Phishing Campaign Targets COVID-19 'Cold Chain'CISA Calls Attention to New IBM Report on Supply Chain Risks
The Cybersecurity Infrastructure and Security Agency, citing a new report by IBM, is warning organizations involved in COVID-19 vaccine production and distribution of a global phishing campaign targeting the cold storage and transport supply chain. Many vaccines in development must be kept at low temperatures before being administered.
In a Thursday alert, CISA points to a new IBM Security X-Force report describing the COVID-19 "cold chain" phishing campaign that aims to harvest account credentials.
IBM says the campaign, which started in September, spans six countries and targets organizations and agencies that support the Cold Chain Equipment Optimization Platform program. That program was launched in 2015 by the United Nations Children's Fund and other partners to distribute vaccines.
"A breach within any part of this global alliance could result in the exposure of numerous partner computing environments worldwide," the IBM report notes.
The campaign's phishing emails are designed to appear as though they come from an executive at Haier Biomedical, a Chinese company acting as a qualified supplier for the Cold Chain Equipment Optimization Platform program, IBM notes.
"It is highly likely that the adversary strategically chose to impersonate Haier Biomedical because it is purported to be the world's only complete cold chain provider," IBM says.
"It's unclear from our analysis if the COVID-19 phishing campaign was successful. However, the established role that Haier Biomedical currently plays in vaccine transport, and their likely role in COVID-19 vaccine distribution, increases the probability the intended targets may engage with the inbound emails without questioning the sender's authenticity," IBM writes.
The phishing emails feature a request for price quotations for service contracts related to the CCEOP program, IBM writes.
"The emails contain malicious HTML attachments that open locally, prompting recipients to enter their credentials to view the file. This phishing technique helps attackers avoid setting up phishing pages online that can be discovered and taken down by security research teams and law enforcement," according to the IBM report.
IBM says the phishing campaign is designed to harvest credentials that could be used to gain unauthorized access to systems. "From there, the adversary could gain insight into internal communications, as well as the process, methods and plans to distribute a COVID-19 vaccine," IBM writes.
"Moving laterally through networks and remaining there in stealth would allow them to conduct cyber espionage and collect additional confidential information from the victim environments for future operations."
The IBM report and CISA warning come on the heels of a cyberattack reported in November by Atlanta-based cold storage company Americold Realty Trust, which reportedly had been negotiating with Chicago Rockford International Airport to help in the cold storage distribution of COVID-19 vaccines (see: Cold Storage Firm Reports Cybersecurity Incident).
"Anything related to COVID-19, be it vaccine research or elements of the supply chain, is likely to be extremely valuable and a potential target for both state and nonstate actors."
—Brett Callow, Emsisoft
Melissa Frydrych, threat hunt researcher at IBM Security X-Force, says the phishing campaign IBM uncovered apparently preceded the Americold attack. "We don't have any evidence based on our research to suggest the two were associated," she says.
IBM discovered about 10 versions of phishing emails involved in the campaign, she says. "However, we found more than double the number of unique HTML files, possibly indicating that there are that many more undiscovered phishes."
Approximately 10 organizations spanning six countries were targeted in the campaign, along with some supranational entities, including the European Commission's Taxation and Customs Union, she notes.
"This is a wake-up call for everyone in the supply chain," Frydrych says.
The Health Information Sharing and Analysis Center is working with partners in the federal government, including CISA, on mitigating COVID-19 supply chain threats, says Errol Weiss, Health-ISAC's CSO.
"CISA helped Health-ISAC obtain a pre-public release of the IBM X-Force advisory, which was then shared privately with our Health-ISAC membership last week," he notes. "The early look at the alert gave our members a chance to review logs for any prior attack activity and also update their defenses based on the indicators of compromise that were shared."
IBM's report outlines several actions organizations can take to mitigate phishing risks, including:
- Create and test incident response plans;
- Share and ingest threat intelligence;
- Implement a "zero trust" security strategy;
- Use multifactor authentication across the enterprise;
- Use endpoint protection and response tools.
The Healthcare and Public Health Sector Coordinating Council recently issued a supply chain security guidance document, an intellectual property protection guide and recommendations for tactical crisis response and continuity to help organizations such as those involved in COVID-19 vaccines and response (see: Healthcare Supply Chain Security: Updated Guidance).
"We are in regular coordination with HHS, CISA and the Operation Warp Speed [vaccine development] team about ongoing threats to vaccine development and its supply chain," notes Greg Garcia, the council's executive director for cybersecurity. "We are working to identify those critical functions in the healthcare value chain - including those that fall outside the immediate healthcare sector - for which we need to enhance security coordination."
Threats to Grow
In the meantime, the cyberthreats facing COVID-19 vaccine makers and the supply chain will continue to grow, predicts Brett Callow, a threat analyst with the security firm Emsisoft.
"Anything related to COVID-19, be it vaccine research or elements of the supply chain, is likely to be extremely valuable and a potential target for both state and nonstate actors," he says.
"Stolen information could provide a country with a head start in reopening its economy. Hobbling cold storage facilities at a time when those facilities are most needed could enable cybercriminals to extract an enormous ransom - especially as any delay in distribution could result in a loss of life," he notes.
"The vaccine supply chain, including the cold chain, is obviously critical to the distribution process and it's absolutely critical that it be secured. That it will come under further attack seems inevitable."