Hackers Targeting Companies Involved in Covid-19 Vaccine Distribution

Source: thehackernews.com

A global spear-phishing campaign has been targeting organizations associated with the distribution of COVID-19 vaccines since September 2020, according to new research.

Attributing the operation to a nation-state actor, IBM Security X-Force researchers said the attacks took aim at the vaccine cold chain: the companies responsible for storing and delivering the COVID-19 vaccine at safe temperatures.

The development has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert, urging Operation Warp Speed (OWS) organizations and companies involved in vaccine storage and transport to review the indicators of compromise (IoCs) and beef up their defenses.

It is unclear whether any of the phishing attempts were successful, but IBM said it has notified the appropriate entities and authorities about this targeted attack.

The phishing emails, dating to September, targeted organizations in Italy, Germany, South Korea, the Czech Republic, greater Europe, and Taiwan, including the European Commission’s Directorate-General for Taxation and Customs Union, unnamed solar panel manufacturers, a South Korean software development firm, and a German website development company.

IBM said the attacks likely targeted organizations linked to the Gavi vaccine alliance with the goal of harvesting user credentials to gain future unauthorized access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution.

To lend the emails an air of credibility, the operators behind the campaign crafted lures that masqueraded as requests for quotations for participation in a vaccine program. The attackers also impersonated a business executive from Haier Biomedical, a legitimate China-based cold chain provider, in an attempt to convince the recipients to open the inbound emails without questioning the sender’s authenticity.

“The emails contain malicious HTML attachments that open locally, prompting recipients to enter their credentials to view the file,” IBM researchers Claire Zaboeva and Melissa Frydrych said.

Although the researchers could not establish the identities of the threat actor, the ultimate objective, it appears, is to harvest the usernames and passwords and abuse them to steal intellectual property and move laterally across the victim environments for subsequent espionage campaigns.