2020 has demonstrated several times over that no target is beneath the world’s cyber criminals; this time it’s a coordinated phishing attack on the global vaccine supply chain. The IBM Security X Force uncovered the campaign, which has thus far targeted a number of different organizations in different countries throughout Europe and Asia.
The attackers appear to be posing as a Chinese executive representing a legitimate cold-chain supply company, and the attack looks to collect organizational login credentials.
Phishing attacks on charitable vaccine effort
The phishing attacks seem to be specifically targeting the cold-chain logistics industry, which specializes in shipping large volumes of items that require constant refrigeration. The two leading coronavirus vaccine candidates at present both need to be refrigerated at all times as they are being distributed; Moderna’s vaccine needs to be kept between 36 and 46 degrees Fahrenheit while Pfizer’s vaccine must be kept well below freezing at -94 degrees.
Distributing hundreds of millions of doses of vaccine at these temperatures will be no small logistical feat, and the pharmaceutical and medical industries are currently scrambling to come up with viable solutions. This has created an opening for attackers as numerous unfamiliar parties coordinate efforts for the first time. IBM believes the attackers are either trying to sabotage the distribution or to simply steal the technology used in the storage and transportation of the vaccines.
The phishing attack on the vaccine supply chain bears some similarity to a campaign against German protective medical equipment suppliers that IBM uncovered in early June. That attack focused on compromising high-ranking management and procurement officials in the supply chain between Germany and manufacturers in China.
The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) amplified the IBM findings by issuing a warning late last week, adding that the phishing attack emails are in the form of requests for quotations for participation in a vaccine program. The phishing emails received thus far have come from someone impersonating an executive from China’s Haier Biomedical, and have an attached document that installs malware when opened.
Some of the emails have posed as a request on behalf of Gavi, The Vaccine Alliance. This non-profit initiative is backed by the World Health Organization, World Bank, UNICEF and Bill & Melinda Gates Foundation and is expected to play a key role in distributing the vaccine in developing countries around the world.
Based on the sophistication of the phishing attacks, the IBM researchers believe that the attempts on the vaccine supply chain are coming from some sort of government-backed group rather than a profit-driven criminal organization. However, they do not yet have enough evidence to name a suspect. The process of elimination would seem to indicate Russia and North Korea as focal points, however, since it is very unlikely that a state-backed Chinese hacking team would impersonate an executive at a Chinese company.
Though the motives are also still unclear, the worst-case scenario would be that the attackers are trying to establish a footing among the companies in the vaccine supply chain to gain future unauthorized access. They would then look to execute ransomware on these systems at a time that disrupts vaccine distribution, perhaps looking to collect a large payment in return.
Level of risk to the vaccine supply chain?
The targets in Asia included companies in South Korea and Taiwan. European organizations in Germany, Italy, the Czech Republic and Belgium were also targeted, including the European Commission’s Directorate General for Taxation and Customs Union. Companies around the world that play a role in the vaccine supply chain should be prepared for future phishing attacks, however. Component manufacturers seem to be among the biggest of the targets thus far: for example, manufacturers and distributors of ice-lined boxes and solar panels used to power refrigeration systems in trucks.
IBM is not sure at this time if any of the phishing attacks worked. Stephen Banda, Senior Manager of Security Solutions at Lookout, believes that not only will the attacks continue but that the scope will also grow: “Cold-chain supply organizations need to adopt a heightened awareness and deeper understanding of phishing attacks. The first lesson is that phishing is not just happening in email on your laptop or desktop. Smartphones and tablets are the new battleground as mobile phishing attacks leverage multiple channels including SMS, social messaging, apps, and of course email. Attackers know that supply-chain operators depend on smartphones and tablets to monitor supply-chain operations and provide key inputs. They also know that users inherently trust their smartphones and tablets and that the smaller form factor makes it more difficult to spot a phishing attack.”
In terms of defense measures, Tom Patterson (Chief Trust Officer of Unisys) believes that it is imperative that all vaccine supply chain companies move swiftly due to the incredibly high value of the COVID-19 vaccine: “Refrigerator companies, drug stores, trucking companies, and hospitals need to now be at the same level of cyber defense as the Pentagon … Defensive action needs to be taken now. The velocity and voracity of these healthcare-related attacks are increasing.” Mathew Newfield, CISO of Unisys, follows that with some practical advice regarding the expected types of phishing attacks: “The potential success of these spear-phishing attacks should be alarming given the results of the 2020 Unisys Security Index showing that only 1 out of 3 Americans are concerned about cybersecurity. Organizations of all sizes need to ensure they are properly training their staff (at all levels) on how to spot a potential phishing, vishing or smishing attack and what to do if they come across one. Attackers are not just targeting corporate email addresses, but also personal email addresses, so organizations need to ensure they have policies in place to warn employees not to re-use corporate passwords in their personal lives. Attackers know that if they get access to someone’s personal email, there is a high likelihood they can use the information to get into their corporate accounts as well.”
In addition to those measures, CISA added some of its own recommendations for targeted organizations in the vaccine supply chain: creating and testing incident response plans, forging threat-sharing initiatives and partnerships with other companies in the vaccine supply chain, reviewing the third-party ecosystem, applying a zero-trust security strategy across the network, mandating that employees use multi-factor authentication (MFA) to access the company network and implementing endpoint protection and response tools.