before systems were brought back online. The implementation of solutions to keep all services available to its partners was underway, but the process was expected to extend over a period of time due to the careful measures being taken. No specific details regarding the type of cyberattack, such as whether it involved ransomware, were disclosed in the public statements from the company during this initial phase.

As of the latest report on 07 April 2023, no hacking group had claimed responsibility for the attack on Evotec. Without a public claim by a threat actor, the motivation and identity of the attackers remained publicly undetermined. The incident was noted as one of several recent cyberattacks targeting companies within the pharmaceutical sector, highlighting a trend of attacks against critical healthcare and research infrastructure. For context, the article mentioned a separate, contemporaneous attack on Sun Pharmaceuticals, which had been claimed by the Black Cat/AlphV ransomware group. However, no such link was made to the Evotec incident, which remained an isolated event with no public attribution at the time of reporting.

Evotec is a significant entity within the global pharmaceutical landscape, employing more than 4,200 people and generating revenue of nearly $700 million in 2021. The company's work involves developing treatments for serious diseases including Alzheimer's and Huntington's disease. Its business model relies heavily on long-term strategic drug discovery partnerships with several pharmaceutical giants, including Bristol Myers Squibb, Bayer, and Sanofi. The cyberattack and the subsequent IT outage therefore had the potential to disrupt not only Evotec's internal research and production timelines but also the collaborative projects and supply chains integral to its partners. The financial and operational repercussions of the production delays were not quantified in the immediate aftermath of the attack. The company's focus remained exclusively on the forensic investigation, securing its systems, and gradually restoring full IT functionality in a secure and controlled manner.
