Hackers are now targeting the companies overseeing the COVID-19 vaccine “cold chain” supply process as part of a sophisticated campaign likely linked to a nation-state, tech giant IBM has warned.
Just a week after it was revealed North Korea-linked hackers had posed as recruiters on LinkedIn to target the developers of a COVID-19 vaccine, IBM has said it’s discovered hackers are now targeting the companies involved with the vaccine supply chain.
In a blog post, IBM senior strategic cyber threat analyst Claire Zaboeva said its threat intelligence taskforce, IBM Security X-Force, had uncovered a “global phishing campaign” focused on businesses helping with the COVID-19 vaccine “cold chain”, the technologies needed to keep the doses at a cold enough temperature so it doesn’t spoil.
The campaign, which started in September, targeted organisations associated with the Vaccine Alliance’s Cold Chain Equipment Optimisation Platform program, by impersonating business executives from the world’s only complete cold chain provider, Haier Biomedical.
Impersonating an employee, the hackers sent phishing emails to a range of organisations assisting with this cold chain, in an apparent attempt to harvest credentials and gain access to their networks.
Organisations targeted included those operating in the energy, manufacturing, website creation and software and internet security solutions sector, and based in Germany, Italy, South Korea, the Czech Republic, greater Europe and Taiwan.
The hackers sent spear-phishing emails to senior executives at these companies, but IBM said it is unclear whether they were successful or not.
“However, the established role that Haier Biomedical currently plays in vaccine transport, and their likely role in COVID-19 vaccine distribution, increases the probability the intended targets may engage with the inbound emails without questioning the sender’s authenticity,” Zaboeva said.
The emails requested quotations for various cold chain program equipment, and contained malicious HTML attachments that opened locally, and then asked the recipient to enter their credentials.
This meant the hackers didn’t have to set up websites, making it more difficult for them to be tracked.
These credentials could give the hackers access to the company networks, allowing them to move “laterally through networks and remaining there in stealth”, which would allow them to “conduct cyber espionage and collect additional confidential information from the victim environments for future operations”.
The hackers had researched the make, model and pricing of various refrigeration units Zaboeva said.
“Whoever put together this campaign was intimately aware of whatever products were involved in the supply chain to deliver a vaccine for a global pandemic,” Zaboeva said.
This “precision targeting” and the nature of the targets mean it is likely that a nation-state was involved, IBM said.
“While firm attribution could not be established for this campaign, the precision targeting of executives and key global organisations hold the potential hallmarks of nation-state tradecraft,” the company said.
Malicious cyber actors have been targeting companies involved with the COVID-19 response for several months.
Last month it was revealed by Reuters that North Korea-linked hackers had posed as recruiters on LinkedIn and WhatsApp to attempt to infiltrate the networks of AstraZeneca, a firm developing a COVID-19 vaccine.
The hackers unsuccessfully approached a “broad set of people” with fake job offers, sending emails with malicious software to AstraZeneca employees.