IBM: Cybercriminals Could Disrupt COVID-19 Vaccine Supply Chain

Cybercriminals are targeting the COVID-19 vaccine supply chain, and if successful they could destroy cargo loads of the life-saving vaccines.

That’s according to IBM Security X-Force’s latest threat research. It discovered a campaign against the COVID-19 vaccine cold chain.

Pfizer and Moderna have announced promising results from their COVID-19 vaccine trials. Therefore, countries are initiating the process of distributing vaccines. However, these vaccines rely on temperature-controlled environments, also known as the cold chain, for distribution.

IBM Security X-Force discovered a targeted operation against the COVID-19 vaccine cold chain that supports the Gavi Alliance and UNICEF’s’ efforts to safely transport a vaccine to underdeveloped regions. Moreover, these regions rely on external aid to store their medicines in temperature-control environments.

The COVID-19 vaccine campaign has the components of a state-sponsored attack.

IBM’s Claire Zaboeva

Claire Zaboeva is senior cyber threat analyst with IBM Security X-Force.

“The COVID-19 cold chain represents a new kind of global critical infrastructure,” she said. “If damaged or disrupted, it is possible cargo loads of life-saving vaccines could be destroyed.”

Malicious actors sought to harvest credentials to likely gain illegal access to targeted environments, Zaboeva said. Should they gain presence on the system, they may carry out a multitude of attacks. Those include collecting sensitive or critical information, to even conducting disruptive or destructive attacks.

“The compromise of any of the targeted organizations, which maintain direct ties to multiple national government networks associated with trade and regulation, may serve as a single point of compromise impacting multiple downstream targets,” she said.

According to IBM Security X-Force’s research:

• Attackers impersonated Haier Biomedical to conduct spear-phishing attacks against global organizations that provide material support to the cold chain. Haier reportedly is the world’s only complete cold chain provider.
• Attackers targeted global organizations in at least six countries, including the European Commission’s Directorate-General for Taxation and Customs Union, petrochemicals, solar panel companies and more organizations across other industries.
• Attackers attempted credential harvesting to access sensitive information pertaining to COVID-19 vaccine transport and distribution.

“All security providers worldwide will need to collaborate in defending this emerging infrastructure,” Zaboeva said. “Likewise, at the corporate level, companies need to cultivate a culture of cyber awareness, one that includes an active security posture that has a practiced incident response plan in place.”

Zaboeva offers the following suggestions for targeted organizations:

• Trust but verify. Now is the time to scrutinize everything from your partners. Pick up the phone and call them to confirm emails or unsolicited attachments are really from them.
• Limit employee access to sensitive information. Only provide access to those who need it for their roles.
• Use multifactor authentication (MFA) across your organization. This is an extra layer of defense that stops a bad guy from getting in even if they do succeed in getting your username, email and password.

It’s very possible this is just the start of attacks on the COVID-19 vaccine supply chain as initial distribution nears, Zaboeva said.

“Given global demand for a life-saving vaccine, it is highly likely advanced insight into the secure cold chain transport underpinning the worldwide distribution of vaccines represents a continuing high-value target for both state-sponsored threats and independent cybercriminals,” she said.

RiskIQ: Universities Increasingly Under Attack

Twenty universities globally have been subject to phishing campaigns since July, according to RiskIQ‘s “Shadow Academy” report.

The attacks are similar to the Iranian company Mabna Institute. It illegally gains access to non-Iranian scientific resources through computer intrusions.

RiskIQ has named the actors identified during this research as “Shadow Academy.”

Among the key findings:

• The credential-harvesting URLs focused mainly on popular services like Amazon, Instagram and online banking.
• A Louisiana State University (LSU)-themed student portal login page was the first identified target.
• Library-themed attacks targeted 37%.
• General access or student portal attacks targeted 63%.
• Financial aid-themed attacks targeted 11%.

Many college campuses began releasing timelines for traditional on-campus operations in July, RiskIQ said. Research suggests that Shadow Academy actors timed the development of malicious infrastructure to take advantage of back-to-school chaos.

Universities have been a historically lucrative attack landscape for attackers such as Silent Librarian and w4coders. They knowingly take advantage of overwhelmed IT staff during the start of the school year.

Cory Kennedy is a threat researcher for RiskIQ. He said the attackers are typically attempting credential theft.

“Targeting students with Netflix phishing campaigns may…