Cyber criminals target COVID-19 vaccine supply chains

Cyber criminals are targeting companies and government organisations distributing COVID-19 vaccines.

This is according to IBM Security X-Force, which created a threat intelligence task force dedicated to tracking down COVID-19 cyber threats against organisations that are keeping the vaccine supply chain moving.

“As part of these efforts, our team recently uncovered a global phishing campaign targeting organisations associated with a COVID-19 cold chain,” says IBM.

It explains the cold chain is a component of the vaccine supply chain that ensures the safe preservation of vaccines in temperature-controlled environments during their storage and transportation.

“Our analysis indicates this calculated operation started in September 2020. The COVID-19 phishing campaign spanned across six countries and targeted organisations likely associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimisation Platform programme,” IBM notes.

“While firm attribution could not be established for this campaign, the precision targeting of executives and key global organisations holds the potential hallmarks of nation-state tradecraft.”

The US government has also issued a statement saying that by impersonating a biomedical company, cyber actors are sending phishing and spear-phishing e-mails to executives and global organisations involved in vaccine storage and transport to harvest account credentials.

The e-mails pose as requests for quotations for participation in a vaccine programme, it notes.

“We assess that the purpose of this COVID-19 phishing campaign may have been to harvest credentials, possibly to gain future unauthorised access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution,” IBM says.

It points out that the targets included the European Commission’s directorate-general for Taxation and Customs Union, as well as organisations within the energy, manufacturing, Web site creation and software and Internet security solutions sectors. These are global organisations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan.

IBM adds that spear-phishing e-mails were sent to select executives in sales, procurement, information technology and finance positions, likely involved in company efforts to support a vaccine cold chain.

“We also identified instances where this activity extended organisation-wide to include help and support pages of targeted organisations.”

IBM Security X-Force urges companies in the COVID-19 supply chain – from research of therapies and healthcare delivery, to distribution of a vaccine – to be vigilant and remain on high alert during this time.

However, there is no indication so far that the attackers were aiming at Pfizer or Moderna, whose vaccines are expected soon.

“While pharma companies, health systems and government organisations focus on a vaccine, bad actors are attempting to exploit any weaknesses in a strained system, potentially for monetary gains,” comments Vince Padua, CITO at IT firm Axway.

“IBM researchers have already discovered that unknown attackers are targeting network credentials of officials involved with vaccine refrigeration processes (cold chain) and will continue to target the healthcare and public health sectors that have their guard down while they focus on getting vaccines distributed quickly.

“Cyber security teams need to focus on authorisation and authentication on the front-end and recognise that all applications are built on APIs [application programming interfaces]. These APIs should be protected by the latest security protocols and standards. If an API is implemented as an afterthought, it can become an exposure.”

Padua adds that fighting cyber threats requires a multi-vector strategy that includes API utilisation and protection.

“An ‘API-first’ approach to protection starts with developing consistent and reusable APIs that shield the valuable systems behind them, and provide more flexibility to adjust for the ‘warp speed’ needed.”
