IBM’s cyber-security division says that hackers are targeting companies associated with the storage and transportation of COVID-19 vaccines using temperature-controlled environments — also known as the COVID-19 vaccine cold chain.
The attacks consisted of spear-phishing emails seeking to collect credentials for a target’s internal email and applications.
While IBM X-Force analysts weren’t able to link the attacks to a particular threat actor, they said the phishing campaign showed the typical “hallmarks of nation-state tradecraft.”
Government agencies and private companies targeted alike
Targets of the attacks included a wide variety of companies, sectors, and government organizations alike. This included the European Commission’s Directorate-General for Taxation and Customs Union, an organization that monitors the movement of products across borders — including medical supplies.
The attackers also targeted a company that manufactures solar panels used for solar-powered vaccine transport refrigerators and a petrochemical company that manufactures dry ice, also used for vaccine transportation.
Further, the same threat actor also targeted a German IT company that makes websites for “pharmaceutical manufacturers, container transport, biotechnology and manufacturers of electrical components enabling sea, land and air navigation and communications.”
According to IBM, the attackers specifically targeted select executives at each company, usually individuals working in sales, procurement, IT, and finance positions, which were likely to be involved in company efforts to support a vaccine cold chain.
The selected targets typically received emails using the spoofed identity of a business executive from Haier Biomedical, a Chinese company part of the UN’s official Cold Chain Equipment Optimization Platform (CCEOP) program.
“The subject of the phishing emails posed as requests for quotations (RFQ) related to the CCEOP program,” IBM researchers Melissa Frydrych and ClaireZaboeva said in a report today.
The emails contained malicious HTML files as attachments that victims had to download and open locally. Once opened, the files prompted victims to enter various credentials to view the file.
“This phishing technique helps attackers avoid setting up phishing pages online that can be discovered and taken down by security research teams and law enforcement,”
All in all, companies in Germany, Italy, South Korea, Czech Republic, greater Europe, and Taiwan were targeted in this campaign.
COVID-19 companies repeated targeted in recent months
But this phishing operation is just the latest in a long list of different attacks by different threat actors that targeted the COVID-19 vaccine research field this year.
Previous targets included Johnson & Johnson, Novavax, Genexine, Shin Poong Pharmaceutical, Celltrion, according to the Wall Street Journal, and AstraZeneca and Gilead, according to Reuters.
Some of the attacks have been linked back to the governments of China, Iran, Russia, and North Korea.
However, while the previous attacks targeted the vaccine makers directly, this particular campaign was different because it targeted their supply chain — suggesting threat actors are also looking for information on how to transport and store vaccines, and not only how to make it.
The US Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency are scheduled to release a security alert later today about the phishing campaign spotted by IBM.
The joint FBI and CISA alert comes after Interpol published a different security alert on Wednesday to warn that organized crime syndicates, active both in the real world and online, are most likely to infiltrate and disrupt vaccine supply chains for their own financial profits.
Several pharmaceutical companies have announced this fall that they’ve developed successful COVID-19 vaccines, most of which are expected to enter broad distribution in early 2021 — if their supply chains don’t get disrupted.