A global spear-phishing campaign has been targeting organizations associated with the distribution of COVID-19 vaccines since September 2020, according to new research.
Attributing the operation to a nation-state actor, IBM Security X-Force researchers said the attacks took aim at the vaccine cold chain, companies responsible for storing and delivering the COVID-19 vaccine at safe temperatures.
The development has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert, urging Operation Warp Speed (OWS) organizations and companies involved in vaccine storage and transport to review the indicators of compromise (IoCs) and beef up their defenses.
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
It is unclear whether any of the phishing attempts were successful, but the company said it has notified appropriate entities and authorities about this targeted attack.
The phishing emails, dating to September, targeted organizations in Italy, Germany, South Korea, the Czech Republic, greater Europe, and Taiwan, including the European Commission's Directorate-General for Taxation and Customs Union, unnamed solar panel manufacturers, a South Korean software development firm, and a German website development company.
IBM said the attacks likely targeted organizations linked to the Gavi vaccine alliance with the goal of harvesting user credentials to gain future unauthorized access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution.
To lend the emails an air of credibility, the operators behind the operation crafted lures that masqueraded as requests for quotations for participation in a vaccine program. The attackers also impersonated a business executive from Haier Biomedical, a legitimate China-based cold chain provider, in an attempt to convince the recipients to open the inbound emails without questioning the sender's authenticity.
"The emails contain malicious HTML attachments that open locally, prompting recipients to enter their credentials to view the file," IBM researchers Claire Zaboeva and Melissa Frydrych said.
Although the researchers could not establish the identities of the threat actor, the ultimate objective, it appears, is to harvest the usernames and passwords and abuse them to steal intellectual property and move laterally across the victim environments for subsequent espionage campaigns.
COVID-19 Vaccine Research Emerges a Lucrative Target
COVID-19 vaccine research and development has been a target of sustained cyberattacks since the start of the year.
Back in June, IBM disclosed details of a similar phishing campaign targeting a German entity connected with procuring personal protective equipment (PPE) from China-based supply and purchasing chains.
The cyberassaults led the US Department of Justice to charge two Chinese nationals for stealing sensitive data, including from companies developing COVID-19 vaccines, testing technology, and treatments, while operating both for private financial gain and on behalf of China's Ministry of State Security.
In November, Microsoft said it detected cyberattacks from three nation-state agents in Russia (Fancy Bear aka Strontium) and North Korea (Hidden Cobra and Cerium) directed against pharmaceutical companies located in Canada, France, India, South Korea, and the US that are involved in COVID-19 vaccines in various stages of clinical trials.
Then last week, it emerged that suspected North Korean hackers have targeted British drugmaker AstraZeneca by posing as recruiters on networking site LinkedIn and WhatsApp to approach its employees with fake job offers and tricking them into opening what were purported to be job description documents to gain access to their systems and install malware.