Written by T. Piccirilli
This December, global hackers have found a dangerous new target: the COVID vaccine “cold chain”. IBM security researchers are reporting that sophisticated hacking groups have begun carrying out phishing campaigns targeting the vital “cold chain” that will oversee the storage and transport of a potential COVID vaccine. In a blog post distributed to cybersecurity agencies, IBM reported that a malicious actor impersonated a business executive at Haier Biomedical, a Chinese company active in the vaccine supply chain. The impersonator sent emails to executives in sales, procurement, information technology, and finance. Claire Zaboeva, a senior strategic cyberthreat analyst at IBM, compiled an expanded list of targets including the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation, and software and internet security solutions sectors.
The IBM team said it was not known why the hackers were trying to penetrate the systems but suggested the hackers may be trying to steal information, learn details of technologies and contracts, or create confusion and distrust while disrupting supply chains. Although the IBM report would not speculate on who was behind the attacks, beyond suggesting these were state-sponsored hackers, The Wall Street Journal reported a string of North Korean hacks that targeted drug makers, including Johnson & Johnson, Novavax, AstraZeneca, Genexine, Shin Poong Pharmaceutical, and Celltrion. The two sets of attacks should not necessarily be considered linked, but it is worth noting that in November Microsoft warned of intensified efforts by both North Korean and Russian hackers to target vaccine manufacturers and researchers.
While hacks on potential vaccine manufacturers likely have an obvious research motivation, the cybersecurity breaches on members of the “cold chain” are disturbing. IBM’s speculation that these hacks may be motivated by a desire to cause confusion and distrust is in line with previous efforts to increase racial and political tension in the United States. Given that the perceived seriousness of COVID has a clear correlation with political divides in the United States, an argument can be made that this effort is a continuation of those earlier political efforts. Even if this is not the intended effect, any doubts cast over the vaccine’s effectiveness represent a major public health concern. As of November 2020, only 58% of surveyed Americans indicated they would take an FDA-approved COVID vaccine if available. Though this is a climb from the 50% who responded ‘yes’ in September, it is still indicative of how fragile American comfort with a vaccine remains. Even if the 58% holds, that number is far from the target; for the vaccine to achieve herd immunity, the World Health Organization estimates that 90-95% of the population will need it.
So far, the results of these hacks remain unclear. Microsoft’s November report described the hacks as “mostly unsuccessful attempts”, leaving a good amount of room for interpretation. Even moderate hacking success would likely allow both North Korean and Russian hackers to double down on previous attack patterns. Just this summer, North Korea targeted more than 5 million individuals with a COVID-based phishing scam, while Russia used social media bots to spread fake election information. In both cases, a little bit of pharmaceutical data could be leveraged to make wild and inaccurate claims, or create more believable phishing scams.
There is a worst-case scenario worth discussing: IBM mentioned the disruption of the supply chain as a possible attack motivation. The “cold chain” refers specifically to the companies involved in the storage and cooling of potential vaccines; the Pfizer vaccine, for instance, must be stored below -70 degrees Celsius in order to ensure its effectiveness. A disruption to the cooling systems could render a batch of vaccines useless. While it is unclear what the mechanism for such an attack would be, a takeover of a vaccine cooling system would allow hacking groups to hold the vaccines hostage, allowing ransomware to take on a physical form.
It remains to be seen whether a vaccine hostage scenario is possible, but it is worth considering as governments and organizations begin thinking about distribution requirements for a potential vaccine. Glenn Koepke, a senior vice president at FourKites, offered a more likely scenario, stating, “The risk is shutting down transaction processing”. A shutdown of transaction processing would likely lead to parts order delays and confusion, slowing down a potential vaccine rollout. Knowing this possibility in advance, companies involved in the cold chain can begin taking steps to either fortify their cybersecurity or prepare offline fallbacks. All of this is easier said than done; as Koepke points out, “We’re in a digital era. The idea of going to fax just doesn’t exist.”
While 2020 has been a difficult year for cybersecurity, one positive development has been increasing transparency among government agencies about what threats are out there. There is reason to hope that with this knowledge of the potential threats, and the high stakes of a vaccine, businesses and governments will work together to ensure the safety and security of the cold chain. As businesses and citizens continue to feel the adverse effects of the coronavirus pandemic, now more than ever cybersecurity impacts lives. Now is the time for reviewing cybersecurity best practices, making sure communication and leadership are up to par, and doubling down on existing efforts.