During the course of ongoing research on coronavirus-related cyber activity, IBM X-Force Incident Response and Intelligence Services (IRIS) uncovered a COVID-19 related phishing campaign targeting a German multinational corporation (MNC), associated with a German government-private sector task force to procure personal protective equipment (Task Force Schutzausrüstung). The group has been commissioned to use their international contacts and expertise to obtain personal protective equipment (PPE) such as face masks and medical gear, particularly from China-based supply and purchasing chains.

IBM X-Force IRIS’ research indicates that the threat actors behind this campaign targeted more than 100 high ranking executives in management and procurement roles within this organization and its third-party ecosystem. Overall, IBM X-Force IRIS observed approximately 40 organizations being targeted in this campaign. Given the extensive targeting observed of this supply chain, it’s likely that additional members of the task force could be targets of interest in this malicious campaign, requiring increased vigilance. IBM X-Force IRIS has notified CERT BUND about this activity to further ensure members are aware.

This discovery represents a precision-targeting campaign exploiting the race to secure essential PPE. Based on our analysis, attackers likely intended to compromise a single international company’s global procurement operations, along with their partner environments devoted to a new government-led purchasing and logistics structure.

Targeting New Medical Equipment Procurement Structures

On 30 March 2020, German government officials met with several top German MNCs to establish new ‘framework agreements’ to commission these nine companies to leverage their access to foreign markets to purchase and facilitate the delivery of PPE on behalf of various German Ministries.

Our research shows that, on this same date, suspicious activity from a Russia-based IP address toward the MNC began. Specifically, IBM X-Force IRIS discovered over 280 URLs tied to the suspicious Russia-based IP address 178[.]159[.]36[.]183, with more than a third including Base64 encoded email addresses belonging to suspected targets at the MNC and its third-party supply chain partners. Approximately half of the encoded email accounts belong to executives associated with operations, finance, and procurement within the targeted corporation. The remaining half belong to executives at third-party partners, including European and American companies associated with chemical manufacturing, aviation and transport, medical and pharmaceutical manufacturing, finance, oil and gas, and communications.

As of the time of publication, this campaign remains an ongoing operation.
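A defender triaging a campaign like this one wants to recover the Base64-encoded addresses from the phishing URLs, because each decoded address names an account the actor is targeting. The script below is an added example written for this article, not IBM X-Force IRIS tooling: it pulls Base64 tokens out of query strings, fragments and path segments, tries both the standard and URL-safe alphabets, keeps only tokens that decode to a well-formed e-mail address, and groups the results by mail domain so the targeted organisation and its partners can be told apart. The host (a TEST-NET address), the addresses and the URL layout are constructed placeholders, not indicators from the campaign.

```python
"""Recover Base64-encoded victim e-mail addresses from phishing URLs.

Credential-harvesting pages often receive the victim's address encoded in
the URL so the fake login form can be pre-filled; decoding those tokens
tells a defender which accounts a campaign is aiming at.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlparse

# Only decoded text that looks like an e-mail address is accepted.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A candidate token: standard or URL-safe Base64 alphabet, at least 8 chars.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{8,}")


def decode_email_token(token: str):
    """Return the e-mail address hidden in a Base64 token, or None."""
    token = unquote(token).strip()
    if not TOKEN_RE.fullmatch(token):
        return None
    padded = token + "=" * (-len(token) % 4)  # restore stripped '=' padding
    decoders = (
        lambda t: base64.b64decode(t, validate=True),  # standard alphabet
        base64.urlsafe_b64decode,                      # '-' / '_' variant
    )
    for decode in decoders:
        try:
            text = decode(padded).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid Base64 under this alphabet, or not text
        if EMAIL_RE.fullmatch(text):
            return text.lower()
    return None


def find_encoded_emails(url: str) -> list:
    """Extract every Base64-encoded e-mail address carried by one URL."""
    parsed = urlparse(url)
    candidates = []
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        candidates.extend(values)                        # ?id=<token>
    if parsed.fragment:
        candidates.append(parsed.fragment)               # ...#<token>
    candidates.extend(seg for seg in parsed.path.split("/") if seg)  # /<token>/
    found = []
    for candidate in candidates:
        email = decode_email_token(candidate)
        if email and email not in found:
            found.append(email)
    return found


def targeted_domains(urls) -> dict:
    """Group recovered addresses by mail domain: the corporation itself
    versus the third-party partners that appear alongside it."""
    by_domain = {}
    for url in urls:
        for email in find_encoded_emails(url):
            domain = email.rsplit("@", 1)[1]
            by_domain.setdefault(domain, set()).add(email)
    return {d: sorted(e) for d, e in sorted(by_domain.items())}


# Constructed sample URLs: placeholder host and addresses, not real IoCs.
# "Y2ZvQGV4YW1wbGUtbW5jLmRl" is the Base64 encoding of cfo@example-mnc.de.
SAMPLE_URLS = [
    "http://192.0.2.10/login/?id=Y2ZvQGV4YW1wbGUtbW5jLmRl",
    "http://192.0.2.10/office/#"
    + base64.urlsafe_b64encode(b"buyer@partner.example").decode(),
    "http://192.0.2.10/login/?id=aGVsbG8=",  # decodes to "hello": not an address
    "https://login.microsoftonline.com/common/oauth2/authorize",  # benign URL
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", find_encoded_emails(url))
    print(targeted_domains(SAMPLE_URLS))
```

Run against a proxy or mail-gateway URL export, the per-domain grouping is what gives the view the article describes: which executives inside the corporation and which partner organisations the actor has encoded into its lure links, which in turn tells you whom to warn and whose credentials to reset first.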

Credential Harvesting

IBM X-Force IRIS discovered that the URLs redirect the emailed target to a fake, actor-controlled Microsoft login page designed to steal user credentials and exfiltrate them to several different Yandex email accounts.

It is unclear how many of these phishing attacks were successful; however, through credential harvesting, threat actors could gain access to the victims’ email accounts, with the potential to collect or exfiltrate data of interest and/or move laterally through the network to fulfill other actions on objectives.

Figure 1: Fake Login Page

Figure 2: Actor-owned email account embedded in the HTML

Global Race for Resources

A global rush to obtain essential PPE for health care personnel has resulted in an unprecedented leap in prices and competition for now-critical medical resources. To secure vital supplies, nations across the globe have launched a bevy of national buying programs, emergency state export statutes, and contracting initiatives to acquire the essential equipment to address the rapid spread of coronavirus.

Given the worldwide spread of COVID-19 and fears of a pending second wave of infection, it is highly likely criminal and state-sponsored actors alike will seek to exploit global procurement and supply chains with the intention of either profiting from the crisis or supporting the acquisition activities of their host nation.

Preparation, Planning and Practice

In this extraordinary time, many organizations across the globe are being called upon to perform essential tasks to outfit, equip and support medical professionals on the frontlines of a global crisis. These companies are now part of an emerging high value target group whose reliance on digital technology to enable business practices provides a potential means of compromise to malicious cyber actors. Now, perhaps more than ever, businesses must have an actionable Incident Response Plan in place to prevent, react and recover from a cyber emergency.

IOCs associated with this campaign are available via our Enterprise Intelligence Management platform.

This campaign also underscores the need for organizations to address the risks from phishing attacks. Phishing was the initial infection vector in nearly one-third of all cyber incidents we investigated last year. Please read our previously published blog “State of the Phish: IBM X-Force Reveals Current Phishing Attack Trends” to review ways to help mitigate this threat.
