Hackers Targeting COVID-19 Vaccine Supply Chain Via Phishing Campaigns
DHS CISA highlighted a new IBM X-Force report showing cybercriminals are targeting the COVID-19 vaccine supply chain with phishing and spear-phishing attacks.
By - The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released an alert, urging COVID-19 vaccine supply chain organizations to review a new IBM X-Force report highlighting widespread phishing and spear-phishing campaigns targeting these health sector entities.
IBM X-Force established a COVID-19 cyber threat task force at the onset of the pandemic, designed to track cyber threats impacting these critical organizations.
In September, the team first discovered a global phishing campaign targeting COVID-19 cold storage supply chain members across six countries with likely ties to Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program.
CCEOP was founded in 2015 by GAVI, UNICEF, and other global partners and is designed to optimize immunization equity and improve the global medical response to disease outbreaks. The initiative is currently assisting with efforts around COVID-19 vaccine distribution and a breach within this alliance could expose any entity connected to CCEOP.
Targeted companies included those in the energy, manufacturing, website creation and software and internet security solutions sectors.
READ MORE: AstraZeneca Targeted by Nation-State Actors Via Phishing Attacks, Malware
In these attacks, hackers impersonated an executive from Haier Biomedical, a China-based firm that is a qualified supplier for the CCEOP program and a legitimate member of the COVID-19 vaccine supply chain.
The spear-phishing emails were sent to enterprise leadership members in the information technology, sales, procurement, and finance departments, as those members would likely be involved in efforts to support the vaccine cold chain.
IBM X-Force also observed instances of phishing emails sent across the entire enterprise “to include help and support pages of targeted organizations.”
The subject line poses as requests for quotations tied to the CCEOP program, while the message body contains malicious HTML attachments that open locally on the device and prompt victims to enter their user credentials to view the file.
This phishing message allows the attacks to avoid the need for setting up phishing domains online, which are readily discovered and removed by law enforcement and security researchers.
READ MORE: Nation-State Hacking Campaigns Targeting COVID-19 Research Firms
“Disguised as this employee, the adversary sent phishing emails to organizations believed to be providers of material support to meet transportation needs within the COVID-19 cold chain,” researchers explained.
“We assess that the purpose of this COVID-19 phishing campaign may have been to harvest credentials, possibly to gain future unauthorized access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution,” they added.
If an attacker successfully obtains credentials of the employee, they could gain access to internal communications and the COVID-19 vaccine distribution processes, methods, and plans, as well as information on the infrastructure and vendors governments intend to use for vaccine distribution.
With credentials, a hacker could also gain a foothold onto the network to move laterally through connected networks for stealthy cyber espionage efforts, including obtaining confidential data from the victim’s environment.
Researchers were unable to confirm the success rate of the phishing campaign. But given the role of Haier Biomedical in global vaccine transport and distribution efforts, there’s a heightened probability that intended recipients may engage with these malicious emails without questioning their authenticity.
READ MORE: The Risk of Nation-State Hackers, Government-Controlled Health Data
Nation-state actors are most likely behind these attacks given the precision targeting of global organizations and leading executives, but the researchers could not conclusively make that attribution.
However, it’s likely the attackers are intimately aware of the critical components and participants of the COVID-19 cold chain, given the specialization of this global attack.
“Without a clear path to a cash-out, cyber criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets,” researchers explained.
“Likewise, insight into the transport of a vaccine may present a hot black-market commodity,” they added. “However, advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target.”
As such, IBM X-Force recommended all organizations within the COVID-19 supply chain, including research firms, healthcare delivery organizations, and vaccine distributors to remain on high alert for these types of phishing threats.
These organizations should be sure to create and test their incident response plans to ensure readiness in case of a successful attack, along with performing an assessment of the third-party ecosystem to ensure users are only given access to data essential to performing their duties.
Multi-factor authentication should be implemented across all applicable endpoints, which acts as a fail-safe when hackers obtain user credentials due to the requirement of a second form of verification. Previous Microsoft research found MFA blocks 99.9 percent of all automated attacks. Endpoint protection and response could also provide better detection and prevention of attack proliferation.
IBM X-Force also encouraged these entities to participate in threat-sharing initiatives and partnerships, which are critical for staying up-to-date on the latest threat and attack information.
As global efforts around COVID-19 vaccine development and distribution have increased across the globe, nation-state actors have expanded their hacking efforts to gain access to this valuable information.
In recent weeks, AstraZenca was reportedly targeted by a wave of attacks, while researchers and federal agencies have warned of a spike in ransomware attacks on healthcare entities, nation-state activity against researchers, and a host of other nation-state tactics.
Previous guidance from the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) can further support healthcare organizations with ensuring their tactical crisis response amid the crisis.
