A series of cyberattacks is underway aimed at the companies and government organizations that will be distributing coronavirus vaccines around the world, IBM’s cybersecurity division has found, though it is unclear whether the goal is to steal the technology for keeping the vaccines refrigerated in transit or to sabotage the movements.
The findings were alarming enough that the Department of Homeland Security issued its own warning on Thursday about the threat.
Both the IBM researchers and the department’s Cybersecurity and Infrastructure Security Agency said the attacks appear intended to steal the network log-in credentials of corporate executives and officials at global organizations involved in the refrigeration process necessary to protect vaccine doses.
Josh Corman, a coronavirus strategist at the cybersecurity agency, said in a statement that the IBM report was a reminder of the need for “cybersecurity diligence at each step in the vaccine supply chain.” He urged organizations “involved in vaccine storage and transport to harden attack surfaces, particularly in cold storage operation.”
Researchers for IBM Security X-Force, the company’s cybersecurity arm, said they believed that the attacks were sophisticated enough that they pointed to a government-sponsored initiative, not a rogue criminal operation aimed purely at monetary gain. But they could not identify which country might be behind them.
No matter who conducted the attacks, they underscore how everything about coronavirus vaccines — how to make them, test them and move them — has become vital information around the globe. A year ago, nations including Russia and China were focusing their covert efforts on stealing secrets about hypersonic missiles and artificial intelligence advances; six months ago, intelligence agencies shifted their focus to obtaining, or defending, proprietary vaccine research.
With several vaccines on the verge of moving from clinical trials into wider use, the IBM discovery suggests that the main target of state-employed hackers is now the infrastructure of delivering the vaccines to billions of people around the globe.
The cyberattackers “were working to get access to how the vaccine is shipped, stored, kept cold and delivered,” said Nick Rossmann, who leads IBM’s global threat intelligence team. “We think whoever is behind this wanted to be able to understand the entire cold chain process.”
There is no indication so far that the attackers were aiming at Pfizer or Moderna, whose vaccines are expected to be the first ones approved for emergency use in the United States. A spokeswoman for Pfizer said Wednesday that the company’s cold storage equipment was designed by security-conscious experts and custom-built to match the specific requirements of Pfizer’s vaccine, which must be stored at extremely cold temperatures.
Many of the approaches came in the form of “spear phishing” emails that impersonated an executive at a major Chinese company, Haier Biomedical, which is a legitimate participant in the distribution chain. The email says “we want to place an order with your company,” and includes a draft contract containing malware that would give the attackers access to the network.
Outside experts said they doubted the attacks came from China, which has been accused of trying to steal vaccine information from universities, hospitals and medical researchers, because it would be unlike Chinese hackers to impersonate executives at a major Chinese firm.
If they are correct, the lead suspects would be hackers in Russia and North Korea, both of which have also been accused by the United States of conducting attacks to steal information about the process of manufacturing and distributing vaccines. Sometimes it is hard to tell the difference between official hacking operations for the Russian or North Korean governments and those run for private gain.
The motive is also unclear. The attackers may simply be looking to steal technology to move large amounts of vaccine across long distances at extraordinarily low temperatures, which would constitute a classic form of intellectual property theft.
But some cybersecurity experts say they suspect something more nefarious: efforts to interfere with the distribution, or ransomware, in which the vaccines would be essentially held hostage by hackers who have gotten into the system that runs the distribution network and locked it up — and who demand a large payment to unlock it.
“There is no intelligence advantage in spying on a refrigerator,” said James Lewis, who runs the cybersecurity programs at the Center for Strategic and International Studies in Washington. “My suspicion is that they are setting up for a ransomware play. But we won’t know how these stolen credentials will be used until after the vaccine distribution begins.”
The IBM researchers provided an account of their efforts in an interview before the company posted its findings. They said the attackers sent out various requests for price and product information, some purportedly on behalf of Gavi, the Vaccine Alliance, a public-private partnership that helps provide vaccines to developing countries.
Many of the targets were in Asia, but some were European, including the European Commission’s Directorate General for Taxation and Customs Union. IBM noted that the organization has “direct ties to multiple national government networks,” showing that the attackers had a sophisticated understanding of how to identify targets that could get them into many nations.
But other organizations were also targeted, like Taiwan, South Korea, Germany and Italy. Some were involved in the solar panel-driven cooling systems for the vaccine.
The attackers’ emails were addressed to companies that provide key components of the cold chain process. Those include ice-lined boxes for vaccines and the solar panels that can power refrigerated vaccine containers — an important feature in poor countries where electricity can be scarce.
The researchers said the effort seemed aimed at stealing credentials that could have ultimately led the attackers to a trove of information, including timetables for vaccine distribution, lists of vaccine recipients and where doses are being shipped.
IBM could not determine whether the attacks were successful, the company said. The researchers said the attackers targeted one Gavi program started in 2015, before the advent of the coronavirus, to upgrade cold chain equipment for vaccines in dozen of nations.
UNICEF, which is planning vaccine delivery for poorer countries, appears to have been another target. Najwa Mekki, a spokeswoman for the organization, said the IBM researchers alerted officials to the threat to the cold chain system, and “we notified our supply networks and alerted relevant teams to the need to increase vigilance.”
We also have offices in Chihuahua, Mexico.