Phishing ploy targets vaccine distribution effort
BOSTON— IBMsecurity researchers say they have detected a cyberespionage effort using targeted phishing emails to try to collect vital information on the World Health Organization’s initiative for distributing COVID-19 vaccine to developing countries.
The researchers said they could not be sure who was behindthecampaign, which began in September, or if it was successful. But the precision targeting and careful efforts to leave no tracks bore “the potential hallmarks of nation-state tradecraft,” they said in a blog post Thursday.
The campaign’s targets, in countries including Germany, Italy, SouthKorea and Taiwan, are likely associated with the development of the “cold chain” needed to ensure coronavirus vaccines get the nonstop sterile refrigeration they need to be effective for the nearly 3 billion people who live where temperature-controlled storage is insufficient, IBM said.
“Think of it as the bloodline that will be supplying the most vital vaccines globally,” saidIBManalyst Claire Zaboeva.
The U.S. Cybersecurity and Infrastructure Security Agency later issued an advisory encouraging Operation Warp Speed, the Trump administration’s vaccine program, and other organizations involved in vaccine storage and transport, to review IBM’s findings.
Whoever is behind the operation could be motivated by a desire to learn how the vaccines are best able to be shipped and stored— the entire refrigeration process — in order to copy it, said Nick Rossmann, the IBM team’s global threat intelligence lead. Or they might want to be able to undermine a vaccine’s legitimacy
or launch a disruptive or destructive attack, he added.
In the ploy, executives with groups likely associated with the initiative knownasCOVAX— created by the Gavi Vaccine Alliance, the World Health Organization and other U.N. agencies — were sent spoofed emails appearing to come from an executive of Haier Biomedical, aChinese company considered the world’s main cold-chain supplier, the analyst said.
The phishing emails posed as requests for price quotations and bore malicious attachments that prompted recipients to enter credentials that could have been used to harvest sensitive information about partners vital to thevaccinedelivery platform.
Targets included the European Commission’s Directorate-General for Taxa
tion and Customs Union and companies that make solar panels for powering portable vaccine refrigerators. Other targets were petrochemical companies, likely because they produce dry ice, which is used in the cold chain, Zaboeva said.
The EU agency has been busy revising new import and export regimes for coronavirus vaccines and would be a gold mine for hackers seeking stepping stones into partnering organizations, she said.
COVAX has struggled to raise enoughmoneyto compete for vaccine contracts against the world’s wealthiest nations in the race to secure doses as fast as they can be produced. But the UN and Gavi have invested millions in cold- chain equipment across Africa and Asia. The investment, in the works well before the pandemic, was accelerated
to prepare for an eventual global rollout of coronavirus vaccines.
Whoever was behind the phishing operation likely sought “advanced insight into thepurchaseandmovement of a vaccine that can impact life and the global economy,” the blog post said. Coronavirus vaccines will be one of the world’s most sought-after products as they are distributed, so theft may also be a danger.
In the U.S., the FBI has been working with other federal agencies and private industry to protect vaccine development and delivery, Tonya Ugoretz, the agency’s deputy assistant director for cyber readiness and intelligence, said Thursday at the online Aspen Cyber Summit.
The aim is toward off not just cyberthreats but also more traditional humancentric espionage by adversaries whomay seek to steal intellectual property for financial gain, to benefit another country or to “undermine confidence in U.S. efforts to provide an effective vaccine,” she said.
On the same panel, Marene Allison, the chief information security officer (CISO) at Johnson & Johnson, said that while she was confident that major pharmaceutical companies like hersdeveloping coronavirus vaccines have strong defenses in place against hackers, some third parties involved in the process may not.
There have been reports that Johnson& Johnson has been targeted by North Korean hackers, but Allison said that doesn’t mean the attempts have been successful.
“I and all CISOs in health care are seeing attempted penetrations by nation-state actors, not justNorthKorea, every single minute of every single day,” she said.
Last month, Microsoft said it had detected mostly unsuccessful attempts by state-backed Russian and North Korean hackers to steal data from leading pharmaceutical companies and vaccine researchers. It gave no information on how many succeeded or how serious those breaches were. Chinese state-backed hackers have also targeted vaccine makers, the U.S. government said in announcing criminal charges in July.
Microsoft said most of the targets — located in Canada, France, India, South Korea and theUnited States — were researching vaccines and COVID-19 treatments. It did not name the targets.
On Wednesday, Britain became the first to country to authorize a rigorously tested COVID-19 vaccine, the one developed by American drugmaker Pfizer and Germany’s BioNTech.
Other countries aren’t far behind: Regulators not only in the U.S. but in the EuropeanUnion andCanadaalso are vetting the Pfizer vaccine along with a shot by Moderna Inc. British and Canadian regulators are also considering a vaccine by AstraZeneca and Oxford University.