Cyber attackers have targeted the cold supply chain needed to deliver COVID-19 vaccines, according to a report detailing a sophisticated operation likely backed by a nation-state.
The hackers appeared to be trying to disrupt or steal information about the vital processes to keep vaccines cold as they travel from factories to hospitals and doctors’ offices.
According to the report by IBM’s threat intelligence task force, which advises companies and the public sector on cyber security, the attackers targeted organizations associated with a cold chain platform run by the Gavi vaccine alliance, a public-private partnership for developing immunization for poorer countries.
Many of the COVID-19 vaccines have to be kept cold to keep them from spoiling. Pfizer and BioNTech’s vaccine must be kept between minus 70C and minus 80C, while Moderna’s shot needs to be transported at minus 20C.
The attackers pretended to be an executive at a Chinese supplier of ultra-cold refrigeration to mount a phishing campaign trying to obtain usernames and passwords, the report said.
Nick Rossmann, IBM’s global lead for threat intelligence, said he believed the hackers were either looking to disrupt the vaccine delivery process or steal intellectual property.
“One side of it is cyber espionage: How do you get vaccines out? How is the manufacturing process working for refrigeration? How are you managing the entire logistics chain?” he said. “There’s also potential for disruption, being able to launch attacks that disrupt vaccines, and their distribution to undermine trust in them around the world.”
He added that it was vital to treat the vaccine supply chain as “a new type of global critical infrastructure” to help secure the products that could help end the pandemic.
“These refrigeration companies are not going to have the same security tools that advanced financial institutions have,” he said.
The news prompted the US cyber agency on Wednesday to issue a formal alert to other groups involved in the cold supply chain.
Claire Zaboeva, senior strategic cyber threat analyst at IBM, said it could be the “tip of an iceberg” in a larger global campaign, as the hackers try to find holes in security and jump between companies and governments involved in the mass vaccination programs.
“It was an extremely well-researched and well-placed campaign. And that does potentially point to a very competent person or team,” she said.
The IBM report described a hacking campaign that spanned six countries, aimed at the European Commission’s customs and taxation unit, and organizations in energy, manufacturing and technology. The campaign started in September and the task force discovered the threat in October.
The IBM researchers do not know if the hackers were successful at gaining entry to the networks.
“Today’s report highlights the importance of cyber security diligence at each step in the vaccine supply chain,” said Josh Corman, the Cybersecurity and Infrastructure Security Agency’s chief strategist for healthcare.
The FBI has been notified of the attacks. The Gavi vaccine alliance said it had “strong policies and processes in place to prevent such phishing attacks and hacking attempts” and that it would continue to strengthen its security.
The European Commission said it was aware of the campaign and had taken “necessary steps” to mitigate the attack. It added that it takes cyber security seriously and investigates every incident.
Additional reporting by Kadhim Shubber in Washington DC.