In recent days, the U.S. has been finalizing plans to distribute the first 2.9 million doses of the COVID-19 vaccine. In the meantime, cyber actors carried out a targeted attack on companies involved in the vaccine supply chain. On December 3rd, Cybersecurity & Infrastructure Security Agency (CISA) advisory warned that these actors sent spear phishing emails to executives in global organizations impersonating a biomedical company soliciting partnerships in cold storage for the vaccine. Whether or not the attacks have succeeded so far has not yet been confirmed.
In the ongoing attacks, detected by IBM Security X-Force, cybercriminals seem to be using spear phishing. The emails are directed to executives and employees of specific companies in the vaccine supply chain. The email phishing attacks started in September 2020 and appear to come from an employee of Haier Biomedical – a Chinese company – qualified under the Cold Chain Equipment Optimization Platform to provide cold storage for vaccines.
Key Points for spear phishing and phishing emails:
- Spear phishing attacks are most likely originating from nation states.
- The attacks are being waged against companies in the COVID-19 vaccine supply chain.
- The phishing emails containing the phishing link appear to be sent from an actual Chinese company that provides cold storage for vaccines.
- Every company in the supply chain is urged to act diligently to build layered email security defenses against these attacks.
The phishing emails were sent to different organizations who support clients in manufacturing and distribution channels. These organizations consist of governments, solar panel manufacturing, dry ice production and IT companies. Solar panels are used to power refrigerators necessary to keep the vaccine extremely cold.
The phishing email requests “quotes” for participation in the program, referring the recipient to a draft contract that is attached as an HTML document. To open the document, the recipient is asked to enter credentials. By harvesting those credentials, the cyber attackers could gain access to corporate networks to gather information about vaccine distribution and perhaps sabotage operations.
Email Spear Phishers Appear to be Nation-State Actors
Given the sophistication of the attacks and targeting of executives and employees involved in vaccine storage and distribution, the attackers are most likely nation states. Although IBM was unable to positively identify the source.
This incident follows on the heels of a March 2020 spear phishing attack on German companies to gain unauthorized access to PPE equipment. IBM was able to trace that attack to Russian IP addresses. Prior research has often shown that the vast majority of successful data breaches begin with email spear phishing attacks.
This more recent attack signals the importance of “cybersecurity diligence at each step in the vaccine supply chain,” noted Josh Corman, Senior Advisor for CISA on matters relating to COVID and public safety, in emails to multiple media organizations.
Key Spear Phishing Defenses
Usually, the two main defenses against phishing emails are secure email gateways (SEGs) to detect and block those emails before they reach their targets, and cybersecurity awareness training that educates employees to recognize and ignore emails that do make it through. But the phishing emails attacking the COVID-19 vaccine supply chain look very legitimate. They are excellent brand impersonations that appear to be coming from a company that recipients might expect be contacted from.
A further complication comes with the attached HTML document, there are no web pages for security teams to discover and take down. The grammar in the email is weak but given that the spoofed biomedical company is based in China, email recipients may logically excuse this.
There is more that companies can do to guard against attacks such as this:
- Train employees regularly on cybersecurity awareness. Warn them especially against entering credentials in response to emails.
- Deploy or upgrade your SEG. Make sure your gateway can effectively scan all file attachment types.
- Use multi-factor authentication (MFA). Requiring a second method for authorization means that stolen credentials alone are not sufficient to gain access to company networks.
- Implement security practices with third-party partners. Although your company may have a strong detection and response plan. Make sure that partner companies in the supply chain are similarly protected.
- Share information about attacks with partner companies. More information leads to better protections. For example, IBM Security X-Force maintains a repository of identified threats that is freely available to organizations.
- Trust no one. Give users only the minimum access they need to do their jobs.
- Create and test incident response plans. This is wise in anticipation of any attack.
With the critical importance of the COVID-19 vaccine in fighting a global pandemic, it is not surprising that vaccine manufacturing and distribution companies are being victims of attacks. These companies need to be aware of email phishing attacks and develop a strong, layered internal defense. The same concern applies to security partnerships with other companies in the supply chain.