At the onset of the COVID-19 pandemic, IBM Security X-Force created a threat intelligence task force dedicated to tracking down COVID-19 cyber threats against organizations that are keeping the vaccine supply chain moving. As part of these efforts, our team recently uncovered a global phishing campaign targeting organizations associated with a COVID-19 cold chain. The cold chain is a component of the vaccine supply chain that ensures the safe preservation of vaccines in temperature-controlled environments during their storage and transportation.

Our analysis indicates that this calculated operation started in September 2020. The COVID-19 phishing campaign spanned across six countries and targeted organizations likely associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program, which we explain further in this blog. While firm attribution could not be established for this campaign, the precision targeting of executives and key global organizations hold the potential hallmarks of nation-state tradecraft.

Some details from IBM Security X-Force’s analysis of this activity include:

  • The Cover Story — The adversary impersonated a business executive from Haier Biomedical, a credible and legitimate member company of the COVID-19 vaccine supply chain and qualified supplier for the CCEOP program. The company is purportedly the world’s only complete cold chain provider. Disguised as this employee, the adversary sent phishing emails to organizations believed to be providers of material support to meet transportation needs within the COVID-19 cold chain. We assess that the purpose of this COVID-19 phishing campaign may have been to harvest credentials, possibly to gain future unauthorized access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution.
  • The Targets — The targets included the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation and software and internet security solutions sectors. These are global organizations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan.
  • The How — Spear-phishing emails were sent to select executives in sales, procurement, information technology and finance positions, likely involved in company efforts to support a vaccine cold chain. We also identified instances where this activity extended organization-wide to include help and support pages of targeted organizations.

IBM Security X-Force has followed responsible disclosure protocols and notified the appropriate entities and authorities about this targeted operation.

Alert for the COVID-19 Supply Chain

IBM Security X-Force urges companies in the COVID-19 supply chain — from research of therapies, healthcare delivery to distribution of a vaccine — to be vigilant and remain on high alert during this time. Governments have already warned that foreign entities are likely to attempt to conduct cyber espionage to steal information about vaccines. Today, in conjunction with this blog, DHS CISA is issuing an alert encouraging organizations associated with the storage and transport of a vaccine to review this research and recommended best practices to remain vigilant.

Calculated Spoofing to Compromise the COVID-19 Cold Chain

IBM Security X-Force uncovered targets across multiple industries, governments and global partners that support the CCEOP program. The CCEOP was launched by Gavi, The Vaccine Alliance along with the United Nations Children Fund (UNICEF) and other partners in 2015. Its objective is to ultimately strengthen vaccine supply chains, optimize immunization equity and ensure an agile medical response to outbreaks of infectious diseases. Various classes of medication, and especially vaccines, require storage and transport in temperature-controlled environments to ensure their safe preservation.

The CCEOP initiative is naturally accelerating efforts to facilitate the distribution of a COVID-19 vaccine. A breach within any part of this global alliance could result in the exposure of numerous partner computing environments worldwide.

The spoofed phishing emails appear to originate from a business executive from Haier Biomedical, a Chinese company currently acting as a qualified supplier for the CCEOP program, in coordination with the World Health Organization (WHO), UNICEF and other U.N. agencies. It is highly likely that the adversary strategically chose to impersonate Haier Biomedical because it is purported to be the world’s only complete cold chain provider. Likewise, the Haier Biomedical employee who is purported to be sending these emails would likely be associated with Haier Biomedical’s cold chain distribution operations based on his role, which is listed in the email signature block.

It’s unclear from our analysis if the COVID-19 phishing campaign was successful. However, the established role that Haier Biomedical currently plays in vaccine transport, and their likely role in COVID-19 vaccine distribution, increases the probability the intended targets may engage with the inbound emails without questioning the sender’s authenticity.

Credential Harvesting for Wider Access

The subject of the phishing emails posed as requests for quotations (RFQ) related to the CCEOP program. The emails contain malicious HTML attachments that open locally, prompting recipients to enter their credentials to view the file. This phishing technique helps attackers avoid setting up phishing pages online that can be discovered and taken down by security research teams and law enforcement.

