A global spear-phishing campaign has been targeting organizations involved in the distribution of COVID-19 vaccines since September 2020, according to new research.
Attributing the operation to a nation-state actor, IBM Security X-Force researchers said the attacks took aim at the vaccine cold chain, the companies responsible for storing and delivering the COVID-19 vaccine at safe temperatures.
The development has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert, urging Operation Warp Speed (OWS) organizations and companies involved in vaccine storage and transport to review the indicators of compromise (IoCs) and strengthen their defenses.
It is unclear whether any of the phishing attempts were successful, but the company said it has notified the appropriate entities and authorities about this targeted attack.
The phishing emails, dating back to September, targeted organizations in Italy, Germany, South Korea, the Czech Republic, wider Europe, and Taiwan, including the European Commission's Directorate-General for Taxation and Customs Union, unnamed solar panel manufacturers, a South Korean software development firm, and a German website development company.
IBM said the attacks likely targeted organizations linked to the Gavi vaccine alliance with the goal of harvesting user credentials to gain future unauthorized access to corporate networks and sensitive information concerning COVID-19 vaccine distribution.
The attackers also impersonated a business executive from Haier Biomedical, a legitimate China-based cold chain provider, in an effort to convince the recipients to open the incoming emails without second-guessing the sender's authenticity.
“The emails contain malicious HTML attachments that open locally, prompting recipients to enter their credentials to look at the file,” IBM researchers Claire Zaboeva and Melissa Frydrych said.
Although the researchers could not establish the identity of the threat actor, the ultimate objective, it appears, is to harvest usernames and passwords and abuse them to steal property and move laterally across the victim environments for subsequent espionage campaigns.
COVID-19 Vaccine Research Emerges as a Lucrative Target
COVID-19 vaccine research and development has been a target of sustained cyberattacks since the beginning of the year.
Back in June, IBM disclosed details of a similar phishing campaign targeting a German entity connected with procuring personal protective equipment (PPE) from China-based supply and purchasing chains.
The cyberattacks led the US Department of Justice to charge two Chinese nationals with stealing sensitive data, including from companies developing COVID-19 vaccines, testing technology, and treatments, while operating both for personal gain and on behalf of China's Ministry of State Security.
In November, Microsoft said it detected cyberattacks from three nation-state actors in Russia (Fancy Bear aka Strontium) and North Korea (Hidden Cobra and Cerium) directed against pharmaceutical companies located in Canada, France, India, South Korea, and the US that are involved in COVID-19 vaccines in various stages of clinical trials.
Then last week, it emerged that suspected North Korean hackers had targeted British drugmaker AstraZeneca by posing as recruiters on the networking site LinkedIn and on WhatsApp, approaching its employees with fake job offers and tricking them into opening what were purported to be job description documents in order to gain access to their systems and install malware.