A factory worker checks an industrial refrigeration unit at the Angelantoni Life Science (ALS) factory in Massa Martana, Italy. Photograph: Reuters Tv/Reuters

Cyberspies target Covid vaccine 'cold chain' distribution network


Tech firm IBM says it has uncovered global phishing campaign with hallmarks of being state-backed

A global phishing campaign targeting organisations working on the “cold chain” for Covid vaccines has been uncovered by researchers at IBM, who say it bears the marks of a nation-state attack.

From September 2020, organisations across six countries were sent emails purporting to be from Haier Biomedical, a member company of a long-running Unicef programme that aims to strengthen vaccine supply chains.

Those emails contained malicious attachments which, when opened, displayed a request for security credentials under the guise of being encrypted files.

IBM “urges companies in the Covid-19 supply chain – from research of therapies, healthcare delivery to distribution of a vaccine – to be vigilant and remain on high alert during this time,” said Claire Zaboeva, a threat analyst at the company’s X-Force cybersecurity division.

“Governments have already warned that foreign entities are likely to attempt to conduct cyber espionage to steal information about vaccines.”

Based on IBM’s findings, the Cybersecurity and Infrastructure Security Agency (Cisa) of the US Department of Homeland Security issued its own warning, encouraging “all organisations involved in vaccine storage and transport to harden attack surfaces, particularly in cold storage operation, and remain vigilant against all activity in this space,” said Josh Corman, Cisa’s chief strategist for healthcare.

Britain’s National Cyber Security Centre (NCSC) would not comment on the report directly, but said that it was engaged in “ongoing and proactive support” to vaccine “research, manufacturing and supply chains” in the fight against cyber-attacks.

The vaccine “cold chain” is the logistics network that allows for vaccines to be transported from their site of manufacture to primary care clinics around the world at the cold temperatures required for their efficacy.

It is particularly important for Pfizer’s Covid-19 vaccine, which on Wednesday became the first to be approved by the UK. That vaccine needs to be kept at temperatures as low as -80C for long-term storage, though it can spend up to a week at temperatures closer to a conventional fridge.

The phishing attack identified by IBM comes after it emerged that intelligence organisations had begun to notice that hostile-state hackers from countries such as Russia, China, Iran and North Korea have shifted their targeting of coronavirus secrets away from the vaccines themselves and towards trial results and methods of mass production.

A particular focus is how vaccines like the one from Pfizer and BioNTech can be manufactured and distributed, intelligence sources add, with hostile states seeking to steal vaccine secrets so they can potentially copy western processes for themselves.

Britain’s NCSC wants organisations to be vigilant, particularly over the type of “spearphishing” attack cited by IBM, in which employees of a company in the Covid supply chain are targeted with carefully crafted emails from an apparently plausible person, designed to persuade people to click on a malicious link disguised as a news story, a job offer or something similar.

In order to coordinate the huge logistical challenge of producing, shipping and administering the vaccine, Unicef and vaccination partnership Gavi, working through a programme launched in 2015 called the Cold Chain Equipment Optimisation Platform (CCEOP), have been bringing together private and public sector organisations from around the world to accelerate efforts.

It was CCEOP members, including the European commission’s Directorate-General for Taxation and Customs Union, and other global organisations headquartered in South Korea, Taiwan, Italy and elsewhere, who were targeted by the phishing campaign. The phishing emails, purportedly from China’s Haier Biomedical, “were sent to select executives in sales, procurement, information technology and finance positions”, according to Zaboeva.

Attribution of hacking campaigns is notoriously difficult but Zaboeva said a nation state may be behind the attacks. “The precision targeting and nature of the specific targeted organisations potentially point to nation-state activity.”

Information about Covid vaccine projects has come under attack from hackers before. Last month, Reuters reported that suspected North Korean hackers had tried to break into the systems of AstraZeneca, posing as recruiters trying to approach staff with fake job offers before sending them emails with malicious code.

The Pfizer-BioNTech vaccine, set to roll out in the UK from next week, was not a specific target of this incident.

Those affected and authorities have been notified of the operation.
