IBM X-Force has released a report on malicious cyber actors targeting the COVID-19 cold chain—an integral part of delivering and storing a vaccine at safe temperatures. Impersonating a biomedical company, the cyber actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport in order to harvest account credentials. The emails are posed as requests for quotations for participation in a vaccine program.

According to IBM X-Force, the adversary impersonated a business executive from Haier Biomedical, a credible and legitimate member company of the COVID-19 vaccine supply chain and a qualified supplier for the CCEOP program. The company is purportedly the world’s only complete cold chain provider. Disguised as this employee, the adversary sent phishing emails to organizations believed to be providers of material support to meet transportation needs within the COVID-19 cold chain. IBM X-Force researchers assessed that the purpose of this COVID-19 phishing campaign may have been to harvest credentials, possibly to gain future unauthorized access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution.

The global targets, says IBM, are headquartered in Germany, Italy, South Korea, the Czech Republic, greater Europe and Taiwan. They include the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations in the energy, manufacturing, website creation, and software and internet security solutions sectors.

Researchers observed spear-phishing emails that were sent to select executives in sales, procurement, information technology and finance positions, likely involved in company efforts to support a vaccine cold chain, as well as instances where this activity extended organization-wide to include help and support pages of targeted organizations.

IBM Security X-Force is urging companies in the COVID-19 supply chain — from research into therapies and healthcare delivery to distribution of a vaccine — to be vigilant and remain on high alert during this time. The Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert encouraging Operation Warp Speed (OWS) organizations and organizations involved in vaccine storage and transport to review the IBM X-Force report, Attackers Are Targeting the COVID-19 Vaccine Cold Chain, for more information, including indicators of compromise. For tips on avoiding social engineering and phishing attacks, see CISA Insights: Enhance Email & Web Security.

Carl Wearn, Head of E-Crime, Mimecast, says, "The news that the COVID vaccines are ready to be shipped to patients is fantastic for everyone. Yet, it is also cause for caution: as we focus on the positive news, many people are likely to be eager for information in relation to obtaining it and less vigilant about the emails they receive, and this can be exploited by threat actors. This is a perfect setup for hackers to succeed in their malicious campaigns to harvest confidential data. The COVID pandemic has been a perfect playing ground for hackers to refine their campaigns: we’ve seen a slew of cyberattacks targeting large healthcare companies since the start of the pandemic, and we’re now seeing hackers shift their attention to a new target: the lesser-known businesses involved in manufacturing, packaging and delivering the vaccine to patients. These businesses sit at the heart of the vaccine chain, which puts them in a challenging position in case an attack is successful. Supply chains could be disrupted, patient data could be compromised and confidential IP belonging to research labs could be held ransom. This is a lot of pressure on companies that aren’t used to dealing with such attacks."

Wearn adds, "If we are to release this critical vaccine to the people who need it most, every actor involved in the development, manufacturing, delivery and administration of the treatment must follow cybersecurity best practices: watch out for any sign that an email may not be legitimate, only click on verified links and inform the legitimate source of any fraudulent email. This will enable the vaccine to move from the lab to the patient faster, improve the safety of the entire industry and protect the information that is crucial for the development of further treatments for the COVID pandemic."

Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software, notes, "Phishing continues to be a key vector in any hacking or APT attack, so all staff need to be extra vigilant, but it’s an added reminder at a corporate level of the need to stringently operate all security controls, including system hardening, network segregation and disciplined change control. Average times for breach detection are still routinely up around 160 days, while an attack is typically successful within hours or days. Therefore, real-time breach detection is more important than ever."

"It’s fascinating that the DHS would release news on ongoing/emerging cyberattacks, because that indicates that they’d like as many people as possible to be aware of threats and to respond accordingly," says Tom Pendergast, Chief Learning Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education. "'Responding accordingly' means being hyper-vigilant for requests that are unexpected or out of sequence, for heightened urgency, etc. All the things we in InfoSec have been teaching employees for years, only now they are extra important because of the high stakes for a successful vaccine rollout. What we’d hope to see is that anyone involved in the supply and distribution chain would intensify their scrutiny of communications. My advice to anyone, especially to senior people within the widely distributed vaccine network, is to verify, verify, verify, before you put any information at risk."