Threat actors are targeting executives of a German multinational corporation part of a government-private sector task force that is involved in the supply of personal protective equipment (PPE).
Researchers from the IBM X-Force Incident Response and Intelligence Services (IRIS) reported that attackers launched a COVID-19-themed spear-phishing campaign to steal the user credentials of over 100 senior executives. According to the experts, hackers targeted approximately 40 organizations as part of this campaign
The task force was created by the German government to ensure the procurement from foreign markets of PPE, including face masks and medical gear.
The campaign started on March 30, when representatives of the German government met large German companies and tasked them to support German Ministries to acquire PPE.
“IBM X-Force IRIS’ research indicates that the threat actors behind this campaign targeted more than 100 high ranking executives in management and procurement roles within this organization and its third-party ecosystem.” reads the report published by IBM X-Force IRIS.
The spear-phishing messages include links that point to phishing landing pages camouflaged as Microsoft login forms used by attackers to steal victims’ credentials. Once the attackers have obtained the login credentials they are sent to via email to several Yandex email accounts.
Hackers targeted FIEGE, German railway company Deutsche Bahn, BASF, Bayer, Daimler, DHL, Lufthansa, Otto, and Volkswagen
The phishing messages originating from a Russia-based IP address 178[.]159[.]36[.]183, the experts noticed that over 280 URLs tied to this IP were involved in the campaign.
“with more than a third including Base64 encoded email addresses belonging to suspected targets at the MNC and its third-party supply chain partners. Approximately half of the encoded email accounts belong to executives associated with operations, finance, and procurement within the targeted corporation.” continues the analysis. “The remaining half belong to executives at third-party partners, including European and American companies associated with chemical manufacturing, aviation and transport, medical and pharmaceutical manufacturing, finance, oil and gas, and communications.”
The campaign is still ongoing, hackers will likely target other high ranking executives that are members of the task force.
At the time it is not clear how many accounts were hacked by the threat actors.
“This discovery represents a precision-targeting campaign exploiting the race to secure essential PPE,” IBM concludes.
“Given the worldwide spread of COVID-19 and fears of a pending second wave of infection, it is highly likely criminal and state-sponsored actors alike will seek to exploit global procurement and supply chains with the intention of either profiting from the crisis or supporting the acquisition activities of their host nation.”
(SecurityAffairs – COVID-19, phishing)