IBM Uncovers Global Email Attack on COVID Vaccine Supply Chain
The company’s task force dedicated to tracking down COVID-19 cyber security threats said it discovered fraudulent emails impersonating a Chinese business executive at a credible cold-chain supply company. The emails, dating back to September, targeted organizations across six countries, including Italy, Germany, South Korea, the Czech Republic, greater Europe and Taiwan, the company said.
A number of cybersecurity leaders weighed in on this discovery:
Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software:
"The intellectual property relating to mass-market pharmaceuticals has tremendous value and so is a significant prize for a cybercriminal, and in the case of COVID-19 vaccines gets to nation-state-level hacking.
Phishing is still a key vector in any hacking or APT attack, so all staff need to be extra vigilant, but it’s an added reminder at a corporate level of the need to stringently operate all security controls, including system hardening, network segregation and disciplined change control. Average times for breach detection are still routinely up around 160 days, while an attack is typically successful within hours or days, so real-time breach detection is more important than ever.
The current thinking around the cyber resilience philosophy is to assume that a breach may be successful at some time in the future. Encryption of data wherever possible and secure, segregated backups of data are sensible precautions to mitigate the damage from data theft or a ransomware attack."
Stephen Banda, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions:
"As we all await vaccines for COVID, it goes without saying that disruption to cold-chain supply operations would be disheartening. Unfortunately, the more expansive the supply chain, the greater the third-party risk to supply-chain operations. Manufacturers rely on a web of external workers, contractors, and service partners to maintain equipment, package products, manage waste, ensure worker safety, and much more.
With phishing attacks being the most effective means of penetrating an organization’s digital security, cybercriminals often masquerade as employees or third parties who have authority over supply-chain operations.
Cold-chain supply organizations need to adopt a heightened awareness and deeper understanding of phishing attacks. The first lesson is that phishing is not just happening in email on your laptop or desktop. Smartphones and tablets are the new battleground as mobile phishing attacks leverage multiple channels including SMS, social messaging, apps, and of course email. Attackers know that supply-chain operators depend on smartphones and tablets to monitor supply-chain operations and provide key inputs. They also know that users inherently trust their smartphones and tablets and that the smaller form factor makes it more difficult to spot a phishing attack.
Not surprisingly, Lookout mobile phishing detections increased 37.1% during the first few months of the pandemic."
Ken Liao, VP of Cybersecurity Strategy, Abnormal Security, a San Francisco-based company that stops targeted phishing, business email compromise and account takeover attacks that have never been seen before:
“If there is one lesson for cybersecurity professionals to take from the pandemic, it’s that no one is untouchable when it comes to cyber attacks from malicious actors. We’ve seen threat actors target schools, charities, and even hospitals in an attempt to monetize a global tragedy, so it shouldn’t be a surprise that they’re now targeting the people and organizations responsible for vaccine distribution. In times of crisis, it’s particularly important for employees to be vigilant and ensure that anything they open or click on is from a trusted source. At the same time, employers need to have detection capabilities that can protect against email threats by identifying abnormal signals.”
Tom Pendergast, Chief Learning Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education:
"It’s fascinating that the DHS would release news on ongoing/emerging cyberattacks, because that indicates that they’d like as many people as possible to be aware of threats and to respond accordingly.
“Responding accordingly” means being hyper-vigilant for requests that are unexpected or out-of-sequence, for heightened urgency, etc. … all the things we in InfoSec have been teaching employees for years, only now they are extra important because of the high stakes for a successful vaccine rollout. What we’d hope to see is that anyone involved in the supply and distribution chain would intensify their scrutiny of communications.
The advice to anyone, especially to senior people within the widely distributed vaccine network, is to verify, verify, verify, before you put any information at risk.
As for attribution, I think you have to ask who has an interest in either capturing IP about the vaccine or in disrupting the success of vaccine distribution? As the New York Times report (https://www.nytimes.com/2020/12/03/us/politics/vaccine-cyberattacks.html) indicated, that could be attributed to a number of different parties (but generally the usual subjects: China, North Korea, Russia). Iran may be particularly motivated right now, given the recent attack on their nuclear scientist, but they are not generally considered to have this kind of capacity.
Or, it could be someone on the lookout for a ransomware opportunity: wouldn’t someone in the vaccine supply chain be motivated to pay a ransom with the level of public attention on this right now? Again, I have to emphasize that this is speculative."
Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers:
"Let’s first acknowledge there is no breach here that I can see. It is a high alert for a targeted phishing campaign against the COVID vaccine supply chain.
As the cure for COVID is essentially the most valuable thing in the world in 2020, and attackers always go for what is of value, this was a sort of an inevitable scenario.
Targeted phishing attacks continue to be the easiest way for attackers to circumvent traditional security, and gaining access to credentials is a highly effective way of continuing an attack. Knowing about threats targeting an organization (phishing) and stopping them are two different things. The attackers only need to succeed once in this scenario.
Companies need to assume the breach and focus on responding quickly should something occur. It is why our customers pivoted to monitoring internal behaviors such as the misuse of privileged access and movement of critical data to suspicious locations.
We have already had insight into targeted attacks into the COVID vaccine supply chain. These were attacks that did bypass the perimeter but did not lead to a breach of data as they detected and stopped them first.
Here is a short example from our latest Office 365 spotlight report."