Industrial Spy ransom group sells data from pharmaceutical giant Novartis for $500,000 on the dark web; Novartis says no sensitive data was compromised

Pharmaceutical giant Novartis says no sensitive data was compromised in the recent cyber attack by the Industrial Spy ransom ring.

Industrial Spy is a hacking group that operates an extortion marketplace on the dark web where they sell data stolen from victim companies. The marketplace sells different types of stolen data, from "premium" data for millions of dollars to individual files for as little as $2, and even offers free downloads of the data.

Threat participants use these files to promote their markets and explain that readers can purchase competitors' programs, drawings, technology, political and military secrets, accounting reports and customer databases.

The V3 address for the Industrial Spy dark online marketplace is

http://spyarea23ttlty6qav3ecmbclpqym3p32lksanoypvrqm6j5onstsjad.onion

Recently, the hacker group began selling data allegedly stolen from Novartis on its Tor ransom marketplace for $500,000, claiming to "provide files directly from the manufacturing plant's laboratory environment" and describing as follows.

Latest RNA and DNA-based drug technology from Novartis. Currently developed and used as next-generation enabling technology for the development of current Covid vaccine variants, among others. This variant of the technology is also used in Novartis' genetic cancer therapy (Kymriah).
Offered files come directly from the laboratory environment of the manufacturing plant.

The data for sale consists of 7.7MB PDF files numbered "b537531f-c84f-4d73-b259-34c00fd4a3ca", all of which are timestamped 2022-02-25 04:26, which is likely the time the data was stolen. Since the amount of data shown is relatively small, only 11 pdfs, it is unclear if this is all the data stolen by the threat actors, or if they have more data to sell later.

The leaked data is as follows.

Analytical Procedures-AM64044(AS5004549)-0000168406_V3.pdf
Analytical Procedures-AM64046(AS5004549)-0000168217_v3.pdf
Analytical Procedures-AM64047(AS5004549)-0000162079 _V5.0.pdf
Analytical Procedures-AM64047(AS5004550)-0000536669_4.0.pdf
ANM_IPC_00075140.pdf
ANM_IPC_00657892.pdf
ANM_MIXED_00089643.pdf
Method Validation Report-MVR64044(AS5004549)-0000415345.pdf
Method Validation Report-MVR64046(AS5004549)-0000329721.pdf
Method Validation Report-MVR64047(AS5004549)-0000352670.pdf
PROC_LP_00799702.pdf

Technology media outlet BleepingComputer sent an email to Novartis confirming the attack and data theft and received the following statement.

"Novartis is aware of this matter. We have thoroughly investigated it and we can confirm that no sensitive data has been compromised. We take data privacy and security very seriously and have implemented industry standard measures in response to these kind of threats to ensure the safety of our data." - Novartis.

Novartis declined to answer any further questions about the breach, when it occurred, and how the threat actors gained access to their data.

It is understood that the Industrial Spy ransomware group has launched its own ransomware operation and they are now also encrypting victims' devices, but there is no evidence that the devices were encrypted in the Novartis incident.