Following our recent post around "Hacking the vaccine: Protecting public health from cyber attacks", and the announcement that the UK has been the first country to approve the COVID-19 vaccine, IBM have uncovered a global phishing campaign aimed at the cold supply chain for the delivery of the vaccine. Attribution is currently unknown but the precision targeting characteristics point to nation-state activity.
The analysis indicates that the operation started in September 2020, as forewarned by PwC in their report. The threat actors were able to span six countries, targeting organisations most likely associated with Gavi, The Vaccine Alliance's Cold Chain Equipment Optimisation Platform (CCEOP) programme. The threat actors infiltrated the supply chain by posing as a business executive from Haier Biomedical, a "credible and legitimate member company of the COVID-19 vaccine supply chain", and purportedly the world's only complete cold chain provider. The level of specificity in this attack, and their knowledge of the supply chain (including the unique key players), exemplifies the uptick in big game hunting and the increasingly strategic, well researched and targeted nature of campaigns.
Disguised as the Haier Biomedical executive, the threat actors were able to send spear fishing emails to key players at multiple transportation nodes in the chain, with a view to harvesting credentials and gaining unauthorised access to these networks and the sensitive information contained therein. Although not yet confirmed, the value of biomedical information and intellectual property of this kind, particularly relating to COVID-19, increases the risk of a malicious attack and, should such be successful, the likely price of any ransom demanded by future threat actors.
At the present time, IBM's research is unclear on the success of the attack but given the unprecedented speed at which the vaccine is being produced and transported globally through the supply chain, there is an increased probability "the intended targets may engage with the inbound emails without questioning the sender's authenticity"; particularly the unique role of Haier Biomedical within the particular cold chain required for transportation of the COVID-19 vaccine.
It is highly likely that the adversary strategically chose to impersonate Haier Biomedical because it is purported to be the world’s only complete cold chain provider. Likewise, the Haier Biomedical employee who is purported to be sending these emails would likely be associated with Haier Biomedical’s cold chain distribution operations based on his role, which is listed in the email signature block.