We assess that the purpose of this campaign may have been to harvest credentials to gain future unauthorized access. From there, the adversary could gain insight into internal communications, as well as the process, methods and plans to distribute a COVID-19 vaccine. This includes information regarding infrastructure that governments intend to use to distribute a vaccine to the vendors that will be supplying it. However, beyond critical information pertaining to the COVID-19 vaccine, the adversary’s access could extend deeper into victim environments. Moving laterally through networks and remaining there in stealth would allow them to conduct cyber espionage and collect additional confidential information from the victim environments for future operations.

Figure 1: Phishing email sent to executives in organizations related to the COVID-19 vaccine supply chain.

Global Targeting

Given the specialization and global distribution of organizations targeted in this campaign, it’s highly likely that the adversary is intimately aware of critical components and participants of the cold chain.

  • European Commission’s Directorate-General for Taxation and Customs Union — The Directorate-General is responsible for promoting cooperation on customs and tax matters across the EU. It maintains direct ties to multiple national government networks and is associated with trade and regulation. Targeting this entity could serve as a single point of compromise impacting multiple high-value targets across the 27 member states of the European Union and beyond.
  • Energy Sector — Spear phishing targets included companies involved in manufacturing solar panels. One of the ways that vaccines are kept cold in countries where reliable power is not possible is by using vaccine refrigerators powered by solar panels. A compromise of such technologies could result in intellectual property theft or stealing and selling vaccine shipping containers in black markets across the globe. Targeting also included companies associated with petrochemicals. Among the key components of cold chain is the use of dry ice, which is a byproduct of petroleum production.
  • IT Sector — Amongst the targets were a South Korean software development firm and a German website development company. The latter supports multiple clients associated with pharmaceutical manufacturers, container transport, biotechnology and manufacturers of electrical components enabling sea, land and air navigation and communications.

Who is Likely Behind These Attacks?

While attribution is currently unknown, the precision targeting and nature of the specific targeted organizations potentially point to nation-state activity. Without a clear path to a cash-out, cyber criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets. Likewise, insight into the transport of a vaccine may present a hot black-market commodity, however, advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target.

Earlier in 2020, IBM Security X-Force uncovered activity surrounding the targeting of a global COVID-19 PPE supply chain. Similarly, as the global competition races for a vaccine, it is highly likely the cold chain is a compelling target that will be at the top of the lists of national collection requirements worldwide.

Recommendations to Defenders

IBM Security X-Force stands ready to host the COVID-19 supply chain community on our Enterprise Intelligence Management platform, where they can share threat information and take action on the latest threat intelligence. The following are recommendations for organizations to increase their cyber readiness amidst the developments outlined in this blog:

  • Create and test incident response plans to strengthen your organization’s preparedness and readiness to respond in the event of an attack.
  • Share and ingest threat intelligence. Threat-sharing initiatives and partnerships are essential to staying alert about the latest threats and attack tactics impacting your industry. IBM Security X-Force has been feeding this threat intelligence into the COVID-19 threat sharing enclave. At the onset of the pandemic, IBM made this enclave freely accessible to any organization in need of more eyes on cyber threats.
  • Assess your third-party ecosystem and assess potential risks introduced by third-party partners. Confirm you have robust monitoring, access controls and security standards in place that third-party partners need to abide by.
  • Apply a zero-trust approach to your security strategy. As environments continue to expand, managing privilege access becomes paramount to ensuring that users are only granted access to the data that is essential to their job.
  • Use Multifactor Authentication (MFA) across your organization. MFA works as a fail-safe if a malicious actor has gained access to your credentials. As a last line of defense, MFA offers a second form of verification requirement in order to access an account.
  • Conduct regular email security educational trainings so employees remain on alert about phishing tactics and are familiar with email security best practices.
  • Use Endpoint Protection and Response tools to more readily detect and prevent threats from spreading across the organization.

If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034 Learn more about X-Force’s threat intelligence and incident response services.

