Crooks posing as COVID-19 'cold chain' company phished EU for vaccine intel, says IBM

Medical fridge firm finagling carries hallmarks of state-sponsored hack dogs


An unidentified group of malicious sorts impersonated a so-called "cold chain" company involved in COVID-19 vaccine distribution networks then targeted an EU governmental agency, according to IBM.

Infosec researchers from Big Blue's X-Force threat intelligence unit "uncovered targets across multiple industries, governments and global partners" involved in setting up the vaccine cold chain, it said in a blog post today.

"Our analysis indicates that this calculated operation started in September 2020," wrote IBM's Claire Zaboeva and Melissa Fryrych. "While firm attribution could not be established for this campaign, the precision targeting of executives and key global organizations hold the potential hallmarks of nation-state tradecraft."

The phishing campaign's operators reportedly posed as an executive from the Chinese arm of Haier Biomedical, a business IBM described as "a credible and legitimate member company of the COVID-19 vaccine supply chain and qualified supplier for the CCEOP program."


CCEOP stands for Cold Chain Equipment Optimization Platform, an initiative to make sure there are enough fridges and refrigerated transport available between vaccine factories and vaccination sites. Some of the most recently announced vaccines need to be stored and transported at temperatures between -20°C and -70°C to keep the vaccine in a usable state before it is administered.

The group also sent spear-phishing emails to other companies, targeting staff in sales, procurement, IT and finance departments – and to the EU's Directorate-General for Taxation and Customs Union, which also sets the rules on how vaccines cross the political bloc's borders.

According to IBM: "The Haier Biomedical employee who is purported to be sending these emails would likely be associated with Haier Biomedical's cold chain distribution operations based on his role, which is listed in the email signature block."
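A convincing name and job title in a signature block say nothing about where a message actually came from, so the first check a defender makes on a suspected executive-impersonation email is whether the visible From: address is backed by SPF or DKIM results that align with it, and whether replies are being quietly routed elsewhere. The following is an added example of that triage step; it is not code from IBM's report or from The Register, and every domain and address in it is hypothetical (the sample message is constructed for the demonstration).

```python
"""Header-alignment triage for a suspected sender-impersonation email.

Added example (not from IBM's X-Force report). Parses a raw RFC 5322 message,
extracts the From: domain, the envelope sender (Return-Path) and the receiving
MTA's Authentication-Results verdicts, then flags the classic impersonation
signals: a From: domain with no aligned SPF/DKIM pass behind it, a Reply-To
pointing at a different organisation, and a recorded DMARC failure.
All domains below are hypothetical.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: the visible sender claims to be a cold-chain executive at
# a (hypothetical) supplier, but the mail was relayed and DKIM-signed by an
# unrelated domain, and replies are steered to a free webmail account.
SAMPLE_EMAIL = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mail-relay.example.net;
 dkim=pass header.d=mail-relay.example.net;
 dmarc=fail header.from=coldchain-supplier.example
From: "J. Doe, Cold Chain Distribution" <j.doe@coldchain-supplier.example>
Reply-To: j.doe.coldchain@freemail.example.com
To: procurement@agency.example.eu
Subject: RFQ: ultra-low temperature storage units for vaccine distribution
Content-Type: text/plain; charset=utf-8

Please review the attached quotation and confirm your credentials via the portal.

--
J. Doe
Head of Cold Chain Distribution, Coldchain Supplier Ltd
"""


def domain_of(addr) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Crude organisational domain (last two labels), mirroring DMARC's relaxed
    alignment. Assumption: adequate for the hypothetical domains here; real
    deployments should consult the Public Suffix List."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results header into {method: (result, domain)}.
    Only the properties needed for alignment checks are kept."""
    results = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        dom = (props.get("smtp.mailfrom") or props.get("header.d")
               or props.get("header.from") or "")
        results[method.lower()] = (result.lower(), dom.rpartition("@")[2].lower())
    return results


def triage(raw: bytes) -> dict:
    """Return alignment verdicts and a list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    envelope_domain = domain_of(msg["Return-Path"])
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    spf_result, spf_domain = auth.get("spf", ("none", ""))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    spf_aligned = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)

    findings = []
    if not (spf_aligned or dkim_aligned):
        findings.append(f"From: domain {from_domain} has no aligned SPF/DKIM pass "
                        f"(envelope sender domain: {envelope_domain})")
    if reply_domain and org_domain(reply_domain) != org_domain(from_domain):
        findings.append(f"Reply-To routes replies to {reply_domain}, not {from_domain}")
    if auth.get("dmarc", ("none", ""))[0] == "fail":
        findings.append("receiving MTA recorded dmarc=fail")
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL)["findings"]:
        print("FLAG:", finding)
```

The check is necessary rather than sufficient: an attacker who registers a lookalike domain and sets up SPF and DKIM for it will pass alignment cleanly, so this triage should be paired with a comparison of the From: domain against the impersonated organisation's real domains and with the usual scrutiny of any attachment or link the message carries.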

We have asked Haier's UK arm for comment and will update this article if we hear back from the firm.

"In times like these, knowledge is power – and so it inevitably becomes a big target," said Jake Moore, cybersecurity specialist at ESET. "Malicious actors from around the world will be attempting to steal any data possible, however trivial it may seem, on the most sought-after vaccines the world has seen in generations. The potential impact of these vaccines naturally attracts attention from bad actors wanting to monetize or disrupt the situation."

Earlier this year The Register reported how eavesdropping agency GCHQ claimed to be actively targeting Russian hackers who were trying to illicitly access UK coronavirus research. Back in the summer we also reported how GCHQ offshoot the National Cyber Security Centre, along with the US NSA spy agency, had explicitly accused Russian agents of trying to break into Western research institutions.

Chris Ross, a Barracuda Networks veep, opined: "The purpose of today's concerted attack on the COVID vaccine supply 'cold chain' is likely to acquire leverage in a multimillion-pound ransomware attempt, to sell key data on the 'black market' to the highest international bidder, or, quite simply, to disrupt the UK's standing as the first country in the world to start vaccinating its citizens on a mass scale."

While IBM has not attributed the phishing campaign to any country or known hacking crew, it would be unusual for an intelligence-gathering campaign impersonating a Chinese company – even the Western divisions of a Chinese company – to originate from the West. ®

