The Cybersecurity Infrastructure and Security Agency has issued a warning about a global spear phishing campaign targeting organizations in the cold storage and supply chain that are involved with the distribution of COVID-19 vaccines.
Two of the first vaccines to be produced must be kept and low temperatures during storage and transit prior to being administered. The Pfizer/BioNTech vaccine must be kept at -94°F (-70°C) and the Moderna vaccine at -4°F (-20°C), so cold chain organizations are a key element of the supply chain.
At the start of the pandemic, IBM X-Force established a cyber threat task force to track threats targeting organizations involved in the fight against COVID-19. The task force recently published a report about an ongoing spear phishing campaign that started in September 2020 which is targeting organizations supporting the Cold Chain Equipment Optimization Platform program. The program was launched in 2015 by the United Nations Children’s Fund and partner organizations to distribute vaccines worldwide.
Phishing emails have been sent to executives in sales, procurement, information technology, and finance who are likely to be involved in efforts to support the vaccine cold chain. Targeted organizations are believed to be providers of material support to meet the transportation needs within the COVID-19 cold chain.
The phishing emails appear to have been sent by an executive at Haier Biomedical, a Chinese qualified supplier of the Cold Chain Equipment Optimization Platform program. Haier Biomedical is the only complete cold chain provider in the world, so it is an ideal target for impersonation in the campaign.
The emails intercepted by IBM X-Force researchers had malicious HTML attachments that open locally and prompt the recipients to enter their credentials in order to open the file. The captured credentials can then be used to intercept internal communications about the process, methods, and plans to distribute COVID-19 vaccines. Once credentials are obtained, the attackers can move laterally through networks, conduct cyber espionage, and steal additional information for use in further attacks.
IBM reports that the phishing campaign spans 6 countries and, so far, 10 global organizations are known to have been targeted, as well as the European Commission’s Directorate-General for Taxation and Customs Union. Targeted organizations span several industry sectors including energy, manufacturing, software, and information technology. The researchers were unable to confirm the extent to which the campaign has been successful.
Based on the precision targeting of executives in specific global organizations involved in vaccine storage and transport and the lack of a clear path to cash out, the campaign is likely being conducted by a nation state threat actor. IBM X-Force suggests that cybercriminal organizations would be unlikely to invest the time, money, and resources into such a campaign targeting so many global organizations.
IBM X-Force recommends organizations involved in the cold storage and transport chain should take steps to mitigate the risks from phishing including creating and testing incident response plans, sharing and ingesting threat intelligence, assessing their third-party ecosystems, applying a zero-trust approach to security, using multi-factor authentication across the organization, using endpoint protection and response tools, and conducting regular email security awareness training.
In addition to the threat from phishing, organizations involved in the cold storage chain should take steps to protect against ransomware attacks as they will be a likely target over the coming weeks and months. In November, the U.S. based cold storage company Americold Realty Trust was the victim of a cyberattack suspected to have involved the use of ransomware. The company was reportedly negotiating with Chicago Rockford international Airport to assist with the distribution of COVID-19 vaccines.