A "global phishing campaign" is underway, targeting companies involved with the refrigerated supply chain infrastructure needed for COVID-19 vaccine distribution, a new report from IBM X-Force shows.

The report, which has been amplified by the federal Cybersecurity and Infrastructure Security Agency (whose director was ousted by President Trump just weeks ago), says unknown bad cyber actors are launching phishing and spear phishing emails to company executives and other organizations involved in the sub-zero storage and transport – or "cold chain" – needed for distribution of vaccines developed by AstraZeneca, Moderna, Pfizer and others.

CISA says organizations involved in the Operation Warp Speed program and other parts of the distribution supply chain, should read the detailed IBM report, which lays out a long list of indicators of compromise, and suggests next steps to depend against the threat.

"Our analysis indicates that this calculated operation started in September 2020," IBM senior strategic cyber threat analyst Claire Zaboeva and Melissa Frydrych, threat-hunt researcher at IBM, write in the Security Intelligence report.

The phishing campaign spanned six countries and targeted organizations linked with the Cold Chain Equipment Optimization Platform program of Gavi, the Vaccine Alliance, they write.

"While firm attribution could not be established for this campaign, the precision targeting of executives and key global organizations [holds] the potential hallmarks of nation-state tradecraft."

They note that the perpetrator impersonated an exec from Haier Biomedical, "a credible and legitimate member company of the COVID-19 vaccine supply chain and qualified supplier for the CCEOP program." 

In that guise, they "sent phishing emails to organizations believed to be providers of material support to meet transportation needs within the COVID-19 cold chain" to targets in Germany, Italy, South Korea, the Czech Republic, greater Europe and Taiwan – including tech developers serving the pharma industry, the European Commission’s Directorate General for Taxation and Customs Union, and others.

"We assess that the purpose of this COVID-19 phishing campaign may have been to harvest credentials, possibly to gain future unauthorized access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution."

The suggestion that these are nation-state actors arises because the phishing campaign offers no "clear path to a cash-out," said Zaboeva and Frydrych. "Cyber criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets."

They added that, while knowledge about vaccine transport plans may be of enormous value on the black market, "advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target."

The IBM X-Force report offers a substantial and detailed list of malicious HTML files and other potential indicators of compromise. 

In the meantime, Zaboeva and Frydrych offered a list of common-sense defense mechanisms that organizations along the vaccine supply chain should take:

• Create and test incident response plans.
• Share and ingest threat intelligence.
• Assess your third-party ecosystem.
• Apply a zero-trust approach to your security strategy.
• Use multifactor authentication across your organization.
• Conduct regular email security educational trainings.
• Use endpoint protection and response.

"Governments have already warned that foreign entities are likely to attempt to conduct cyber espionage to steal information about vaccines," they said. "IBM Security X-Force urges companies in the COVID-19 supply chain – from research of therapies, healthcare delivery to distribution of a vaccine – to be vigilant and remain on high alert during this time."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.