In December 2020, IBM Security X-Force released a research blog disclosing that the COVID-19 cold chain — an integral part of delivering and storing COVID-19 vaccines at safe temperatures — was targeted by cyber adversaries. After that first report, we recently discovered an additional 50 files tied to spear-phishing emails that targeted 44 companies in 14 countries in Europe, North America, South America, Africa and Asia.

The expanded scope of precision targeting includes key organizations likely underpinning the transport, warehousing, storage and ultimate distribution of vaccines. Spear-phishing attempts were associated with multiple executive activities and other roles, including:

The campaign impersonates an executive from Haier Biomedical, a major Chinese biomedical company that is purported to be the world’s only complete cold chain provider. The updated findings were made available via our Enterprise Intelligence Management platform TruSTAR in January 2021. In the same timeframe, X-Force reached out to relevant CERTS and global entities in concert with our responsible disclosure policy.

Email significance

Exploring the available emails, X-Force uncovered multiple features which likely signal the actor’s exceptional knowledge of the cold chain. While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat.

• The uncovered emails were sent between Sept. 7-9, several months in advance of the approval of any COVID-19 vaccine variant, which indicates the attacker was prepositioning in emerging global infrastructure.
• Both the email subject and contents discuss requests for quotes regarding the Cold Chain Equipment Optimization Platform (CCEOP) program and contain references to specific products (a specific solar-powered vaccine refrigerator and ice-lined refrigerator) from Haier Biomedical’s product line to store and transport vaccines at the same temperatures of the COVID-19 vaccine.
•  The related HTML files mention organizations involved in the manufacturing of solar panels, as well as petrochemical production (dry ice as a primary byproduct), which directly aligns with the aforementioned products.
• The English language in the email aligns with the educational background of the sender spoofed in the signature block.

Overlapping infrastructure

Directly following our December publication, X-Force uncovered an additional spear-phishing email, remarkably similar to the original samples we found. The email was addressed to a German pharmaceutical and bioscience solutions company involved in vaccine production, among other specialties, who appears to be a client of one of the original targets we uncovered. This context to the initial targeted email prompted further investigation.

The connections between the previous and the new files we found feature overlapping command-and-control (C2) infrastructure, and appear to display the same blurred PDF with a login screen prepopulated with the user’s email address as the ID. Once a user ID and password are keyed in, the credentials are sent to a C2 server. X-Force assesses that this activity is aimed at obtaining user credentials for future or secondary attacks.

Most targeted industries

The potential targets, categorized into most targeted industries, may present various avenues into the overall COVID-19 supply chain. They include:

Transportation — X-Force research suggests at least eight unique organizations within the automotive, aviation, maritime and transport services sectors across Italy, Korea, Japan, Colombia and the United States may have been targeted.

Health care — Our findings indicate likely targets include organizations associated with biomedical research, medical manufacturing, pharmaceuticals and hygiene services and headquartered in the Czech Republic, Germany and U.S. The corporations specialize in a variety of disciplines including immunology, manufacturing of medical accessories, construction of surgical materials, the creation of pharmaceutical ingredients and online pharmacies distributing COVID-19 rapid tests.

Information technology & electronics — A total of six organizations across Bulgaria, France, Poland, Ukraine and the U.S. associated with web-hosting services, software development, IT operations and outsourcing and online platform providers were subject to activity. Collection against these organizations could provide actors with insight into key technical requirements concerning the cold chain and vaccine storage.

In addition to the sectors detailed above, notable clusters of uncovered email addresses were found to be associated with government organizations, as well as refrigeration and metal manufacturing technology. X-Force uncovered likely instances of activity directed against government ministries and departments in Europe, specifically supporting import/export of special goods, transport and public health and safety. All addressees are specific individuals of these organizations, including the precision targeting of (at the time of the campaign) a major central European country’s department head of prevention.

As reported in the X-Force Threat Intelligence Index 2021, industries that governments worldwide have heavily relied on for COVID-19 response efforts were at the epicenter of targeting during 2020, with attacks on manufacturing, energy and health care doubling from the previous year. This serves as yet another reminder that organizations and industries on the forefront of critical infrastructure and critical supply chains, such as the COVID-19 cold chain, are targets of high interest to adversaries.

What are attackers likely looking for?

With more than 350 logistics partners around the world, UNICEF and the COVID-19 vaccine cold chain will rely on seamless, multimodal transport systems to ensure that vaccines are transported in a timely and safe manner around the world. Attackers could be looking to infiltrate this extended supply chain to gain privileged insight into some of the following aspects:

• Privileged insight into national Advance Market Commitment (AMC) negotiations surrounding the national procurement of vaccines.
• Key timetables for distribution, information regarding expedited passage of COVID-19 vaccines through various nations and territories.
• Export controls and international property rights, government measures taken to facilitate the time-sensitive cargo including pre-arrival processing.
• Collection or duplication of electronic submission of documents for pre-arrival processing.
• Transit and World Trade Organization (WTO) trade facilitation agreements, clearance for transport crews and security of the cargo, border crossing regulations and physical inspections.
• Key technical requirements surrounding warehousing and energy/electrical component requirements for maintaining temperature-controlled environments during vaccine storage.

While clear attribution remains presently unavailable, the rise of ‘vaccine nationalism’ and increased global competition surrounding access to vaccines suggests the higher likelihood of a nation-state operation.

A reminder to stay vigilant

The COVID-19 pandemic has created an unprecedented race between rival nations on an unequal economic plane. It is almost inevitable to see this type of adversarial activity in a threat landscape that is already extremely active on the nation-state attack front.

Any disruption to the requisite conditions, including freight, storage and logistics, could result in impotent or unsafe vaccines, leading to devastating effects on global health security. A better understanding of espionage efforts that could result in actions against the supply chain raises the importance of staying vigilant and aware of the related risks and ramifications. For recommendations on how to increase their cyber readiness, defenders can read our original research blog.

For more in-depth analysis surrounding this campaign, please access TRUSTAR.

Indicators of compromise

HTML Files

Domains