Targeting global companies, the attackers are likely seeking confidential data on the distribution and storage of the coronavirus vaccines, says IBM Security X-Force.
Cybercriminals have been expanding a phishing campaign designed to steal critical information from companies involved with COVID-19 vaccines, security group IBM Security X-Force said on Thursday. In a new report, X-Force said it recently discovered a series of phishing emails targeting 44 companies across 14 countries, all involved in the coronavirus vaccine cold chain, an aspect of the overall supply chain that ensures the safety of vaccines transported and stored in cold environments. The latest findings reference an initial report from X-Force in December in which it first detailed the tactics of this particular campaign.
First seen last September, the phishing campaign uses emails spoofing a business executive from Haier Biomedical, a legitimate member company of the COVID-19 vaccine supply chain and reportedly the world’s only complete cold chain provider. Aimed at executives in the energy, manufacturing, website creation and internet security sectors, the emails appear designed to capture the victim’s credentials, potentially to gain network access and steal sensitive information related to the COVID-19 vaccines.
The expanded attack is targeting important organizations involved in the transportation, warehousing, storage and distribution of the vaccines. Using a spear-phishing approach, the emails are being sent to key executives and personnel, including CEOs and presidents, global sales officers, purchasing officers, sales representatives, purchasing managers, system administrators, human resource officers and heads of supply and logistics.
The emails discovered by X-Force were sent between Sept. 7 and 8 in advance of any actual vaccine approvals. This tactic shows that the attackers were preparing for the eventual distribution of these critical vaccines.
Trying to arouse interest, the emails contain requests for quotes regarding the Cold Chain Equipment Optimization Platform program. The messages try to sound legitimate with references to specific Haier Biomedical products that store and transport vaccines in cold temperatures, including a solar-powered vaccine refrigerator and an ice-lined refrigerator.
In one example, a phishing email was sent to a German pharmaceutical and bioscience company involved in vaccine production, one that appears to be a customer of one of the original targets. The message serves up a PDF with a login screen already populated with the user’s email address. Once the recipient confirms the ID and enters a password, those credentials are sent to the attacker’s command-and-control (C2) infrastructure, a sign that the stolen credentials are intended for use in follow-on attacks.
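The lure and credential-capture mechanics described above (a partner's name in the sender display name but a foreign sending domain, a request-for-quotation pretext, and a PDF that links out to a credential-collection page) can be turned into mail-gateway triage checks. The following is an added example and not code from IBM X-Force or TechRepublic: the partner directory, domains, sample messages and PDF bytes are all constructed placeholders, and the PDF link check only handles uncompressed link annotations, so it is a first-pass heuristic rather than a full PDF parser.

```python
"""Triage heuristics for the cold-chain phishing pattern (added example).

Everything below is constructed for illustration: partner names, domains,
message contents and the minimal PDF bytes are placeholders, not real IoCs.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed directory: partner names an attacker might borrow, mapped to the
# domains that partner legitimately sends from (placeholder domains).
TRUSTED_PARTNERS = {
    "haier biomedical": {"haierbiomedical.example"},
}

# Pretext vocabulary from the campaign (quotation requests around cold-chain
# vaccine equipment); matched case-insensitively against subject and body.
LURE_PHRASES = ("request for quotation", "quote", "cold chain", "cceop", "vaccine")

# Matches uncompressed PDF link annotations such as "/URI (https://...)".
# Compressed object streams need a real PDF parser; this is a triage heuristic.
PDF_URI_RE = re.compile(rb"/URI\s*\(\s*([^)]*)\)")


def sender_domain(msg: EmailMessage) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonated_partner(msg: EmailMessage) -> Optional[str]:
    """Return the partner whose name appears in From: while the domain does not match."""
    name, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg)
    for partner, domains in TRUSTED_PARTNERS.items():
        if partner in name.lower() and domain not in domains:
            return partner
    return None


def pdf_links(msg: EmailMessage) -> list:
    """Collect link targets from PDF attachments (uncompressed /URI entries only)."""
    links = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            data = part.get_payload(decode=True) or b""
            links += [m.decode("latin-1") for m in PDF_URI_RE.findall(data)]
    return links


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message and return a verdict with its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    findings = []
    partner = impersonated_partner(msg)
    if partner:
        findings.append(f"display name claims {partner!r} but sender domain is {sender_domain(msg)!r}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain(msg):
        findings.append("Reply-To domain differs from From domain")
    lures = [p for p in LURE_PHRASES if p in text]
    if lures:
        findings.append("lure phrases: " + ", ".join(lures))
    links = pdf_links(msg)
    if links:
        findings.append("PDF attachment links to: " + ", ".join(links))
    # Partner impersonation or an outbound link inside a PDF is enough to hold
    # the message; two weaker signals send it for analyst review.
    verdict = "quarantine" if partner or links else ("review" if len(findings) >= 2 else "deliver")
    return {"verdict": verdict, "findings": findings}


def build_sample(from_hdr: str, subject: str, body: str,
                 reply_to: Optional[str] = None, pdf: Optional[bytes] = None) -> bytes:
    """Build a constructed test message; not a real captured sample."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "cfo@target.example"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if pdf:
        msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="quote.pdf")
    return msg.as_bytes()


# Constructed minimal PDF carrying a link annotation to a placeholder collector.
FAKE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (https://collector.invalid/login?u=cfo@target.example) >> >> endobj\n%%EOF")

PHISH_SAMPLE = build_sample(
    "Haier Biomedical Sales <sales@hb-quotes.example>",
    "Request for Quotation - Cold Chain Equipment Optimization Platform",
    "Please see the attached quote for the solar-powered vaccine refrigerator (CCEOP program).",
    reply_to="quotes@other-collector.example",
    pdf=FAKE_PDF,
)
BENIGN_SAMPLE = build_sample(
    "Jane Doe <jane@haierbiomedical.example>",
    "Q3 invoice",
    "Please find the quote attached to the portal as usual.",
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(raw))
```

The display-name check is the one that catches this campaign's core trick, since a spoofed executive name with a look-alike domain passes casual inspection but not a lookup against the partner's known sending domains; pairing it with the lure vocabulary keeps the rule from firing on ordinary correspondence with the real partner.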
In its report, X-Force said that the attackers may be seeking to exploit the vaccine cold chain to gain insight into the following areas:
- The National Advance Market Commitment negotiations surrounding the procurement of vaccines.
- Key timetables for the expedited distribution of COVID-19 vaccines across different nations and territories.
- Export controls, international property rights and government measures taken to ease the pre-arrival processing of the vaccines.
- The electronic submission of documents for pre-arrival processing.
- World Trade Organization agreements, clearance for transport crews and the security of the vaccines for border crossings and physical inspections.
- Technical requirements for the warehousing and electrical requirements for maintaining temperature-controlled environments to store the vaccines.
To delve into the motivations behind these attacks against the COVID-19 cold chain, Mike Puglia, chief strategy officer for security software provider Kaseya, provided answers to some key questions.
Lance Whitney: Why are cybercriminals interested in disrupting the COVID-19 vaccine supply chain?
Mike Puglia: Cybercriminals are motivated to disrupt the vaccine supply chain for the same reason that motivates most cybercrime: money. Cybercrime gangs are likely to see this as a golden opportunity to score a big payout from a company that’s part of the chain, like a pharma or logistics company.
Lance Whitney: Are there aspects of the vaccine supply chain that are most vulnerable? If so, what are the largest vulnerabilities?
Mike Puglia: Transportation is likely the most vulnerable part of the vaccine supply chain, so that’s probably where they’ll be concentrating their efforts. Supply chain attacks have been increasing in every sector, from logistics to infrastructure.
Cybercriminals have been working overtime to exploit every facet of the world’s COVID-19 journey. They first attacked hospitals to disrupt systems, then research institutions to steal data, and then it was the pharmaceutical companies’ turn during the vaccine development cycle.
Lance Whitney: How do we expect bad actors to exploit these vulnerabilities?
Mike Puglia: Expect ransomware. The top threat of 2020 has been phishing, because it’s the most common delivery system for ransomware. Whether these bad actors are from general cybercrime gangs or nation-state hacking groups, ransomware will be their vehicle of choice for both stealing data and disrupting operations. It’s cheap, easy, effective and scores big payouts for them.
Lance Whitney: What can organizations that are part of the vaccine supply chain do to prevent a cyberattack? What can they do to mitigate the damage if they are attacked?
Mike Puglia: Organizations can make a few smart moves right now to add immediate protection. Start using multi-factor authentication, add automated anti-phishing email security and increase phishing resistance training. Businesses also need to take a close look at their backup and disaster recovery solutions to ensure that their organization has a multilayered approach that includes frequent testing so that data can be properly restored in case of an attack.
All the above mitigations provide strong protection for every organization against a core risk in supply chain attacks: spear phishing. Multi-factor authentication makes it significantly harder for cybercriminals to use a phished password or a credential stuffing attack to penetrate security, while email security automation and phishing resistance training help ensure individuals do not engage with phishing emails. Additionally, if an organization is attacked, robust backup solutions ensure that data is protected and can be restored quickly to reduce downtime.