IBM uncovers global email attack on Covid vaccine supply chain

IBM cyber security analysts on Thursday said they uncovered an email phishing scheme targeting global coronavirus vaccine supply chains, and urged cold-chain companies to remain “vigilant” and “on high alert.”

The company’s task force dedicated to tracking down Covid-19 cyber security threats said it discovered fraudulent emails impersonating a Chinese business executive at a credible cold-chain supply company. The emails, dating back to September, targeted organizations across six countries, including Italy, Germany, South Korea, Czech Republic, greater Europe and Taiwan, the company said.

“We assess that the purpose of this campaign may have been to harvest credentials to gain future unauthorized access,” IBM researchers Claire Zaboeva and Melissa Frydrych wrote in a report. “From there, the adversary could gain insight into internal communications, as well as the process, methods and plans to distribute a COVID-19 vaccine.”

IBM said the attacks likely targeted organizations linked to Gavi, The Vaccine Alliance, which is working to supply low and middle-income economies with an affordable Covid-19 vaccine. The alliance, which is backed by The Bill and Melinda Gates Foundation, operates a program alongside UNICEF to strengthen immunization supply chains to ensure the drugs are distributed equitably.

“Gavi has strong policies and processes in place to prevent such phishing attacks and hacking attempts,” a spokesperson told CNBC on Thursday. “We are working closely with our partners on security awareness to continue to strengthen these best practices.”

Gavi did not detail whether the scheme accessed sensitive information regarding the vaccine distribution. IBM’s analysts said the phishing campaign has the “potential hallmarks of nation-state tradecraft,” though it wasn’t made clear which countries could be behind the emails. It also wasn’t clear whether the attacks were successful.

“A breach within any part of this global alliance could result in the exposure of numerous partner computing environments worldwide,” IBM analysts said.

Some of the Covid-19 vaccines, like those from companies like Pfizer and Moderna, require low storage temperatures that use special equipment from the cold-chain companies. The Food and Drug Administration could give the companies, which have now applied for an emergency authorization in the U.S., the green light to begin distributing their vaccines within the coming weeks.

Moderna has said its vaccine remains stable at 36 to 46 degrees Fahrenheit, the temperature of a standard home or medical refrigerator, for up to 30 days, while Pfizer’s vaccine requires a storage temperature of minus 94 degrees Fahrenheit.

“This is completely new territory for health care supply chains. And so this is a brand new logistical challenge in order to distribute this vaccine and get it to the right place and to do so while maintaining the integrity of the product,” Soumi Saha, a pharmacist and vice president of advocacy for Premier, a consulting firm that works with thousands of hospitals and nursing homes, told CNBC last month.

Some governments have already warned of an increasing number of cyber attacks related to Covid-19 attempting to steal sensitive information on the vaccines, IBM said. The company uncovered similar email attacks in June on the medical protective gear supply chain for health-care workers.

In April, the World Health Organization said it had seen a “dramatic increase” in the number of cyber attacks targeting the United Nations health agency. The organization said on April 23 that around 450 “active WHO email addresses and passwords were leaked online along with thousands belonging to others working on the novel coronavirus response.”

IBM said in its report Thursday that it “urges companies in the COVID-19 supply chain — from research of therapies, healthcare delivery to distribution of a vaccine — to be vigilant and remain on high alert during this time.”