During the course of ongoing research on coronavirus-related cyber activity, IBM X-Force Incident Response and Intelligence Services (IRIS) uncovered a COVID-19 related phishing campaign targeting a German multinational corporation (MNC), associated with a German government-private sector task force to procure personal protective equipment (Task Force Schutzausrüstung). The group has been commissioned to use their international contacts and expertise to obtain personal protective equipment (PPE) such as face masks and medical gear, particularly from China-based supply and purchasing chains.

IBM X-Force IRIS’ research indicates that the threat actors behind this campaign targeted more than 100 high ranking executives in management and procurement roles within this organization and its third-party ecosystem. Overall, IBM X-Force IRIS observed approximately 40 organizations being targeted in this campaign. Given the extensive targeting observed of this supply chain, it’s likely that additional members of the task force could be targets of interest in this malicious campaign, requiring increased vigilance. IBM X-Force IRIS has notified CERT BUND about this activity to further ensure members are aware.

This discovery represents a precision-targeting campaign exploiting the race to secure essential PPE. Based on our analysis, attackers likely intended to compromise a single international company’s global procurement operations, along with their partner environments devoted to a new government-led purchasing and logistics structure.

Targeting New Medical Equipment Procurement Structures

On 30 March 2020, German government officials met with several top German MNCs to establish new ‘framework agreements’ to commission these nine companies to leverage their access to foreign markets to purchase and facilitate the delivery of PPE on behalf of various German Ministries.

Our research shows that, on this same date, suspicious activity from a Russia-based IP address toward the MNC began. Specifically, IBM X-Force IRIS discovered over 280 URLs tied to the suspicious Russia-based IP address 178[.]159[.]36[.]183, with more than a third including Base64 encoded email addresses belonging to suspected targets at the MNC and its third-party supply chain partners. Approximately half of the encoded email accounts belong to executives associated with operations, finance, and procurement within the targeted corporation. The remaining half belong to executives at third-party partners, including European and American companies associated with chemical manufacturing, aviation and transport, medical and pharmaceutical manufacturing, finance, oil and gas, and communications.

As of the time of publication, this campaign remains an ongoing operation.

Credential Harvesting

IBM X-Force IRIS discovered that the URLs redirect the target emailed to a fake, actor-controlled Microsoft login page designed to steal and exfiltrate user credentials to several different Yandex email accounts.

It is unclear how many of these phishing attacks were successful, however through credential harvesting, threat actors could gain access to the victims’ email accounts with the potential to collect or exfiltrate data of interest, and/or move laterally through the network to fulfill other actions on objectives.

Figure 1: Fake Login Page

Figure 2: Actor-owned email account embedded in the HTML

 Global Race for Resources

A global rush to obtain essential PPE for health care personnel has resulted in an unprecedented leap in prices and competition for now-critical medical resources. To secure vital supplies, nations across the globe have launched a bevy of national buying programs, emergency state export statutes, and contracting initiatives to acquire the essential equipment to address the rapid spread of coronavirus.

Given the worldwide spread of COVID-19 and fears of a pending second wave of infection, it is highly likely criminal and state-sponsored actors alike will seek to exploit global procurement and supply chains with the intention of either profiting from the crisis or supporting the acquisition activities of their host nation.

Preparation, Planning and Practice

In this extraordinary time, many organizations across the globe are being called upon to perform essential tasks to outfit, equip and support medical professionals on the frontlines of a global crisis. These companies are now part of an emerging high value target group whose reliance on digital technology to enable business practices provides a potential means of compromise to malicious cyber actors. Now, perhaps more than ever, businesses must have an actionable  Incident Response Plan in place to prevent, react and recover from a cyber emergency.

IOCs associated with this campaign are available via our Enterprise Intelligence Management platform.

This campaign also underscores the need for organizations to address the risks from phishing attacks. Phishing was the initial infection vector in nearly one-third of all cyber incidents we investigated last year. Please read our previously published blog “State of the Phish: IBM X-Force Reveals Current Phishing Attack Trends” to review ways to help mitigate this threat.

More from Threat Intelligence

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Threat intelligence to protect vulnerable communities

2 min read - Key members of civil society—including journalists, political activists and human rights advocates—have long been in the cyber crosshairs of well-resourced nation-state threat actors but have scarce resources to protect themselves from cyber threats. On May 14, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a High-Risk Communities Protection (HRCP) report developed through the Joint Cyber Defense Collaborative that addresses the threat to these vulnerable groups, with findings contributed by the X-Force Threat Intelligence team.Cyber criminals seek stolen credentialsThe HRCP…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today