How Hackers Targeted The Covid-19 Vaccine Supply Chain; Vaccine Sold in Darkweb

As pharmaceuticals across the world race towards a vaccine, cybercrime continues to thrive in the underbelly of the Internet. In forums on the dark web, criminals continue to trade enormous repositories of critical medical data gathered through unauthorized means. As COVID-19 continues to dominate headlines, confidential vaccine research data generates enough monetization opportunities for cybercriminals. In addition to the COVID-19 databases containing confidential PII being leaked on the Internet, one of the critical security concerns is the immense cold chain logistics of the vaccine.  

Recently, IBM warned against cybercriminals targeting the distribution network of Covid-19 vaccines through a campaign that is believed to have started in September 2020. The hacker activity uncovered by IBM has shed light on a global phishing campaign specifically designed to target members of the Cold Chain Equipment Optimisation Platform (CCEOP) and with signs of being a state-sponsored incident. As per a report by the Guardian, organizations across six countries were sent emails containing malicious attachments.  These emails purported to be from Haier Biomedical, a UNICEF program member for strengthening vaccine supply chains. Incidents such as these underline the pressing need for cybersecurity rigour at every stage in the COVID-19 vaccine supply chain.  

More recently, Cyble research observed a few additional indicators and emails with the subject posing as a Draft of Contract related to the CCEOP and Vaccine Program. This phishing email masquerades as a credible email communication from Haier Biomedical and is targeted at Kraeber & Co., as shown in the image below. 

On opening the malicious HTML attachment, the user is prompted to submit login credentials for viewing PDF content, as depicted in the figure below. Our research indicates a malicious ActiveX component that automatically runs in the background as soon as the user enables the document security control. This type of ‘Precision Targeting’ involves advanced phishing attacks that are difficult to detect and takedown by security organizations. 

The attached HTML page has a malicious ActiveX function that is used to send the harvested credentials to the hacker’s server using a simple POST request, as shown below. 

The victims’ harvested credentials may be used to gain unauthorized access and conduct further cyber espionage activities. The cyber adversary may use the credentials to gain access to the targeted infrastructure and steal confidential information related to the COVID-19 vaccine research and delivery. These sophisticated phishing campaigns may also lead to further damages such as potential data breaches and undetected supply chain attacks. 

As countries prepare for the availability and effective distribution of the vaccine in the near future, there is a raising need for cyber defences at every step of the vaccine supply chain. With cyberattacks on the vaccine cold chain emerging from all corners, organizations are expected to ensure preparedness for addressing the potential challenges that may arise in the future. 

Furthermore, our researchers noted that the vaccine is now being sold in various darkweb marketplaces. Considering the limited supply of these vaccines, it is expected that they will be traded. It should be noted that the medical and health risks related to any alleged medicine or vaccine can be dangerous and lethal. We DO NOT recommend users to make any direct or indirect purchases.

Advertisement on Darkweb

Security Measures: 

This phishing campaign is a clear indication that threat actors are shifting their focus on the complex logistical network associated with the R&D and distribution of the vaccine value chain. To counter the impact of cyberattacks targeted towards the COVID-19 vaccine supply chain, here are a few security measures that organizations can adopt.  

  • Validating third-parties and ensuring that they have the necessary level of cyber defences 
  • Never clicking on unverified/unidentified links 
  • Refraining from opening email attachments before validating their authenticity 
  • Using security software and keeping it updated 
  • Training employees on cybersecurity through cyber literacy programs 
  • Periodically conducting third-party/suppliers risk assessment 

Indicators of Compromise (IOCs) 
 

SHA256 Hashes 
18D368E5EE1BBB9B7311E353CFD5475D772E8DF6C4AA1C79B41800F07059B761 
3F0CA8BF1382ACB68E303F2135ED01C595122927DEF9A40E70C0AA8CBDDF7130 
E735ABD2DA75D8782A3828BC31B2C99930058CEBCF73B093D8C7A4139BF06C93  
07DBE854A34E61349ADCC97DD3E2EB5A9158E02568BAE3E2AAE3859AEEB5B8A9 

C2 URLs 

hxxps://roud3servers[.]tk/next[.]php 

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io. 

Leave a Comment

Your email address will not be published.

%d bloggers like this: