IBM finds phishing threat to covid-19 vaccine ‘cold chain’

Cyberattackers are targeting vaccination efforts... without the right security measures in place, your business doesn't stand a chance.
3 December 2020
  • Big Blue security researchers uncovered a phishing campaign targeting a COVID-19 vaccine ‘cold chain’ 
  • Efforts are likely to have been led by nation-state attackers — motivations may have been espionage or disruption
  • Enterprises must be alert to increasingly targeted attacks, as cybercrime knows no bounds

IBM researchers have detected cyber-espionage targeting international COVID-19 vaccine supply chain intelligence. 

The computing giant’s security division identified phishing emails targeted at key recipients, seemingly in efforts to gather vital information on the World Health Organization’s initiative for distributing a vaccine to developing countries. 

While researchers aren’t sure who was behind the attack, which began in September, or whether it had been successful, the precision targeting bore “the potential hallmarks of nation-state tradecraft,” according to IBM.

The discovery follows warnings and reports that cybercriminals could target vaccine research and supply chains to cause economic and societal disruption.

What happened?

As reported by the Associated Press, the phishing campaign was targeted across countries including Germany, Italy, South Korea, and Taiwan, and is likely associated with the “cold chain” required to ensure the vaccines are refrigerated, and therefore remain effective, throughout the shipping process.  

The attackers impersonated a business executive from Haier Biomedical, a legitimate Chinese company considered the world’s main cold-chain supplier. They then sent phishing emails, which contained malicious code and asked for people’s login credentials, to organizations that provided transportation.

Targets included the European Commission’s Directorate-General for Taxation and Customs Union and companies that make solar panels for powering portable vaccine refrigerators. 

Other targets were petrochemical companies, likely because they produce dry ice, which is used in the cold chain, Claire Zaboeva, an IBM analyst, told AP.

What it means…

At ‘best’, the motivation behind the operation could be a nation-state’s desire to learn how the vaccines can best be shipped and stored, in order to replicate the process. At worst, attackers might have sought to undermine a vaccine’s legitimacy or launch a destructive attack.

Following a year where organizations and consumers have been pummelled by a rise in cybercrime, the discovery by IBM indicates professional cybercrime rings have now turned their attention to seizing control of information and disrupting services of organizations vital to vaccine distribution. 

“The purpose of this concerted attack on the Covid vaccine supply ‘cold chain’ is likely to acquire leverage in a multi-million-pound ransomware attempt, to sell key data on the ‘black market’ to the highest international bidder, or, quite simply, to disrupt […]” said Chris Ross, SVP sales, international, for Barracuda Networks. 

Ross continued: “[…] this is the first time that a significant phishing campaign has been used on a global scale to disrupt the progress of our battle with the coronavirus – this issue must be taken extremely seriously by all afflicted targets and organizations who have anything to do with the logistics, transport or distribution of the vaccine, who may have already been breached, and do not yet know it.”

Why it matters…

Since lockdowns began, phishing campaigns have targeted sectors where disruption is easily caused, such as healthcare and education. Just this week, a ransomware attack on a school district in Maryland halted classes for more than 115,000 pupils.

In July, more than 20 universities and charities across the UK, US, and Canada reported falling victim to a supply chain cyber-attack via compromised cloud provider Blackbaud.

However, a third of all ransomware data breaches happen in hospitals, and the number of breached personal records in the healthcare industry nearly tripled from 2018 to 2019, jumping from 15 million to 40 million. A patient died as a result of a hack on Düsseldorf University Hospital’s computer systems in September, leading detectives to investigate the first ‘negligent homicide’ caused by a cyberattack.

Regardless of sector, all organizations should expect to be targeted by phishing campaigns, and expect the maximum disruption and financial loss as a result of lapses in security.  

Organizations are dealing with more third-party suppliers, clients, and partners in the digital domain than ever before, giving cyber-attackers a wider goal for landing targeted scams. Businesses must take a zero-trust approach to security, with every digital communication and connection verified before being engaged with. 

Effective staff training is also key: “Implementing an immediate and comprehensive security training session combined with a rigorous refresh of company and employee passwords and usernames must be undertaken immediately in an attempt to flush out and block any existing or future attacks,” said Ross.  

“Backing up key data via a sophisticated third-party cloud backup provider is also essential in protecting organizations from any future ransomware attack attempts.”