Hackers are targeting Covid-19 vaccine distribution chain, IBM warns

Threat actors are sending phishing emails in the name of a senior executive at Haier Biomedical, a legitimate Chinese cold chain provider

An advanced group of hackers has been targeting organisations involved in the distribution of Covid-19 vaccines, IBM security researchers have warned.

In a blog post published on Wednesday, the IBM X-Force IRIS team revealed that this cyber-espionage campaign has been running since September 2020 and spans six regions: Italy, Germany, the Czech Republic, greater Europe, South Korea and Taiwan.

"At the onset of the Covid-19 pandemic, IBM Security X-Force created a threat intelligence task force dedicated to tracking down Covid-19 cyber threats against organisations that are keeping the vaccine supply chain moving," said Claire Zaboeva, Senior Strategic Cyber Threat Analyst at IBM.

"As part of these efforts, our team recently uncovered a global phishing campaign targeting organisations associated with a Covid-19 cold chain."

The "cold chain" is the temperature-controlled part of the supply chain that keeps vaccines at extremely low temperatures while manufacturers transport them to distant locations. For example, Pfizer recommends that its coronavirus vaccine be stored at minus 70 degrees Celsius to remain effective.

According to the researchers, the hackers behind the campaign have been using specially crafted emails carrying malicious code in an effort to harvest credentials and collect confidential information about various aspects of the cold supply chain. They appear to be interested in understanding the infrastructure that governments intend to use to distribute vaccines.

The phishing emails used in the campaign specifically targeted organisations associated with the Cold Chain Equipment Optimisation Platform (CCEOP) of Gavi, the international vaccine alliance. Gavi's partners include the World Bank, UNICEF and the World Health Organisation, which help it distribute vaccines to some of the poorest countries in the world.

The IBM team says the phishing emails were sent in the name of a senior executive at Haier Biomedical, a legitimate Chinese cold chain provider that specialises in vaccine transport and storage.

The identity of the hackers behind the campaign is unclear, although IBM noted that the sophistication of their techniques suggests a nation state could be responsible.

IBM said that it has notified law-enforcement agencies as well as organisations targeted in the campaign.

On Wednesday, the US Cybersecurity and Infrastructure Security Agency (CISA) published an alert advising organisations involved in the storage and transport of vaccines to be watchful for phishing messages and to review the IBM X-Force report for more information, including indicators of compromise.

In May, a joint alert from CISA and Britain's National Cyber Security Centre (NCSC) also urged healthcare organisations to strengthen their cyber security measures to block attempts by threat actors to steal confidential information on Covid-19.

The agencies said they had seen a large number of cyber incidents in the US and UK in which advanced persistent threat (APT) groups actively targeted organisations involved in both national and international responses to the coronavirus pandemic.

The alert warned that hackers were specifically employing "password spraying" tactics: trying a small number of commonly used passwords against many accounts, rather than many passwords against one account, in the hope of gaining access without triggering per-account lockouts.
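Password spraying has a recognisable shape in authentication logs: one source address produces failed logins for many distinct usernames inside a short window, with very few failures per account. The Python below is an added example, not code from the IBM report or the CISA/NCSC alert, that runs that detection logic over constructed sample log lines; the log format, field names and thresholds are assumptions for illustration. It also contrasts a spray with a classic single-account brute force, which per-account lockout already catches and which this rule deliberately does not flag.

```python
"""Detect password-spraying patterns in authentication logs (added example).

A password spray tries a few common passwords against many accounts, so the
signature is: one source, many *distinct* users failing, few failures per user
(which is what keeps it under per-account lockout thresholds). Log format and
thresholds are assumptions for illustration, not from any vendor or agency.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; the format is an assumption).
# 203.0.113.7 sprays ten accounts once each and then logs in as "judy".
# 198.51.100.9 hammers one account ten times: brute force, not a spray.
SAMPLE_LOG = """\
2020-05-04T09:00:01Z auth: FAILED user=alice src=203.0.113.7
2020-05-04T09:00:03Z auth: FAILED user=bob src=203.0.113.7
2020-05-04T09:00:04Z auth: FAILED user=carol src=203.0.113.7
2020-05-04T09:00:06Z auth: FAILED user=dave src=203.0.113.7
2020-05-04T09:00:07Z auth: FAILED user=erin src=203.0.113.7
2020-05-04T09:00:09Z auth: FAILED user=frank src=203.0.113.7
2020-05-04T09:00:10Z auth: FAILED user=grace src=203.0.113.7
2020-05-04T09:00:12Z auth: FAILED user=heidi src=203.0.113.7
2020-05-04T09:00:13Z auth: FAILED user=ivan src=203.0.113.7
2020-05-04T09:00:15Z auth: FAILED user=judy src=203.0.113.7
2020-05-04T09:00:16Z auth: SUCCESS user=judy src=203.0.113.7
2020-05-04T09:01:00Z auth: FAILED user=mallory src=198.51.100.9
2020-05-04T09:01:05Z auth: FAILED user=mallory src=198.51.100.9
2020-05-04T09:01:09Z auth: FAILED user=mallory src=198.51.100.9
2020-05-04T09:01:12Z auth: FAILED user=mallory src=198.51.100.9
2020-05-04T09:01:15Z auth: FAILED user=mallory src=198.51.100.9
2020-05-04T09:01:18Z auth: FAILED user=mallory src=198.51.100.9
2020-05-04T09:01:21Z auth: FAILED user=mallory src=198.51.100.9
2020-05-04T09:01:24Z auth: FAILED user=mallory src=198.51.100.9
2020-05-04T09:01:27Z auth: FAILED user=mallory src=198.51.100.9
2020-05-04T09:01:30Z auth: FAILED user=mallory src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    result: str
    user: str
    src: str


def parse_log(text):
    """Parse the assumed log format into Event records, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["result"], m["user"], m["src"]))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=8, max_per_user=2):
    """Return {src: {"users": [...], "compromised": [...]}} for each source whose
    failures in some `window` touch >= min_users distinct accounts with at most
    max_per_user failures each. "compromised" lists sprayed accounts that the
    same source then logged into successfully inside the window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e.result == "FAILED"]
        for i, start in enumerate(failures):       # slide the window over failures
            per_user = defaultdict(int)
            for e in failures[i:]:
                if e.ts - start.ts > window:
                    break
                per_user[e.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                end = start.ts + window
                compromised = sorted({
                    e.user for e in evs
                    if e.result == "SUCCESS" and start.ts <= e.ts <= end and e.user in per_user
                })
                alerts[src] = {"users": sorted(per_user), "compromised": compromised}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {src}: {len(info['users'])} accounts, "
              f"successful logins after spray: {info['compromised'] or 'none'}")
```

The brute-force source is left to ordinary per-account lockout; the rule keys on account breadth per source precisely because that is what a spray needs and a lockout counter never sees. A source that later authenticates successfully to one of the sprayed accounts is the case worth paging on.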

In another alert, issued in July, the NCSC revealed that the Russia-backed advanced persistent threat group APT29 was targeting British labs in an effort to "steal valuable intellectual property" on Covid-19 vaccines.