Researchers from IBM X-Force warned of threat actors actively targeting organizations associated with the COVID-19 vaccine cold chain. The experts uncovered a large scale spear-phishing campaign that has been ongoing since September 2020. Threat actors are impersonating a biomedical company, Haier Biomedical, and are sending out spear-phishing messages to executives and global organizations involved in vaccine storage and transport. Haier Biomedical is a legitimate member company of the COVID-19 vaccine supply chain, it is also a qualified supplier for the CCEOP program.
Organizations involved in the cold chain play a crucial role in the distribution of the forthcoming COVID-19 vaccines because the shipment must maintain the vaccine at temperatures of minus 70 degrees Celsius for the one made by Pfizer and minus 20 Celsius for the Moderna one.
“The COVID-19 phishing campaign spanned across six countries and targeted organizations likely associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program“reads the analysis published by IBM.
“Spear-phishing emails were sent to select executives in sales, procurement, information technology and finance positions, likely involved in company efforts to support a vaccine cold chain. We also identified instances where this activity extended organization-wide to include help and support pages of targeted organizations.”
One of the targets of this campaign is the European Commission’s Directorate-General for Taxation and Customs Union, other organizations targeted by threat actors operate in the energy, manufacturing organizations, and IT.
The phishing campaign hit global organizations with headquarters in Germany, Italy, South Korea, Czech Republic, greater Europe, and Taiwan. The attackers aim at harvesting account credentials to use in further attacks against the same organizations.
DHS CISA also issued an alert warning organizations working on the COVID-19 cold chain of targeted attacks carried out by nation-state actors.
“Impersonating a biomedical company, cyber actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials. The emails have been posed as requests for quotations for participation in a vaccine program.” reads the alert published by DHSCISA.
“The Cybersecurity and Infrastructure Security Agency (CISA) encourages Operation Warp Speed (OWS) organizations and organizations involved in vaccine storage and transport to review the IBM X-Force report Attackers Are Targeting the COVID-19 Vaccine Cold Chain.”
The TTPs observed in this campaign and the nature of the target suggest the involvement of a nation-state actor.
“While attribution is currently unknown, the precision targeting and nature of the specific targeted organizations potentially point to nation-state activity. Without a clear path to a cash-out, cyber-criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets.” continues the report published by IBM X-Force.
“Likewise, insight into the transport of a vaccine may present a hot black-market commodity, however, advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target.”
(SecurityAffairs – hacking, cold chain)