The IBM team said the “precision targeting of executives and key global organizations hold the potential hallmarks of a nation-state tradecraft.”
The hackers took measures to hide their tracks, and the cyber-sleuths did not name which state might be behind the campaign.
The IBM team said it was not known why the hackers were trying to penetrate the systems. It suggested the intruders might either want to steal information, glean details about technology or contracts, create confusion and distrust, or to disrupt the vaccine supply chains themselves.
The hackers likely sought “advanced insight into the purchase and movement of a vaccine that can impact life and the global economy,” the IBM team said.
As there was “no clear path to a cash-out,” as there is a ransomware attack, it increased the likelihood of a state actor, though the IBM sleuths cautioned it was still possible that criminals could be looking for ways to illegally obtain “a hot black-market commodity,” such as an initially scarce vaccine.
The new generation of RNA vaccines, such as the Pfizer product approved for emergency use by Britain on Wednesday, require sub-Antarctic temperatures for storage and transport. But even more traditional vaccines, such as the candidate being tested by Oxford University and its partner AstraZeneca, must be kept refrigerated.
The hackers targeted organizations linked to Gavi, a public-private vaccine alliance that seeks to supply vaccines to poor countries. The alliance works closely with the World Health Organization, donor countries, the global pharmaceutical industry and the Bill & Melinda Gates Foundation.
IBM said one of the targets was the vaccine alliance’s Cold Chain Equipment Optimization Platform.
The U.S. Cybersecurity and Infrastructure Security Agency on Thursday alerted organizations involved with the storage and transport of vaccines to be on the lookout for the type of phishing operations described in IBM advisory.
The cybersecurity agency encouraged all organizations in involved in the Trump administration’s Operation Warp Speed to be especially alert to challenges to their cold chain systems.
In a blog post, which was distributed to cybersecurity agencies, IBM said an intruder impersonated a business executive at Haier Biomedical, a legitimate Chinese company active in vaccine supply chain, which specializes in refrigeration of medical products. The impersonator sent emails to “executives in sales, procurement, information technology and finance positions, likely involved in company efforts to support a vaccine cold chain.”
It’s unclear if any of the phishing attempts were successful.
In her post, Claire Zaboeva, Senior Strategic Cyber Threat Analyst at IBM, wrote, “The targets included the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation and software and internet security solutions sectors. These are global organizations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan.”
This is not the first attempt by hackers to gain entry into secure networks protecting vaccines.
Hackers linked to a Russian intelligence service tried to steal information from researchers working to produce coronavirus vaccines in the United States, Britain and Canada, security officials in those countries reported in July.
The hackers, who belong to a unit known variously as APT29, “the Dukes” or “Cozy Bear,” were targeting vaccine research and development organizations in the three countries, the officials said in a joint statement. The unit is one of the two Russian spy groups that penetrated the Democratic Party’s computers in the lead-up to the 2016 presidential election.
Microsoft last month reported “mostly unsuccessful attempts” by state-backed Russian and North Korean hackers to steal data from pharmaceutical companies and vaccine developers, according to The Associated Press.