Cyberattacks Found on Vaccine Distribution Operations

A number of cyberattacks are underway against companies and government organizations that will distribute coronavirus vaccines around the world, IBM's cybersecurity division has determined. It is unclear, however, whether the goal is to steal the technology used to keep the vaccines cold in transit or to sabotage the shipments.

The findings are alarming enough that the Department of Homeland Security plans to issue its own warning on Thursday to Operation Warp Speed, the Trump administration's effort to develop and distribute coronavirus vaccines, federal officials said.

Both the IBM researchers and the department's Cybersecurity and Infrastructure Security Agency said the attacks were aimed at stealing network data from executives and officials of global organizations involved in the refrigeration needed to protect the vaccine doses, what the industry calls the cold chain.

Josh Corman, a coronavirus strategist at the Cybersecurity and Infrastructure Security Agency, said in a statement that the IBM report was a reminder of the need for "cybersecurity due diligence at every step in the vaccine supply chain." He called on organizations involved in the storage and transport of vaccines "to harden attack surfaces, especially in cold store operations."

The cyberattackers “were working to gain access to the shipping, storage, refrigeration and delivery of the vaccine,” said Nick Rossmann, head of IBM’s global threat intelligence team. “We believe whoever is behind this wanted to understand the entire cold chain process.”

Many of the approaches came in the form of "spear phishing" emails posing as an executive of Haier Biomedical, a large Chinese company that is a legitimate participant in the distribution chain. The email says "We'd like to place an order with your company" and carries a draft contract laced with malware that the attackers can use to gain a foothold on the recipient's network.

Researchers at IBM Security X-Force, the company's cybersecurity arm, believed the attacks were sophisticated enough to indicate a government-sponsored operation rather than a criminal one aimed solely at making money. But they could not identify which country might be behind them.

Outside experts said they doubted China was responsible, even though it has been accused of stealing vaccine information from universities, hospitals and medical researchers, because it would be out of character for Chinese hackers to impersonate executives of a large Chinese company.

If they are correct, the prime suspects would be hackers in Russia and North Korea, both of which the United States has accused of carrying out attacks to steal information about how vaccines are made and distributed. It is sometimes difficult to tell the difference between hacking operations run on behalf of the Russian or North Korean governments and those carried out for private gain.

The motive is also unclear. The attackers may simply be trying to steal technology to transport large quantities of vaccine over long distances at extremely low temperatures, which would be a classic form of intellectual property theft.

However, some cybersecurity experts suspect something more nefarious: an effort to disrupt distribution, or a ransomware attack in which the vaccines are effectively held hostage by hackers who have broken into and locked the systems that run the distribution network and who demand a large payment to unlock them.

"There's no intelligence benefit to spying on a refrigerator," said James Lewis, who directs cybersecurity programs at the Center for Strategic and International Studies in Washington. "My suspicion is that they are preparing for a ransomware game. However, we won't know how these stolen credentials will be used until after vaccine distribution begins."

The IBM researchers described their work in an interview before the company released its findings. They said the attackers sent out various requests for pricing and product information, some purportedly on behalf of Gavi, the Vaccine Alliance, a public-private partnership that helps developing countries obtain vaccines.

Many of the targets were in Asia, but some were in Europe, including the European Commission's Directorate-General for Taxation and Customs Union. IBM noted that the organization has "direct links to several national government networks," which suggests the attackers had a sophisticated understanding of how to pick targets that could give them a path into many countries.

But other organizations were also affected, from Taiwan and South Korea to Germany and Italy. Some were involved in the solar-powered cooling systems for the vaccine.

The attackers’ emails were directed to companies that provide key components of the cold chain process. These include ice-lined vaccine boxes and solar panels to power refrigerated vaccine containers – a key feature in poor countries where electricity can be scarce.

The researchers said the efforts appeared to be aimed at stealing credentials that could ultimately have led the attackers to a wealth of information, including vaccine distribution schedules, lists of vaccine recipients and the shipment of doses.

IBM was unable to determine whether the attacks were successful, the company said. The researchers said the attackers targeted a Gavi program launched in 2015, before the coronavirus emerged, to improve cold chain equipment for vaccines in dozens of countries.

UNICEF, which plans to distribute vaccines to poorer countries, appears to have been another target. Najwa Mekki, a spokeswoman for the organization, said IBM researchers had alerted officials to the threat to the cold chain system. “We have notified our utility networks and made the relevant teams aware of the need to increase vigilance.”

So far, there is no evidence that the attackers targeted Pfizer or Moderna, whose vaccines are expected to be the first approved for emergency use in the United States. A Pfizer spokeswoman said Wednesday that the company's cold rooms were designed by security-conscious experts and tailored to the specific needs of the Pfizer vaccine, which must be stored at extremely low temperatures.