Cyber Incident Victim: Gilead Sciences, Inc.
Date: Apr 2020
Location: United States of America
Summary
Hackers linked to Iran targeted a U.S. pharmaceutical company developing COVID-19 treatments, attempting to compromise employee email accounts through phishing campaigns impersonating journalists. The attacks included a fake login page sent to a senior executive involved in legal affairs, utilizing infrastructure previously associated with the Iranian group "Charming Kitten." Cybersecurity researchers confirmed the malicious domains and servers were tied to Iranian operations, though the success of these attempts remained undetermined. The incident occurred amid heightened global cyber espionage targeting organizations involved in pandemic-related research, with state-backed actors seeking potential advantages in treatment development. The company, known for its antiviral drug remdesivir, was a target of the kind of campaign that U.S. and British authorities had warned about. Iran denied involvement, claiming its cyber activities are purely defensive.
Description
In April 2020, hackers linked to Iran targeted employees of Gilead Sciences Inc., a U.S. pharmaceutical company developing remdesivir as a COVID-19 treatment. The attackers sent a senior Gilead executive involved in legal and corporate affairs a phishing email containing a counterfeit login page designed to steal passwords. Cybersecurity researchers from Israeli firm ClearSky and U.S.-based Recorded Future identified the infrastructure used in this attack as belonging to an Iranian group known as "Charming Kitten," which had previously conducted cyber espionage campaigns. The hackers impersonated journalists in communications targeting Gilead staff email accounts. Three independent cybersecurity analysts confirmed the malicious domains and hosting servers were connected to Iranian operations, though Reuters could not verify whether any attacks succeeded in compromising accounts. Iran's UN mission denied involvement, stating its cyber activities were purely defensive. Gilead declined to comment on the incident per company policy regarding cybersecurity matters.

The attacks occurred amid heightened global targeting of organizations involved in COVID-19 research, with British and U.S. authorities warning about state-backed hacking campaigns against pharmaceutical firms. Two sources familiar with the matter identified Gilead as one such target, given its status as the first company to receive U.S. FDA emergency authorization for a COVID-19 treatment. The incident reflected broader geopolitical tensions, as Iran—then experiencing the Middle East's worst COVID-19 outbreak—sought potential advantages in treatment development. Security researchers noted access to pharmaceutical company communications could provide strategic benefits in pandemic response. Concurrently, Reuters reported similar hacking attempts against the World Health Organization and Chinese government entities by groups linked to Vietnam and other nations. An unnamed European biotech executive described industry-wide heightened security measures, including air-gapped computers for vaccine research, though Gilead's specific defensive actions remained undisclosed. The company maintained high-profile engagement with U.S. leadership during this period, with CEO Daniel O'Day meeting President Trump twice to discuss COVID-19 treatments.
