A sophisticated, global phishing campaign has been targeting the credentials of organizations associated with the COVID-19 “cold-chain” – companies that ensure the safe preservation of vaccines by making sure they are stored and transported in temperature-controlled environments.
The phishing campaign started in September 2020 and has spanned across fix countries. The attack targeted organizations associated with a public–private global health partnership, called Gavi, the Vaccine Alliance, which is aiming to leverage such cold-chain companies in order to safely transport the COVID-19 vaccine to underdeveloped regions.
Both researchers with IBM Security X-Force, and the Cybersecurity Infrastructure Security Agency (CISA), warned of the attack in joint posts, Thursday. They said they believe the purpose of the campaign is to harvest email or network credentials, in order to gain future unauthorized access across targeted organizations.
“It’s unclear from our analysis if the COVID-19 phishing campaign was successful,” said Claire Zaboeva and Melissa Frydrych, with IBM X-Force. “However, the established role that Haier Biomedical currently plays in vaccine transport, and their likely role in COVID-19 vaccine distribution, increases the probability the intended targets may engage with the inbound emails without questioning the sender’s authenticity.”
Researchers said, though strong attribution could not be established for the campaign, the precision targeting of key global organizations point to potential nation-state activity.
“Gavi has strong policies and processes in place to prevent such phishing attacks and hacking attempts,” a Gavi, the Vaccine Alliance spokesperson told Threatpost. “We are working closely with our partners on security awareness to continue to strengthen these best practices.”
The Attack
Researchers said that attackers targeted multiple industries, governments and global partners that support a program launched by Gavi, The Vaccine Alliance in 2015. The program, called the Cold Chain Equipment Optimization Platform (CCEOP), aims to strengthen vaccine supply chains, improve worldwide immunization equity and bolster medical response to disease outbreaks. With the ongoing pandemic, in particular, the program is accelerating its efforts to facilitate the distribution of the COVID-19 vaccine.
“A breach within any part of this global alliance could result in the exposure of numerous partner computing environments worldwide,” researchers warned.
The attackers sent phishing emails that purported to come from a business executive from Haier Biomedical. The email sender uses a spoofed domain, haierbiomedical[.]com – while Haier Biomedical’s legitimate domain is www.haiermedical.com.
Haier is a Chinese company that’s currently a qualified supplier for the CCEOP program, signaling that attackers have done their homework and are sending highly targeted emails. The email’s subject posed as requests for quotations (RFQ) related to the CCEOP program, with the subject of the email is “RFQ – UNICEF CCEOP and Vaccine Project.”
The email contained malicious HTML attachments, which once opened, prompted recipients to enter their credentials to view the file.
“This phishing technique helps attackers avoid setting up phishing pages online that can be discovered and taken down by security research teams and law enforcement,” said researchers.
Should cybercriminals manage to steal these credentials, it would have dangerous implications. The bad actors could use the credentials to gain insight into internal communications, as well as the background processes, methods and plans for COVID-19 vaccine distribution – including sensitive government information about the infrastructure used to distribute the vaccine. Attackers could also utilize the credentials to extend deeper into victim environments, researchers warned – allowing them to conduct further espionage.
Specifically targeted was the European Commission’s Directorate-General for Taxation and Customs Union, responsible for promoting cooperation on tax matters across the EU; several energy sector companies responsible for manufacturing solar panels; and IT companies, such as a South Korean software development firm and a German website development company (the latter supports clients associated with pharmaceutical manufacturers).
COVID-19 Vaccine Espionage
As companies – such as Moderna and Pfizer – continue to make progress in developing a coronavirus vaccine, cybercriminal attacks are becoming a greater concern.
Researchers with Kaspersky on Wednesday warned that in 2021, advanced persistent threat (APT) threat actors will ramp up efforts to target any pharma company that makes a significant breakthrough on coronavirus vaccines or therapeutics.
Earlier this year, the World Health Organization was targeted by the DarkHotel APT group, which looked to infiltrate its networks to steal information. And in October, COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories (the contractor for Russia’s “Sputinik V” COVID-19 vaccine) shut down its plants in Brazil, India, Russia, the U.K. and the U.S. following a cyberattack. Meanwhile, the Justice Department recently accused Chinese government-linked hackers of spying on Moderna, the Massachusetts biotech company.
In November, researchers warned that three nation-state cyberattack groups (Russia’s APT28 Fancy Bear, the Lazarus Group from North Korea and another North Korea-linked group dubbed Cerium) are actively attempting to hack companies involved in COVID-19 vaccine and treatment research.
“IBM Security X-Force urges companies in the COVID-19 supply chain — from research of therapies, healthcare delivery to distribution of a vaccine — to be vigilant and remain on high alert during this time,” said researchers. “Governments have already warned that foreign entities are likely to attempt to conduct cyber espionage to steal information about vaccines.”
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and other security experts, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.