The emails impersonate a member company of the COVID-19 vaccine supply chain to harvest account credentials, says IBM Security X-Force.
A calculated cybercriminal operation is targeting companies in the coronavirus vaccine supply chain with phishing emails that appear to be designed to steal sensitive user credentials, IBM Security X-Force said in a report released Thursday. The targeted organizations are all associated with a COVID-19 cold chain, a component of the overall supply chain that ensures the safe storage of vaccines in cold environments during storage and transportation.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Spotted this past September, the phishing campaign deploys emails spoofing a business executive from Haier Biomedical, a legitimate member company of the COVID-19 vaccine supply chain and reportedly the world’s only complete cold chain provider.
Aimed at executives at companies in the energy, manufacturing, website creation, and internet security sectors, the emails seem designed to capture the victim’s credentials, possibly to gain network access and sensitive information related to the distribution of the COVID-19 vaccine.
“As we all await vaccines for COVID, it goes without saying that disruption to cold-chain supply operations would be disheartening,” Stephen Banda, senior manager for security solutions at security firm Lookout, told TechRepublic. “Unfortunately, the more expansive the supply chain, the greater the third-party risk to supply-chain operations. Manufacturers rely on a web of external workers, contractors, and service partners to maintain equipment, package products, manage waste, ensure worker safety, and much more.”
The phishing emails contain phony requests for quotations (RFQ) related to the Cold Chain Equipment Optimization Platform (CCEOP) program, an initiative launched in 2015 by Gavi–The Vaccine Alliance and other partners to strengthen vaccine supply chains and ensure a smooth medical response to outbreaks of infectious diseases. The email contains malicious HTML attachments that when opened prompt the user to enter their credentials to view a file.
After obtaining secure account credentials, the attackers could gain access into internal communications. Such communications can include the process and plans to distribute a COVID-19 vaccine, with details on the underlying infrastructure to be used by governments to distribute a vaccine as well as the methods used by vendors to supply it. Moving laterally through an infiltrated network could also give the criminals the ability to conduct cyber espionage and capture further confidential information for future operations.
Though the identify of the people behind this campaign is unknown, typical cybercriminals wouldn’t have the time or resources to pull off such a complex operation. Based on the nature of the attack, X-Force believes the true culprit to be a nation-state. Also unknown is whether the campaign has been successful. However, given the critical role that Haier Biomedical plays in vaccine transportation, the intended victims may be more likely to respond to the phishing emails without scrutinizing their legitimacy.
“Let’s first acknowledge there is no breach here that I can see,” Chris Morales, head of security analytics at security firm Vectra, told TechRepublic. “It is a high alert for a targeted phishing campaign against the COVID vaccine supply chain. As the cure for COVID is essentially the most valuable thing in the world in 2020, and attackers always go for what is of value, this was a sort of an inevitable scenario.”
Referencing X-Force’s report, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued its own advisory alerting organizations involved in Operation Warp Speed (OWS) to review the findings.
To help protect organizations from sophisticated phishing campaigns and other attacks, X-Force offers the following recommendations:
- Create and test incident response plans to strengthen your organization’s preparedness and readiness to respond in the event of an attack.
- Share and ingest threat intelligence. Threat-sharing initiatives and partnerships are essential to staying alert about the latest threats and attack tactics impacting your industry. IBM Security X-Force has been feeding this threat intelligence into the COVID-19 threat sharing enclave. At the onset of the pandemic, IBM made this enclave freely accessible to any organization in need of more eyes on cyber threats.
- Assess your third-party ecosystem and assess potential risks introduced by third-party partners. Confirm that you have robust monitoring, access controls, and security standards in place that third-party partners need to abide by.
- Apply a zero-trust approach to your security strategy. As environments continue to expand, managing privilege access becomes paramount to ensuring that users are only granted access to the data essential to their job.
- Use multifactor authentication (MFA) across your organization. MFA works as a fail-safe if a malicious actor has gained access to your credentials. As a last line of defense, MFA offers a second form of verification requirement to access an account.
- Conduct regular email security educational trainings so employees remain on alert about phishing tactics and are familiar with email security best practices.
- Use endpoint protection and response tools to more readily detect and prevent threats from spreading across the organization.
Lookout’s Banda also provided his own advice aimed at the mobile workforce.
“Cold-chain supply organizations need to adopt a heightened awareness and deeper understanding of phishing attacks,” Banda said. “The first lesson is that phishing is not just happening in email on your laptop or desktop. Attackers know that supply-chain operators depend on smartphones and tablets to monitor supply-chain operations and provide key inputs. They also know that users inherently trust their smartphones and tablets and that the smaller form factor makes it more difficult to spot a phishing attack.”
