Researchers at IBM’s X-Force have identified a phishing campaign targeting the COVID-19 vaccine “cold chain” (the part of the supply chain focused on “the safe preservation of vaccines in temperature-controlled environments during their storage and transportation”).
The phishing emails appeared to be requests for quotations (RFQs) related to the cold chain, and contained malicious HTML attachments that would open credential-harvesting phishing pages.
“Our analysis indicates that this calculated operation started in September 2020,” the researchers write. “The COVID-19 phishing campaign spanned across six countries and targeted organizations likely associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program, which we explain further in this blog. While firm attribution could not be established for this campaign, the precision targeting of executives and key global organizations hold the potential hallmarks of nation-state tradecraft.”
The operation appears to have been highly targeted, since the attackers knew exactly who to impersonate.
“The spoofed phishing emails appear to originate from a business executive from Haier Biomedical, a Chinese company currently acting as a qualified supplier for the CCEOP program, in coordination with the World Health Organization (WHO), UNICEF and other U.N. agencies,” X-Force says.
“It is highly likely that the adversary strategically chose to impersonate Haier Biomedical because it is purported to be the world’s only complete cold chain provider. Likewise, the Haier Biomedical employee who is purported to be sending these emails would likely be associated with Haier Biomedical’s cold chain distribution operations based on his role, which is listed in the email signature block..”
The researchers conclude that the immediate goal of the campaign was likely espionage related to the vaccine, but the access gained could also be intended for use in future campaigns.
“We assess that the purpose of this campaign may have been to harvest credentials to gain future unauthorized access,” they write. “From there, the adversary could gain insight into internal communications, as well as the process, methods and plans to distribute a COVID-19 vaccine.
This includes information regarding infrastructure that governments intend to use to distribute a vaccine to the vendors that will be supplying it. However, beyond critical information pertaining to the COVID-19 vaccine, the adversary’s access could extend deeper into victim environments.
Moving laterally through networks and remaining there in stealth would allow them to conduct cyber espionage and collect additional confidential information from the victim environments for future operations.”
New-school security awareness training can help your employees thwart both sophisticated and amateur social engineering attempts. IBM SecurityIntelligence has the story: