Watch CBS News

Hackers are attacking the COVID-19 vaccine supply chain

Hackers targeted vaccine supply chain
Hackers targeted COVID-19 vaccine supply chain 06:30

Hackers have targeted companies that distribute the COVID-19 vaccine to a degree previously unreported, according to research from IBM Security.

Starting last year, attackers attempted to access sensitive information about the vaccine's "cold chain" distribution system. IBM Security said the phishing attack targeted 44 companies in 14 countries across Europe, North America, South America and Asia. It is unclear if the hackers were successful in breaching systems. The hacking victims include high-ranking executives at a petrochemical firm, a solar energy manufacturer, several IT companies and a department at the European Commission. 

The cyberattack was first discovered in late 2020. Researchers initially believed the hacking campaign targeted the GAVI alliance, a coalition of governments and companies that help developing countries distribute vaccines. At the time, it was unclear if the campaign was successful, according to IBM's global lead for threat intelligence, Nick Rossmann.

But the new IBM research shows the operation's scope was larger than previously thought, requiring significant "premeditated planning," Rossmann said. "This was a very well-calibrated, complex and precise campaign."

Although his team cannot conclusively attribute the cyberattack to a particular actor, Rossmann said "this operation has the hallmarks of nation-state activity. We're dealing with an adversary [that] has an acute understanding of [the vaccine] supply chain."

The ability to disrupt or destroy vaccine supplies amount to a form of saber-rattling, Rossmann said.

"We're far from over the COVID-19 crisis, and while the U.S. has turned the corner with its vaccination progress, many other countries continue to face significant challenges. As countries struggle to get access to vaccines, this type of adversarial activity illustrates a race for influence over the vaccine market," he said.

The targets

A range of health care firms were major targets of the hacking scheme. That includes biomedical research organizations, medical equipment manufacturers; pharmaceutical firms, surgical material makers, immunology experts and pharmacies distributing COVID-19 rapid tests.

Logistics and transportation were also heavily targeted in the cyberattack, including eight companies in the automotive, aviation, maritime and transport services sectors across Italy, Korea, Japan, Colombia and the U.S.

"Logistics firms are a particularly ripe target," Rossmann said. "They are moving the vaccine in different places around the world. You can imagine that a refrigeration company probably doesn't have the same security as one of the largest banks in the world." 

This hacking group was capable of surreptitiously mining large amounts of data about how the vaccine is shipped, or even shutting down the company's operational systems. "Potentially [hackers] could spoil the vaccine batches that they have in refrigeration units," he said.

The tactics

The attack was carried out in multiple stages. The hackers used highly customized spear-phishing emails to target companies in the cold chain. Phishing hacks are emails or text messages that appear to be sent from a legitimate source and are intended to steal a victim's username and password. Most phishing attacks, like spam, are imprecise and sent to thousands of recipients. 

The cold chain hackers posed as an employee of Haier Biomedical. IBM Security

The cold chain hackers devised a clever cover story: They impersonated an employee of Haier Biomedical, one of the world's most respected cold chain providers and a client of one of the first targets.

Those targets were CEOs, product managers, sales managers and finance executives who anticipated an email requesting approval. The phishing message they received was so well-crafted that at least some of its recipients fell for the scam, Rossman said.

"The quote generally looked very good! And when you clicked on this email, a PDF popped up with a, 'Hey, can you please write your username, your password,' not typical for a PDF you would get from a supplier," Rossmann said.

Once inside the network, the hackers were able to steal important credential information, move to other parts of the network and send additional phishing messages by posing as executives from the company. 

Harvested credentials are also often used to gain future unauthorized access to corporate networks and sensitive information. Researchers eventually discovered an additional 50 similar messages targeting the cold chain companies.

COVID-19 presented a huge opportunity for a wide spectrum of cybercriminals and malicious actors. The Department of Health and Human Services last month issued a phishing alert, warning: "Fraudsters are offering COVID-19 tests, HHS grants, and Medicare prescription cards in exchange for personal details, including Medicare information."

Email scams in particular are surging, according to the cyber defense firm Barracuda. A Verizon report last year found that phishing was responsible for almost 70% of data breaches. 

"This threat is very real"

"Cold chain companies are a piece of critical infrastructure and they're under attack," Rossmann said, noting that damaging these firms poses a major risk to public safety and national security. 

The hackers' attempt to disrupt or destroy vaccine supplies was likely intended to undermine trust in the treatments, he said. If even a small percentage of COVID-19 vaccine doses were damaged, it could weaken trust in the entire system. 

"This threat is very real, and our goal is to make sure anyone involved in any aspect of the supply chain is on high alert," Rossman said. "In the United States, Canada and Europe, where there is already doubt [about vaccine safety], sowing mistrust is a part of the arsenal of what some of these adversaries do."

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.