In September 2020, our IBM X-Force IRIS security analysis group began tracking unusual phishing attacks targeting suppliers of HVAC equipment and services. Looking deeper, we determined that the phishing attacks were targeting the “cold chain” that would likely distribute vaccines for COVID-19.
The activity started well before the success of the Moderna and Pfizer vaccines was announced. Both vaccines require cold storage, and the Pfizer vaccine must be kept at around minus 70 degrees Celsius. Meeting that requirement forces health care institutions either to purchase expensive ultra-cold freezers that most do not have, or to handle the vaccine in purpose-built containers packed with dry ice.
The attacker's forward planning showed significant sophistication, which led us to assess that the phishing campaign was likely the work of state actors or organized cybercriminal gangs. The attacks used careful social engineering: the emails spoofed senior executives at Haier Biomedical and sent requests for quotation to executives at COVID cold chain companies.
Based on this information, we completed a FAIR™ assessment of the risk to the COVID cold chain, and the results were concerning. Because of the pressure to distribute vaccines, the urgency of the rollout, and the shortage of production, the COVID cold chain is an attractive target that could be leveraged for many kinds of gain:
- Gathering illicit intelligence in order to steal shipments and resell them on the black market
- Deploying ransomware and extracting large payments from national governments
- Conducting geopolitical warfare, or attacks that undermine a government's longer-term position and credibility by hindering vaccine distribution
With a FAIR approach, we were able to quickly communicate the severity of this risk to the highest levels of our customers in industry, research, and government. This campaign was an outlier. As a point of comparison, earlier this year there was a wave of fake websites and phishing attacks that used COVID as a lure. Those attacks fed credential stuffing and PII harvesting, but they were nowhere near as targeted or focused as the COVID cold-chain attacks. Communicating the difference between even superficially similar threat types is therefore paramount to supplying the right protection.
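To make the quantification step concrete, here is an added example (not code from the original assessment, from IBM, or from the FAIR standard itself) of a FAIR-style Monte Carlo that contrasts the two threat types described above: a broad, frequent but cheap-per-event phishing wave versus a rare but very expensive targeted cold-chain campaign. Every scenario parameter and scenario name below is a constructed, illustrative estimate; the point is how the two produce very different loss distributions even though both are "COVID phishing", which is the difference the text says must be communicated.

```python
"""FAIR-style Monte Carlo comparison of two phishing risk scenarios.

Hypothetical example: every scenario parameter below is a constructed
estimate chosen to illustrate the method, not a figure from the original
assessment.  Risk = Loss Event Frequency x Loss Magnitude, with
LEF = Threat Event Frequency x Vulnerability; each factor is estimated as a
(min, most likely, max) range and sampled with a modified PERT distribution.
"""
import math
import random
from dataclasses import dataclass


def pert(rng: random.Random, lo: float, mode: float, hi: float, lam: float = 4.0) -> float:
    """Draw from a modified PERT distribution defined by a (min, likely, max) estimate."""
    if not lo <= mode <= hi:
        raise ValueError("expected lo <= mode <= hi")
    if hi == lo:
        return lo  # degenerate range: the estimate is a point value
    alpha = 1.0 + lam * (mode - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given an expected frequency (Knuth's method)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: tuple             # threat event frequency, attempts per year (min, likely, max)
    vulnerability: tuple   # probability an attempt becomes a loss event (min, likely, max)
    loss_magnitude: tuple  # loss per loss event in USD (min, likely, max)


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo the annual loss for a scenario; returns summary statistics."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        # One simulated year: sample LEF, then the number of loss events, then each loss.
        lef = pert(rng, *scenario.tef) * pert(rng, *scenario.vulnerability)
        events = poisson(rng, lef)
        annual_losses.append(sum(pert(rng, *scenario.loss_magnitude) for _ in range(events)))
    annual_losses.sort()

    def percentile(p: float) -> float:
        return annual_losses[min(len(annual_losses) - 1, int(p * len(annual_losses)))]

    return {
        "name": scenario.name,
        "mean": sum(annual_losses) / len(annual_losses),  # annualized loss exposure
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "max": annual_losses[-1],
    }


# Constructed estimates (illustrative only).  The broad campaign is frequent but
# cheap per event; the targeted cold-chain campaign is rare but very expensive.
BROAD_PHISHING = Scenario(
    "Broad COVID-themed phishing (credential stuffing, PII harvesting)",
    tef=(50, 100, 300), vulnerability=(0.05, 0.15, 0.30),
    loss_magnitude=(5_000, 20_000, 100_000),
)
TARGETED_COLD_CHAIN = Scenario(
    "Targeted cold-chain spear phishing (shipment theft, ransomware)",
    tef=(1, 3, 8), vulnerability=(0.20, 0.40, 0.70),
    loss_magnitude=(1_000_000, 5_000_000, 30_000_000),
)


def compare(scenarios=(BROAD_PHISHING, TARGETED_COLD_CHAIN), iterations: int = 10_000) -> list:
    """Simulate each scenario and return the summaries sorted by 90th-percentile loss."""
    return sorted((simulate(s, iterations) for s in scenarios),
                  key=lambda r: r["p90"], reverse=True)


if __name__ == "__main__":
    for r in compare():
        print(f"{r['name']}\n  ALE ${r['mean']:,.0f}  p50 ${r['p50']:,.0f}"
              f"  p90 ${r['p90']:,.0f}  max ${r['max']:,.0f}")
```

The mean (annualized loss exposure) alone hides the distinction: the 90th-percentile and maximum columns are what show an executive why the targeted campaign deserves a different response than the broad one. Replacing the constructed ranges with calibrated estimates from the organization's own data is the real work of a FAIR assessment.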
Conclusion: Quantification, Communication, Remediation, Validation
Taking this a step further, we recommend that organizations in the COVID cold chain mount a comprehensive threat analysis program. We did this for our exposed customers using Breach-and-Attack Simulation (BAS), focusing on phishing attacks, potential lateral movement, and the other likely secondary attack types we have seen used against healthcare organizations and other COVID-facing organizations.
Based on that work, we made many remediation recommendations to clients and then used BAS to validate that the remediations would block the indicated attack types in production environments.
In the future, we plan to automate remediation steps based on FAIR quantification results, and to continuously tune our threat intelligence and vulnerability management engines to better coordinate quantification (FAIR) with remediation and validation (BAS).
Only with this kind of rigorous approach can organizations keep up with the rapid pace at which cybercriminals innovate and change. With better communication tools, we can improve the response speed and the general security metabolism of organizations facing ever greater risk.