Cyber Incident Victim: Bilthoven Biologicals
Date: Sep 2022
Location: Netherlands
Summary
A Dutch vaccine manufacturer experienced a ransomware attack compromising internal servers and partially disrupting production facilities, though most operations continued. The Blackcat (ALPHV) group, suspected of originating from DarkSide, claimed responsibility and exfiltrated sensitive data including vaccine research, scientific work, employee information, emails, and documents. A limited portion of stolen data appeared on the dark web, prompting notifications to data protection authorities and affected personnel. The company engaged cybersecurity experts and prepared a police report but declined to disclose ransom details. Attackers reportedly exploited unpatched firewalls and VPN vulnerabilities, reflecting broader targeting of pharmaceutical entities for their financial resources and valuable intellectual property.
Description
On September 21, 2022, Bilthoven Biologicals, a Dutch manufacturer of vaccines against polio, bladder cancer, and other critical diseases, suffered a ransomware attack by the Blackcat group (also known as ALPHV). The attackers encrypted "several servers" within the company's internal closed network, disrupting some vaccine production facilities, though most machinery continued operating during the incident. Blackcat claimed theft of vaccine-related data, scientific research, emails, and documents. Bilthoven Biologicals confirmed the breach and initiated an investigation through an unnamed cybersecurity firm, while preparing a police report. The company declined to disclose whether ransom demands were made or paid, citing advice from law enforcement and security experts.

The attackers published a "small portion" of stolen data on the dark web, prompting Bilthoven Biologicals to notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and employees due to potential exposure of personal information. Blackcat asserted most stolen data remained unpublished but provided no evidence. Operational impacts included partial disruption to vaccine production systems, though full details of compromised data or infrastructure were undisclosed as the investigation remained ongoing. Blackcat, suspected to include former members of the DarkSide ransomware group responsible for the Colonial Pipeline attack, reportedly exploited unpatched firewalls and VPN vulnerabilities to infiltrate the network. Cybersecurity experts noted pharmaceutical companies like Bilthoven Biologicals are frequent ransomware targets due to their financial resources and sensitive data holdings.
