Researchers at International Business Machines Corp. have uncovered a global phishing campaign targeting the distribution of COVID-19 vaccines.

The campaign consists of “spear phishing” emails seeking to gain credentials of employees at companies currently in the process of shipping coronavirus vaccines.

IBM Security Intelligence explained in a blog post today that the operation targeted the COVID-19 vaccine cold chain, a component of the vaccine supply chain that ensures the safe preservation of vaccines in a temperature-controlled environment during their storage and transportation. It started in September.

The phishing campaign spans six countries and is targeting organizations associated with Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform. Gavi is a public-private global health partnership that has the goal of increasing access to immunization in poor countries.

In this case, those behind the phishing campaign impersonated a business executive from Qingdao Haier Biomedical Co. Ltd., a legitimate member company of the COVID-19 vaccine supply chain to target employees at he various organizations. The phishing emails attempted to harvest credentials to gain access to networks with a likelihood of later gaining access to sensitive information concerning COVID-19 vaccine distribution.

Targets included the European Commission’s Directorate-General for Taxation and Customs Union and organizations within the energy, manufacturing, website creation and software and internet security solutions sectors in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan.

“To ease the path to discovery and distribution, especially during COVID-19, many pharmaceutical and biotechnology companies are creating global initiatives and consortiums to share best practices and resources,” Ali Haughton, global healthcare strategist at identity management firm Sailpoint Technologies Inc., told SiliconANGLE. “Increasingly, this interconnected, global web of people, technologies and data sources has embraced cloud and digital technologies to seamlessly collaborate. However, expanded remote and team collaborations during the pandemic have brought upon a different type of threat – a digital one involving security gaps and massive data breaches.”

Stephen Banda, senior manager, security solutions at mobile security provider Lookout Inc., noted that the more expansive the supply chain, the greater the third-party risk to supply-chain operations. “Manufacturers rely on a web of external workers, contractors, and service partners to maintain equipment, package products, manage waste, ensure worker safety, and much more,” he said.

The cold chain attack also attracted the attention of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency, which warned that organizations involved in vaccine storage and transport should review the IBM X-Force report.

“It’s fascinating that the DHS would release news on ongoing/emerging cyberattacks because that indicates that they’d like as many people as possible to be aware of threats and to respond accordingly,” said Tom Pendergast, chief learning officer at digital security awareness training firm MediaPro Holdings LLC. “The advice to anyone, especially to senior people within the widely distributed vaccine network, is to verify, verify, verify before you put any information at risk.”

The first country to approve the distribution of a COVID-19 vaccine is the U.K., with the Pfizer/BioNTech coronavirus vaccine going into distribution as soon as next week.

Photo: Pixnio