Cybersecurity analysts at IBM are urging cold-chain companies to be "on high alert" after discovering a spear-phishing scheme that targets global COVID-19 vaccine supply chains.
IBM Security X-Force created a threat intelligence task force dedicated to tracking down COVID-19 cyber-threats back when the current coronavirus outbreak exploded into a full-blown pandemic.
Today the team announced that they had detected a global phishing campaign targeting organizations associated with the task of keeping coronavirus vaccines safely preserved at the correct temperature during storage and transportation.
The malicious campaign was launched in September 2020, striking at organizations in six different countries. Targeted organizations are likely associated with Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program.
While IBM's team was unable to definitively say who was behind the campaign, researchers noted the absence of an obvious cash-out from the scheme and said the precision targeting of executives and key global organizations "hold the potential hallmarks of nation-state tradecraft."
Threat actors impersonated a business executive from the Chinese company Haier Biomedical, which is purportedly the only complete cold-chain provider in the world. Haier, based in Qingdao, is a qualified supplier for the CCEOP program and a member company of the COVID-19 vaccine supply chain.
"Disguised as this employee, the adversary sent phishing emails to organizations believed to be providers of material support to meet transportation needs within the COVID-19 cold chain," wrote researchers.
"We assess that the purpose of this COVID-19 phishing campaign may have been to harvest credentials, possibly to gain future unauthorized access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution."
The campaign struck at global organizations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe, and Taiwan. Targets included the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation, and software and internet security solutions sectors.
Spear-phishing emails were sent to hand-picked executives in sales, procurement, information technology, and finance positions, using subject lines about requests for quotation (RFQ) related to the CCEOP program.
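The campaign pattern described above, a trusted supplier's name in the display name, a sending domain that is not the supplier's, and a procurement lure in the subject, lends itself to simple mail-gateway triage. The script below is an added example written for this article, not code from IBM X-Force or any of the organizations named; the supplier allowlist, the `.example` domains, the scoring weights and the sample headers are all constructed placeholders.

```python
"""Heuristic triage for supplier-impersonation phishing (defender-side example).

Assumptions (not from the article): supplier names, domains, scoring weights
and all sample messages below are constructed placeholders.
"""
import re
from email.utils import parseaddr

# Constructed allowlist: supplier display name -> domains it legitimately sends from.
# The .example TLD is reserved for documentation; no real domains are implied.
TRUSTED_SUPPLIERS = {
    "haier biomedical": {"haier-biomedical.example"},
    "cold chain logistics": {"ccl.example"},
}

# Procurement-themed subject lures: RFQ / quotation requests.
RFQ_PATTERN = re.compile(r"\b(rfq|request for quotation|quotation|quote)\b", re.I)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address header ('' if absent)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def assess_message(headers: dict) -> dict:
    """Score one inbound message for supplier-impersonation indicators.

    headers: dict with 'From', 'Subject' and optionally 'Reply-To'.
    Returns {'score': int, 'reasons': [...]}; score >= 3 is worth analyst review.
    """
    display_name, _ = parseaddr(headers.get("From", ""))
    from_domain = _domain(headers.get("From", ""))
    reply_domain = _domain(headers.get("Reply-To", ""))
    subject = headers.get("Subject", "")
    score, reasons = 0, []

    # 1. Display name claims a trusted supplier, but the sending domain is not theirs.
    name_lc = display_name.lower()
    for supplier, domains in TRUSTED_SUPPLIERS.items():
        if supplier in name_lc and from_domain not in domains:
            score += 3
            reasons.append(f"display name claims '{supplier}' but sender domain is '{from_domain}'")

    # 2. Reply-To points at a different domain than From (replies diverted elsewhere).
    if reply_domain and reply_domain != from_domain:
        score += 1
        reasons.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. Procurement lure in the subject line.
    if RFQ_PATTERN.search(subject):
        score += 1
        reasons.append("subject uses an RFQ/quotation lure")

    return {"score": score, "reasons": reasons}


def triage(messages):
    """Return (subject, assessment) pairs for messages that meet the review threshold."""
    flagged = []
    for m in messages:
        result = assess_message(m)
        if result["score"] >= 3:
            flagged.append((m["Subject"], result))
    return flagged


# Constructed sample messages (not real headers from the campaign).
SAMPLE_MESSAGES = [
    {"From": '"Haier Biomedical - Sales" <sales@haier-biomedical.example>',
     "Subject": "RFQ for CCEOP cold chain equipment"},            # legitimate supplier, RFQ lure only
    {"From": '"Haier Biomedical" <procurement@mail-quote.example>',
     "Reply-To": "procurement.desk@freemail.example",
     "Subject": "Request for Quotation - cold chain equipment"},  # impersonation pattern
    {"From": '"IT Helpdesk" <helpdesk@corp.example>',
     "Subject": "Monthly maintenance window"},                    # unrelated internal mail
]

if __name__ == "__main__":
    for subject, result in triage(SAMPLE_MESSAGES):
        print(f"[score {result['score']}] {subject}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The display-name check is the signal that matters most here, which is why it carries the highest weight; a genuine RFQ from the allowlisted domain scores only on the subject lure and stays below the threshold. In production this sits alongside SPF/DKIM/DMARC evaluation rather than replacing it, and the allowlist has to be maintained from a verified supplier directory, not from names seen in inbound mail.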
Commenting on who might be responsible for the campaign, Sam Curry, chief security officer at Cybereason, told Infosecurity Magazine: “The list of candidates goes beyond the usual suspects, and the truly suspect actors are those who don’t care about the long-term relationships with the US and the civilized world.
“Word to the wise: denying anyone access to the vaccine will be remembered.”