COVID-19 Vaccine Cold Chain Still Targeted by Threat Groups

An up-to-date IBM Security X-Force report reveals that advanced persistent threat groups still target the COVID-19 vaccine cold chain all over the world. X-Force analysts published a December 2020 report warning about cyber criminals’ campaign on the COVID-19 cold chain to get access to vaccine data. There remains a big risk to the supply and storage of the COVID vaccine.

There are currently around 350 logistics partners active in the cold chain to make certain that vaccines are distributed and stored in cold environments. Since the initial published report concerning cold chain phishing attacks, the IBM X-Force researchers have found other 50 email message records associated with spear-phishing campaigns and recorded 44 institutions in 14 countries throughout Africa, Asia, the Americas and Europe.

The targeted organizations offer services such as the transport, warehousing, storage, and delivery of COVID-19 vaccines. The majority of targeted institutions are associated with healthcare, transport, IT and electronic devices including companies in biomedical research, medical manufacturing, and pharmaceutical and hygiene suppliers.

Threat actors, viewed as backed by nation-states, have expanded their campaigns and are employing spear-phishing email for stealing account records of CEOs, global sales representatives, purchasing managers, Human Resource officials, administrators of plant engineering and others to obtain privileged information of national Advance Market Commitment (AMC) talks connected to the buying of vaccines, schedules for delivery, information on the transit of vaccines through countries and territories, World Trade Organization (WTO) trade facilitation agreements, export rules and international property rights, technical vaccine information, and other sensitive facts.

The threat group liable for this threat campaign seems to have a full understanding of the vaccine cold chain. The email communications used in the spear-phishing campaign look like coming from an account manager from Haier Biomedical, a Chinese biomedical company that is the number one cold chain provider worldwide.

The emails request price quotations for service contracts regarding the Cold Chain Equipment Optimization Platform (CCEOP) program and reference products for instance an ice-lined fridge and solar-powered vaccine fridge from Haier Biomedical. The email communications furthermore explore firms linked to petrochemical production and the manufacturing of solar panels that fits in with those merchandises, and the language used in the message indicates the educational background of the sender that is falsified in the signature.

The emails have malicious HTML attachments that are accessed locally, which the user accesses by first providing their login credentials. In the event that credentials are provided, they are obtained and duplicated in the attacker’s command and control server.

The researchers stated that even though prior reporting revealed direct targeting of supranational organizations, the energy and IT sectors in six nations around the world, it is thought that this development is based on the identified attack pattern, and the campaign is still a purposive and calculated threat.

Considering the vaccine nationalism and global competition for vaccine access, attacks that impact the cold chain were inescapable. Though researchers did not associate the campaign with any criminal gang, there is a good chance that this operation is supported by a nation-state.

If the cold chain is disturbed it could bring about slowdowns in moving the vaccines or can impact the circumstances required to securely transfer and store vaccines, which can make the vaccines hazardous or not effective. IBM outlined the Indicators of Compromise in its document 
to help organizations in keeping the COVID-19 cold chain safe against attacks.