Indicators of Compromise (IOCs)

Malicious HTML Files: RFQ – UNICEF CCEOP and Vaccine Project – Copy (#).html

SHA256 Hashes
d32b4793e4d99bb2f9d4961a52aee44bbdba223699075ed40f6a6081e9f1e6b4
ace86e8f5d031968d0c9319081a69fa66ce798e25ec6bbd23720ee570651aa04
7f53eca4a3e083ad28c8d02862bc84c00c3c73a9d8b7082b7995f150713d4c51
e3de643f3acebf1696a2b275f4ab1d0bacb5a8ba466ee8edbaaffaaa44cd2f10
a8c42db5ccddbde5b17ce3545189329a33acfdd4a8b9aff0c7e4294709b60af6
07dbe854a34e61349adcc97dd3e2eb5a9158e02568bae3e2aae3859aeeb5b8a9
7898d4596b6125129698866dbfa1a71d069aee3fd84ecb43343c3bf377a7abe2
7fc47e4fdce42b032b8ad0438cb5c76ed42a36d8c6a3e16d42dd0b69f49f33bd
83f8934fadccbaaa8119cd542382fbb9b97dfd196ef787b746ccaaf11f1d444e
6126052b0b200e04ce83a3fa470efee6ba82882674ebcc46c326b0a6c7fbfab4
75768be2e98b8010256f519a19a2a47d8983686389b2eeab300aca063b229be5
b98984a7bf669518b074ef1c8fc4240e4ad6f4a2ccc80a7940a0b56150809e37
33c44f32de3153d7705371c4a0c8d695a4e4eb22b4c4f2f3bda519631efb09af
a90056d8d0853f54dec3c8738fbcea6185f87aae6102cff2c0e1def49ccde977
68f4e8b58367ae1d0f8c392b43f459b1d942faf979953233a104cd74944b88f4
0ec6a1a0b353c672307220fe69ca4c3be6e516505e1f16b5bb8f3b55adaa0c0e
61e7f48f41414d3c945b7317023ca27e5d3f011b0a2e16354641748cc0f9df8e
0ac984f340a2903228b17e28c3a0f4507f5fc780bfe6505f196d2b92feccfab8
9143c2499a1cb2fb4e86ba6f9552f752358d8c8b635376aa619305431a3eec50
49468e2cbaab71a1035f45ef1d4a7cd791e2d5c2bbbfc9d29249d64f40be9aa4
8dc052382d626a2b1fb9181bdc276858386098e1919276c682a0a2b397dab80b
61bae857955c5cabf20119a918a0ebd83cbe9a34ebc6ee628144d225ab0867df
93643badb18f8dccba1eae3d0a44e8a91d4646cb4d1d4b61e234bf7edc58969c
c22ec0725f45221e477c9966a32b8faadd3e320c278043e57252903be89664cc
d5cd18bd27b7525d5e240d5dca555844ec721f8f4be224b91c047b827b7e5529
3e6b7d3055b50c2fd65231d1f757e3f0a6a1dbd803601d2e4223ace4d2bc1198
d32b4793e4d99bb2f9d4961a52aee44bbdba223699075ed40f6a6081e9f1e6b4
28511c50efe2fc02f7a437864e48f8c2983637507c2f8d8773e32ed9a420c895
Scroll to view full table

 C2 URLs

hxxps://e-mailer.cf/next[.]php

hxxps://e-mailer.ga/next[.]php

hxxps://nwa-oma2.ml/next[.]php

hxxps://routermanager.ga/next[.]php

hxxps://routermanager.gq/next[.]php

hxxps://routermanager.ml/next[.]php

hxxps://routermanagers.cf/next[.]php

hxxps://routermanagers.ga/next[.]php

hxxps://routermanagers.gq/next[.]php

hxxps://routermanagers.ml/next[.]php

hxxps://serverrouter.cf/next[.]php

hxxps://serverrouter.ga/next[.]php

hxxps://serversrouter.cf/next[.]php

hxxps://serversrouter.gq/next[.]php

hxxps://nwa-oma.ml/next[.]php

Sender Email Addresses

yongbinxu@haierbiomedical[.]com

DNS SOA Addresses

rahim[@]protonmail[.]com

kilode[@]cock.li.

Additional Related URLs

hxxps://mailerdeamon[.]cf

hxxps://mailerdeamon[.]ga

hxxps://mailerdeamon[.]gq

hxxps://mailerdeamon[.]ml

hxxps://mailerdeamon[.]tk

hxxps://routermanager[.]tk

hxxps://routermanagers[.]tk

hxxps://serverrouter[.]tk

Register for the webinar: “New Global Phishing Campaign Targeting the COVID-19 Vaccine Cold Chain”

More from X-Force

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today