The EU’s tax agency and other organizations involved in the cold-chain shipping of COVID-19 vaccines received phishing emails purporting to be from a key provider, according to an IBM report.
On December 3 IBM said in the report that it had set up a “threat intelligence” task force to track down cyberthreats against organizations participating in the vaccine cold chain, which ensures the safe preservation of vaccines in temperature-controlled environments during their storage and transportation.
The phishing campaign, which started in September, has targeted organizations in six countries that are “likely associated” with Gavi, the Vaccine Alliance’s cold-chain equipment optimization platform (CCEOP) program, IBM said. “While firm attribution could not be established for this campaign, the precision targeting of executives and key global organizations holds the potential hallmarks of nation-state tradecraft,” the task force said.
The hackers impersonated a business executive from Haier Biomedical, a Chinese company that IBM identified as “a credible and legitimate member company of the COVID-19 vaccine supply chain and qualified supplier for the CCEOP program, [which] is purportedly the world’s only complete cold chain provider.”
IBM said the apparent motive of the phishing campaign is “to harvest credentials,” possibly to gain unauthorized access to corporate networks and sensitive information regarding the distribution of COVID-19 vaccines.
The European Commission’s Directorate-General for Taxation and Customs Union (DG TAXUD) was the only organization named as a target in the IBM report. DG TAXUD maintains direct ties to national government networks and is involved in trade and regulation. Other organizations that received the emails are in the energy, manufacturing, website creation and software, and internet security sectors. The global organizations are headquartered in the Czech Republic, Germany, Italy, South Korea, Taiwan, and “greater Europe,” IBM said.
The report says it is unclear whether the phishing campaign has been successful. “However, the established role that Haier Biomedical currently plays in vaccine transport and their likely role in COVID-19 vaccine distribution increases the probability [that] the intended targets may engage with the inbound emails without questioning the sender’s authenticity,” IBM said. “Targeting this entity could serve as a single point of compromise impacting multiple high-value targets across the 27 member states of the European Union and beyond.”
In October DG TAXUD extended until April 2021 its temporary suspension of customs duties and VAT on imported medical equipment from non-EU countries and proposed new taxation and customs measures to support more access to medical equipment. The VAT exemption was scheduled to expire October 31. The commission has also proposed that hospitals and medical practitioners be exempted from VAT on vaccines and testing kits used to treat and prevent the spread of COVID-19.
Haier Biomedical did not respond by press time to a request for comment about the phishing campaign. A spokesperson for the EU office for digital economy, research, and innovation said the commission is aware of the issue. “We have taken the necessary steps to mitigate the attack and are closely following and analyzing the situation,” he said.
An EU source said there has been no indication that the commission’s IT security systems would have failed to block the malicious links or attachments. “However, an analysis of the incident is ongoing,” said the source, who asked not to be named.
James A. Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies in Washington, was quoted by the New York Times December 3 as saying the phishing campaign might be a prelude to a ransomware demand. “But we won’t know how these stolen credentials will be used until after the vaccine distribution begins,” Lewis said.
On December 1 regulators in the United Kingdom authorized the use of a vaccine developed jointly by Pfizer Inc. and BioNTech SE. It is the first approval of a COVID-19 vaccine by a western country for purposes other than testing. Moderna Inc. is awaiting approval from both U.K. and U.S. authorities for a vaccine based on similar technology. While both require low-temperature storage, the Pfizer-BioNTech vaccine must be kept at minus 70 degrees Celsius, as compared with the minus 20 degrees Celsius recommended for Moderna’s vaccine.