Email Spear Phishing Attacks Target COVID-19 Vaccine Supply Chains

As the U.S. was finalizing plans to distribute the first 2.9 million doses of the COVID-19 vaccine, cyber actors carried out a targeted attack on companies involved in the vaccine supply chain. A December 3 Cybersecurity & Infrastructure Security Agency (CISA) advisory warned that these actors sent phishing emails to executives in global organizations impersonating a biomedical company soliciting partnerships in cold storage for the vaccine.[1] Whether the attacks have succeeded so far couldn’t be determined.

In the ongoing attacks, detected by IBM Security X-Force, cybercriminals are using spear phishing, so called because the emails are directed to executives and employees of specific companies in the vaccine supply chain. The email phishing attacks started in September 2020 and appear to come from an employee of Haier Biomedical, a Chinese company that is qualified under the Cold Chain Equipment Optimization Platform to provide cold storage for vaccines.

The phishing emails were sent to organizations in government, solar panel manufacturing, dry ice production and IT companies supporting clients in manufacturing and distribution channels. Solar panels are used to power refrigerators necessary to keep the vaccine extremely cold.

The phishing email requests quotes for participation in the program, referring the recipient to a draft contract that is attached as an HTML document. To open the document, the recipient is asked to enter credentials. By harvesting those credentials, the cyberattackers could gain access to corporate networks to gather information about vaccine distribution and perhaps to sabotage operations.

Email Spear Phishers Appear to be Nation-State Actors

Given the sophistication of the attacks and targeting of executives and employees involved in vaccine storage and distribution, the attackers are most likely nation states, although IBM was unable to positively identify the source.

This incident follows on the heels of a March 2020 spear phishing attack on German companies to gain unauthorized access to PPE equipment.[2] IBM was able to trace that attack to Russian IP addresses. Prior research has often shown that the vast majority of successful data breaches begin with email spear phishing attacks.

This more recent attack signals the importance of “cybersecurity diligence at each step in the vaccine supply chain,” noted Josh Corman, Senior Advisor for CISA on matters relating to COVID and public safety, in emails to multiple media organizations.

Key Spear Phishing Defenses

Usually, the two main defenses against phishing emails are secure email gateways (SEGs) to detect and block those emails before they reach their targets and cybersecurity awareness training that educates employees to recognize and ignore emails that do make it through. But the phishing emails attacking the COVID-19 vaccine supply chain look very legitimate — they’re excellent brand impersonations that appear to be coming from a company that recipients might expect to contact them.

A further complication is that, with the attached HTML document, there are no web pages for security teams to discover and take down. The grammar in the email is weak but given that the spoofed biomedical company is based in China, email recipients may logically excuse this.

Nevertheless, there is more that companies can do to guard against attacks such as this:

• Train employees regularly on cybersecurity awareness. Warn them especially against entering credentials in response to emails.
• Deploy or upgrade your SEG. Make sure your gateway can effectively scan all file attachment types.
• Use multifactor authentication (MFA). Requiring a second method for authorization means that stolen credentials alone are not sufficient to gain access to company networks.
• Implement security practices with third-party partners. Although your company may have a strong detection and response plan, make sure that partner companies in the supply chain are similarly protected.
• Share information about attacks with partner companies. More information leads to better protections. For example, IBM Security X-Force maintains a repository of identified threats that is freely available to organizations.
• Trust no one. Give users only the minimum access they need to do their jobs.
• Create and test incident response plans. This is wise in anticipation of any attack.

The Bottom Line

With the critical importance of the COVID-19 vaccine in fighting a global pandemic, it is not surprising that vaccine manufacturing and distribution companies are coming under attack. These companies need to be keenly aware of email phishing attacks and develop a strong, layered internal defense as well as security partnerships with other companies in the supply chain.

[1] “IBM Releases Report on Cyber Actors Targeting the COVID-19 Vaccine Supply Chain,” U.S. Cybersecurity & Infrastructure Security Agency

[2] “German Task Force for COVID-19 Medical Equipment Targeted in Ongoing Phishing Campaign,” Security Intelligence