Hackers are putting on their winter coats for this new scam.
According to researchers at IBM’s X-Force, a new phishing campaign targeting the COVID-19 vaccine “cold chain” (the part of the supply chain focused on “the safe preservation of vaccines in temperature-controlled environments during their storage and transportation”) is out in the wild.
Healthcare, distribution and government agencies beware! The phishing emails are disguised as requests for quotations (RFQs) related to the cold chain, and contain malicious HTML attachments that will open credential-harvesting phishing pages.
“Our analysis indicates that this calculated operation started in September 2020,” the researchers write. “The COVID-19 phishing campaign spanned across six countries and targeted organizations likely associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program, which we explain further in this blog. While firm attribution could not be established for this campaign, the precision targeting of executives and key global organizations holds the potential hallmarks of nation-state tradecraft.”
The operation appears to have been highly targeted, since the attackers knew exactly who to impersonate.
“The spoofed phishing emails appear to originate from a business executive from Haier Biomedical, a Chinese company currently acting as a qualified supplier for the CCEOP program, in coordination with the World Health Organization (WHO), UNICEF and other U.N. agencies,” X-Force says.
“It is highly likely that the adversary strategically chose to impersonate Haier Biomedical because it is purported to be the world’s only complete cold chain provider. Likewise, the Haier Biomedical employee who is purported to be sending these emails would likely be associated with Haier Biomedical’s cold chain distribution operations based on his role, which is listed in the email signature block.”
The researchers believe the immediate goal of the campaign is likely espionage related to the vaccine, but the access gained could also be intended for use in future campaigns.
“We assess that the purpose of this campaign may have been to harvest credentials to gain future unauthorized access,” they write. “From there, the adversary could gain insight into internal communications, as well as the process, methods and plans to distribute a COVID-19 vaccine.
This includes information regarding infrastructure that governments intend to use to distribute a vaccine to the vendors that will be supplying it. However, beyond critical information pertaining to the COVID-19 vaccine, the adversary’s access could extend deeper into victim environments.
Moving laterally through networks and remaining there in stealth would allow them to conduct cyber espionage and collect additional confidential information from the victim environments for future operations.”
If you need assistance with your business cybersecurity, contact DarkHound at [email protected]