Cyber attackers have targeted the cold supply chain needed to deliver Covid-19 vaccines, according to a report detailing a sophisticated operation likely backed by a nation state.
The hackers appeared to be trying to disrupt or steal information about the vital processes that keep vaccines cold as they travel from factories to hospitals and doctors’ offices.
According to the report by IBM’s threat intelligence task force, which advises companies and the public sector on cyber security, they targeted organisations associated with a cold chain platform run by the Gavi vaccine alliance, a public-private partnership for developing immunisation for poorer countries.
Many of the Covid-19 vaccines need to be kept cold to keep them from spoiling. The earliest vaccines have particularly stringent requirements: Pfizer and BioNTech’s vaccine must be kept between minus 70C and minus 80C, while Moderna’s jab needs to be transported at minus 20C.
The attackers pretended to be an executive at a Chinese supplier of ultra-cold refrigeration, to mount a phishing campaign trying to obtain usernames and passwords, the report said.
Nick Rossmann, IBM’s global lead for threat intelligence, said he believed the hackers were either looking to disrupt the vaccine delivery process or steal intellectual property.
“One side of it is cyber espionage: How do you get vaccines out? How is the manufacturing process working for refrigeration? How are you managing the entire logistics chain?” he said. “There’s also potential for disruption, being able to launch attacks that disrupt vaccines, and their distribution to undermine trust in them around the world.”
He added that it was vital to treat the vaccine supply chain as “a new type of global critical infrastructure” to help secure the products that could help end the pandemic.
“These refrigeration companies are not going to have the same security tools that advanced financial institutions have,” he said.
The news prompted the US cyber agency on Wednesday to issue a formal alert to other groups involved in the cold supply chain.
Claire Zaboeva, senior strategic cyber threat analyst at IBM, said it could be the “tip of an iceberg” in a larger global campaign, as the hackers try to find holes in security and jump between companies and governments involved in the mass vaccination programmes.
“It was an extremely well-researched and well-placed campaign. And that does potentially point to a very competent person or team,” she said.
Both the US and the UK warned earlier this year that state-sponsored hackers in China and Russia had been targeting pharmaceutical and academic research groups developing coronavirus treatments and vaccines, in what has been dubbed an “intellectual property war”. In July, the US charged two Chinese hackers who allegedly targeted American companies carrying out coronavirus research with the theft of trade secrets.
Separately, the Wall Street Journal reported that North Korea had co-ordinated attacks against six vaccine developers including Johnson & Johnson and Novavax in the US, the UK’s AstraZeneca, and several South Korean groups.
The IBM report described a hacking campaign that spanned six countries, aimed at the European Commission’s customs and taxation unit, and organisations in energy, manufacturing and technology. The campaign started in September and the task force discovered the threat in October.
The IBM researchers do not know if the hackers were successful at gaining entry to the networks.
“Today’s report highlights the importance of cyber security diligence at each step in the vaccine supply chain,” said Josh Corman, the Cybersecurity and Infrastructure Security Agency’s chief strategist for healthcare. He urged vaccine storage and transport groups to “harden attack surfaces . . . and remain vigilant against all activity in this space”.
The FBI has been notified of the attacks. The Gavi vaccine alliance said it had “strong policies and processes in place to prevent such phishing attacks and hacking attempts” and that it would continue to strengthen its security.
Additional reporting by Kadhim Shubber in Washington DC