Cyber Incident Victim: AmerisourceBergen

Date:

Nov 2022

Location:

United States of America

Summary

A major pharmaceutical distributor experienced a security breach at one of its subsidiaries, MWI Animal Health, attributed to the Lorenz ransomware group. The attackers compromised the subsidiary's IT system, leading to data exfiltration and subsequent leaks on their extortion site. The parent company confirmed the intrusion, stating it was isolated and quickly contained, with investigations ongoing to determine potential sensitive data exposure. Lorenz, known for targeting large organizations, allegedly exploited vulnerabilities in telephony systems to gain network access, then delayed exfiltration and encryption activities. While leaked files appeared genuine, the company has not yet verified their authenticity or confirmed data compromise. The incident underscores the group's focus on high-impact attacks against critical infrastructure entities.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around November 1, 2022, threat actors later identified as the Lorenz ransomware gang breached the IT systems of MWI Animal Health, a subsidiary of pharmaceutical distributor AmerisourceBergen. The intrusion remained undetected until February 2023, when Lorenz ended a prolonged silence by listing AmerisourceBergen on its extortion site and leaking files purportedly stolen during the attack. AmerisourceBergen confirmed the security breach upon being contacted by media outlets, clarifying that only a subsidiary's systems were compromised rather than its primary corporate network. The company stated its internal investigation identified the breach quickly, though the exact timeline between initial detection and public confirmation wasn't disclosed. Immediate containment actions were implemented to limit the intrusion, with precautionary measures taken to purge all systems of malicious activity. AmerisourceBergen emphasized this was an isolated incident but acknowledged an ongoing investigation to determine whether sensitive data was exfiltrated.

Lorenz ransomware operators backdated their data leak post to November 1, 2022, suggesting the breach occurred months prior to the February 2023 publication. The threat actors posted all allegedly stolen files from both AmerisourceBergen and MWI Animal Health, though the company had not verified the authenticity of these leaked documents at the time of its public statement. Security researchers noted Lorenz's established pattern of exploiting vulnerabilities in Mitel telephony systems to gain initial access, then remaining dormant for extended periods before activating backdoors for data exfiltration and ransomware deployment. While not the most active ransomware group, Lorenz targets large organizations, with prior attacks including a 2022 breach of defense contractor Hensoldt that resulted in significant data theft. AmerisourceBergen, which operates 150 offices globally and employs 42,000 people, faces potential operational and reputational impacts pending confirmation of data compromise. The company reiterated its commitment to securing networks against future incidents but provided no specifics regarding affected systems, data types, or remediation costs. No ransomware deployment or encryption was mentioned in the company's statement or observed in the attackers' leak announcement.
