During the course of ongoing research on coronavirus-related cyber activity, IBM X-Force Incident Response and Intelligence Services (IRIS) uncovered a COVID-19 related phishing campaign targeting a German multinational corporation (MNC), associated with a German government-private sector task force to procure personal protective equipment (Task Force Schutzausrüstung). The group has been commissioned to use their international contacts and expertise to obtain personal protective equipment (PPE) such as face masks and medical gear, particularly from China-based supply and purchasing chains.

IBM X-Force IRIS’ research indicates that the threat actors behind this campaign targeted more than 100 high ranking executives in management and procurement roles within this organization and its third-party ecosystem. Overall, IBM X-Force IRIS observed approximately 40 organizations being targeted in this campaign. Given the extensive targeting observed of this supply chain, it’s likely that additional members of the task force could be targets of interest in this malicious campaign, requiring increased vigilance. IBM X-Force IRIS has notified CERT BUND about this activity to further ensure members are aware.

This discovery represents a precision-targeting campaign exploiting the race to secure essential PPE. Based on our analysis, attackers likely intended to compromise a single international company’s global procurement operations, along with their partner environments devoted to a new government-led purchasing and logistics structure.

Targeting New Medical Equipment Procurement Structures

On 30 March 2020, German government officials met with several top German MNCs to establish new ‘framework agreements’ to commission these nine companies to leverage their access to foreign markets to purchase and facilitate the delivery of PPE on behalf of various German Ministries.

Our research shows that, on this same date, suspicious activity from a Russia-based IP address toward the MNC began. Specifically, IBM X-Force IRIS discovered over 280 URLs tied to the suspicious Russia-based IP address 178[.]159[.]36[.]183, with more than a third including Base64 encoded email addresses belonging to suspected targets at the MNC and its third-party supply chain partners. Approximately half of the encoded email accounts belong to executives associated with operations, finance, and procurement within the targeted corporation. The remaining half belong to executives at third-party partners, including European and American companies associated with chemical manufacturing, aviation and transport, medical and pharmaceutical manufacturing, finance, oil and gas, and communications.

As of the time of publication, this campaign remains an ongoing operation.

Credential Harvesting

IBM X-Force IRIS discovered that the URLs redirect the target emailed to a fake, actor-controlled Microsoft login page designed to steal and exfiltrate user credentials to several different Yandex email accounts.

It is unclear how many of these phishing attacks were successful, however through credential harvesting, threat actors could gain access to the victims’ email accounts with the potential to collect or exfiltrate data of interest, and/or move laterally through the network to fulfill other actions on objectives.

Figure 1: Fake Login Page

Figure 2: Actor-owned email account embedded in the HTML

 Global Race for Resources

A global rush to obtain essential PPE for health care personnel has resulted in an unprecedented leap in prices and competition for now-critical medical resources. To secure vital supplies, nations across the globe have launched a bevy of national buying programs, emergency state export statutes, and contracting initiatives to acquire the essential equipment to address the rapid spread of coronavirus.

Given the worldwide spread of COVID-19 and fears of a pending second wave of infection, it is highly likely criminal and state-sponsored actors alike will seek to exploit global procurement and supply chains with the intention of either profiting from the crisis or supporting the acquisition activities of their host nation.

Preparation, Planning and Practice

In this extraordinary time, many organizations across the globe are being called upon to perform essential tasks to outfit, equip and support medical professionals on the frontlines of a global crisis. These companies are now part of an emerging high value target group whose reliance on digital technology to enable business practices provides a potential means of compromise to malicious cyber actors. Now, perhaps more than ever, businesses must have an actionable  Incident Response Plan in place to prevent, react and recover from a cyber emergency.

IOCs associated with this campaign are available via our Enterprise Intelligence Management platform.

This campaign also underscores the need for organizations to address the risks from phishing attacks. Phishing was the initial infection vector in nearly one-third of all cyber incidents we investigated last year. Please read our previously published blog “State of the Phish: IBM X-Force Reveals Current Phishing Attack Trends” to review ways to help mitigate this threat.

More from Threat Intelligence

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - Summary As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed…

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today