The recent news that IBM has found evidence that hackers are targeting the Covid-19 supply chain will come as no surprise to those involved in cybersecurity.

IBM says it has uncovered a global phishing campaign targeting organisations associated with a Covid-19 cold chain.  They believe the campaign started in September 2020, and it involved sending out phishing emails targeting organisations likely associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program.

The ‘cold chain’ is a component of the vaccine supply chain that ensures the safe preservation of vaccines in temperature-controlled environments during their storage and transportation.

Key facts

  • The emails impersonated a business executive from Haier Biomedical, a credible and legitimate member company of the Covid-19 vaccine supply chain and qualified supplier for the CCEOP program.
  • The targets included global organisations headquartered in Germany, Italy, South Korea, Czech Republic, and Taiwan.
  • Phishing emails were sent to select executives in sales, procurement, information technology, and finance positions, likely involved in company efforts to support a vaccine cold chain.
  • IBM Security X-Force followed responsible disclosure protocols and notified the appropriate entities and authorities about this targeted operation.
  • It’s unclear from IBMs analysis if the Covid-19 phishing campaign was successful.

Precision targeting

This cyberattack was a spear phishing attack – where attackers try to craft a message to appeal to a specific individual (think of a fisherman with a spear aiming for one particular fish).

Along with precision targeting, spear phishing campaigns contain a large element of research. Attackers will use information found easily online, such as LinkedIn, social media profiles, and company web sites to create a credible email that can be difficult to spot without close inspection.

The hackers went to “an exceptional amount of effort,” according to IBM analyst Claire Zaboeva, who helped draft the report. “Hackers researched the correct make, model, and pricing of various Haier refrigeration units,” she added.

Nearly 90% of organisations around the world experienced spear phishing attempts in 2019, according to the 2020 Verizon Data Breach Investigations Report.

Indeed, the role that Haier Biomedical currently plays in vaccine transport, and their potential role in vaccine distribution, increases the probability the intended targets will open the attached documents requesting a quotation relating to CCEOP, without questioning the sender’s authenticity.

Dr Duncan Hodges, Senior Lecturer in Cyberspace Operations, at Cranfield University says: “It is this precision targeting and well-crafted email content that makes spear phishing campaigns so effective. They look like emails the target is likely to receive and this makes them difficult to identify as malicious, whether by technology deployed to help defend an organisation or by the target themselves. The emails will be well-grounded in research so that there’s nothing in them that leaps out as unusual.

“In this instance, these emails had an added hook, they requested a quotation and the content was phrased along the lines of ‘this is an opportunity for you to potentially get business from us’. They’ve been clever about how they’ve phrased that power dynamic – it’s in the email receiver’s interest to open the attachment and to try and send a quotation or reply.”

Intelligence gathering

Like recent phishing attacks targeting vaccine research, this attack is likely to be more about intelligence gathering than trying to disrupt research or the supply chain - using the stolen access they could gain insight into the processes, methods, and plans for distributing the vaccine.

Hackers linked to states such as Russia, China, Iran, North Korea, and so on, have previously been accused by governments of targeting vaccine research, and recently Cybercriminals have been aggressively targeting healthcare organisations, such as hospitals, during the pandemic.

Over a fifth of all breaches involved phishing, according to the 2020 Verizon Data Breach Investigations Report. For cyber-espionage attacks, these types of attacks rely heavily on combining social and/or malware vectors, using phishing in 81% of the incidents.

While attribution could not be established for this Covid-19 campaign, the precision targeting of executives and key global organisations hold the potential hallmarks of nation state tradecraft, according to IBM.

Dr Hodges agrees: “The precision targeting and intelligence gathering requirement indicates a degree of involvement from a nation state. The precision targeting demonstrated in these campaigns is their Modus Operandi. It is normal standard practice, to carefully craft the initial hook in the email so that it isn’t coming from a random person which would raise suspicions that it was a phishing attack.

Cyber threat hunting

Cyber threats are intrinsically linked to global forces, so it is no surprise that organisations involved in the Covid-19 vaccine research, production and logistics have been targeted. The attack was discovered by IBM’s threat intelligence task force that is dedicated to tracking down Covid-19 cyber threats against organisations that are keeping the vaccine supply chain moving.

“Cyber threat hunting is the practice of proactively searching for threats,” explains Dr Hodges. “It’s a kind of hypothesis-driven proactive approach to defence. So rather than waiting for your appliances to tell you something bad has happened, it’s about saying, ‘I think in the future I will see these types of attacks targeting my company to get this sort of information and using data to defend the company. The data can come from threat intelligence, behaviour analytics, automation detection, and machine learning and automated analytics.

“With hackers continuing to innovate and develop their methods to maximise their impact, cyber threat hunting is becoming increasingly important as organisations and governments seek to stay ahead of the latest cyber threat and respond rapidly to attacks. It’s an essential part of a defence strategy - whether you’re trying to protect against eCrime or nation state activity.”

Need to know more?

Cranfield’s Cyber Defence and Information Assurance MSc has been designed to develop professionals who can lead in a cyber-environment, to effectively exploit the threats and opportunities of cyberspace at the organisational level. The course focuses on understanding and articulating the executive-level responses to serious present and emerging threats in the information domain.

Two elements of the MSc are available as short courses, the first is Cyber Attack: Threats and Opportunities which aims to develop an understanding of the threats to an organisation by considering the tools, techniques and procedures that attackers use to compromise an organisations security. The second is Critical Networks and Cyber-Physical Systems which considers the cyber threats to our critical national infrastructure (such as healthcare, power, etc.) in addition to those threats to the security of smart devices such as smart homes and smart vehicles.