Cyber Incident Victim: Mipharm SPA

Date: Apr 2021

Location: Italy

Summary

Mipharm SPA, a Milan-based pharmaceutical company, experienced a cyberattack attributed to the Sodinokibi (REvil) ransomware group, which resulted in the theft of sensitive data. The attackers publicly disclosed screenshots of the compromised information as proof of the breach, though specific details of the stolen data were not fully elaborated. The incident coincided with separate claims by the Avaddon threat actors targeting another pharmaceutical entity, MSpharma in Jordan, though confirmation of that attack's validity remained pending at the time of reporting.

Description

On or around April 26, 2021, the Milan-based pharmaceutical company Mipharm SPA suffered a cyberattack attributed to the Sodinokibi ransomware group, also known as REvil. The threat actors compromised the company’s servers and exfiltrated sensitive data, later publishing screenshots of the stolen information as proof of the breach. This public disclosure occurred through REvil’s dedicated leak site, a common tactic to pressure victims into paying ransoms. The published samples indicated that the attackers successfully accessed internal company data, though the specific scope of compromised records (e.g., research data, employee information, or client details) was not detailed in the available reports. Mipharm SPA (website: mipharm.it) was identified as one of two pharmacological research firms targeted during this period, though the incident remained distinct from a separate claim by the Avaddon ransomware group against Jordan-based MSpharma. No explicit confirmation from Mipharm SPA regarding operational disruptions, ransom demands, or data recovery efforts was documented in the source material.

The attack occurred amid broader targeting of pharmaceutical entities, with Avaddon separately alleging an intrusion against MSpharma (mspharma.com), which online research suggested might be linked to United Pharmaceutical Manufacturing Co. due to branding similarities in leaked files. DataBreaches.net attempted to contact MSpharma to verify the Jordan-based incident but noted no immediate response at the time of reporting. REvil’s history of high-profile ransomware operations contextualized the Mipharm breach, though the company’s specific detection methods, containment actions, and post-incident remediation steps were not publicly disclosed. The confirmed impact centered on data theft and its publication by attackers, with no verifiable information regarding financial losses, regulatory penalties, or third-party notifications. DataBreaches.net indicated it would update its coverage if additional details emerged from outreach efforts, but the status of MSpharma’s alleged breach remained unconfirmed in the initial report.
