Russian spies had access to EMA systems for four months in 2020 hack

Russian attackers hacked the European Medicines Agency (EMA) in 2020, gaining unauthorized access to COVID-19 vaccine information and personal correspondence for at least four months. The Dutch police warned Europe in 2021 that these attackers might access other European institutions, but no action was taken, according to the Volkskrant's (a Dutch daily morning newspaper) investigation.

The EMA discovered the hack on December 1, 2020, after detecting a suspicious login attempt at 2:00 a.m. and an effort to download the agency's entire database of employee passwords and usernames. The EMA alerted CERT-EU and the Dutch police, leading to an investigation by the Team High Tech Crime.

By mid-December 2020, police found traces of the attackers on the EMA network dating back at least four months before the breach was discovered. They identified that highly confidential documents were accessed starting July 30, 2020. Despite denials from pharmaceutical companies Moderna and BionTech, documents containing data from vaccine test subjects were found.

On December 30, 2020, a Russian message appeared on the dark web linking to the stolen EMA documents. Investigators traced the break-in to two temporary workers at the EMA, both employed by the Greek IT service provider UniSystems, which serves many European organizations, including Europol and the European Aviation Authority.

The police realized the attackers likely accessed UniSystems' systems, posing threats to numerous other European entities. As of May 2021, the Dutch police had received no response from Greek authorities regarding an investigation into UniSystems, leading them to believe that cyber threats remained unresolved. By July 2021, after receiving no feedback, they forwarded their findings to CERT-EU and the National Cyber Security Center without further response.