The hackers took measures to hide their tracks, and the cyber-sleuths did not name which state might be behind the campaign.
The IBM team said it was not known why the hackers were trying to penetrate the systems. It suggested that the intruders might want to steal information, glean details about technology or contracts, create confusion and distrust, or disrupt the vaccine supply chains.
The hackers probably sought “advanced insight into the purchase and movement of a vaccine that can impact life and the global economy,” the IBM team said.
Because there was “no clear path to a cash-out” as there is in a ransomware attack, there was an increased likelihood that a state actor was involved, IBM said. However, the IBM investigators cautioned, it was still possible that criminals were looking for ways to illegally obtain “a hot black-market commodity” such as an initially scarce vaccine.
The new generation of RNA vaccines, including the product from Pfizer-BioNTech that Britain approved Wednesday for emergency use, requires ultracold storage and transport, around minus 70 degrees Celsius, colder than a typical Antarctic winter. But more traditional vaccines, such as a candidate being tested by Oxford University and its partner AstraZeneca, also must be kept refrigerated.
The hackers targeted organizations linked to Gavi, a public-private vaccine alliance that supplies vaccines to poor countries. The alliance works closely with the World Health Organization, donor countries, the global pharmaceutical industry and the Bill and Melinda Gates Foundation.
IBM said one of the targets was the vaccine alliance’s Cold Chain Equipment Optimization Platform.
The U.S. Cybersecurity and Infrastructure Security Agency on Thursday alerted organizations involved with the storage and transport of vaccines to be on the lookout for the type of phishing operations described in the IBM advisory.
The cybersecurity agency encouraged all organizations involved in the Trump administration’s Operation Warp Speed to be especially alert for phishing and other attempts to compromise their cold-chain systems.
In a blog post that was distributed to cybersecurity agencies, IBM said an intruder impersonated a business executive at Haier Biomedical, a legitimate Chinese company active in the vaccine supply chain and specializing in the refrigeration of medical products. The impersonator sent emails to “executives in sales, procurement, information technology and finance positions, likely involved in company efforts to support a vaccine cold chain.”
It is unclear whether any of the phishing attempts succeeded.
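The lure described above relies on the From header: a display name that names a trusted vendor, paired with an address the vendor does not control. The screening script below is an added example, not IBM's tooling or anything published with the advisory. It parses a raw message and flags three things a mail gateway or SOC triage script would look for: a display name claiming a known vendor while the sender domain is not one of that vendor's domains, a sender domain that is a near-miss of a vendor domain, and a Reply-To that diverts responses to a different domain. The vendor allowlist, the Haier Biomedical domain in it, and the four sample messages are all constructed for this example; the allowlist must be populated from your own vendor records before use.

```python
"""Screen inbound mail for vendor impersonation in the From header.

Added example; not IBM's code and not from the original article.
The vendor domain below and the sample messages are constructed for
illustration, not verified values.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist: lower-case vendor name -> legitimate sending domains.
# The domain is an assumption for this example; check real vendor records.
VENDOR_DOMAINS = {
    "haier biomedical": {"haierbiomedical.com"},
}


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _same_org(domain: str, allowed: str) -> bool:
    """True when domain equals allowed or is a subdomain of it."""
    return domain == allowed or domain.endswith("." + allowed)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalikes such as l -> 1 swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(raw: str, vendors=VENDOR_DOMAINS, max_distance: int = 2) -> list:
    """Return a list of rule names that fire on the message's headers.

    Header checks only: pair this with SPF/DKIM/DMARC results, because a
    From address on a trusted domain proves nothing on its own.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    claimed = display.lower()
    findings = []

    for vendor, domains in vendors.items():
        trusted = any(_same_org(from_domain, d) for d in domains)
        # Rule 1: the display name claims the vendor, the address does not.
        if vendor in claimed and not trusted:
            findings.append("display_name_impersonation")
        # Rule 2: the sender domain is a near-miss of a vendor domain.
        if not trusted and any(0 < _edit_distance(from_domain, d) <= max_distance
                               for d in domains):
            findings.append("lookalike_domain")

    # Rule 3: replies are routed to a domain other than the sender's.
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = _domain(parseaddr(reply_to)[1])
        if rt_domain and not (_same_org(rt_domain, from_domain)
                              or _same_org(from_domain, rt_domain)):
            findings.append("reply_to_mismatch")
    return findings


# Constructed sample messages (not real traffic) exercising each rule.
SAMPLE_MESSAGES = {
    "impersonation": (
        'From: "Li Wei, Haier Biomedical" <li.wei@mail-haier-quotes.com>\n'
        "To: procurement@example.org\n"
        "Subject: Request for quotation - cold chain equipment\n\n"
        "Please review the attached RFQ.\n"
    ),
    "lookalike": (
        'From: "Sales Department" <sales@haierbiomedica1.com>\n'
        "To: finance@example.org\n"
        "Subject: Updated quotation\n\nSee attachment.\n"
    ),
    "reply_hijack": (
        'From: "Sales" <sales@haierbiomedical.com>\n'
        "Reply-To: <quotes@protonmail.com>\n"
        "To: it@example.org\n"
        "Subject: Account details\n\nPlease reply with your login.\n"
    ),
    "legitimate": (
        'From: "Haier Biomedical Sales" <sales@haierbiomedical.com>\n'
        "To: procurement@example.org\n"
        "Subject: Quotation\n\nAttached as discussed.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(f"{name:14s} -> {screen_message(raw) or 'clean'}")
```

The edit-distance threshold is deliberately small; at 2 it catches single-character swaps and inserted hyphens without flagging every short domain, but any lookalike check should be run on the registrable domain and combined with DMARC verdicts rather than treated as a verdict on its own.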
In her post, Claire Zaboeva, a senior strategic cyberthreat analyst at IBM, wrote: “The targets included the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation and software and internet security solutions sectors. These are global organizations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan.”
This is not the first attempt by hackers to penetrate secure networks protecting vaccines.
Those hackers, who belong to a unit known variously as APT29, “the Dukes” or “Cozy Bear,” were targeting vaccine research-and-development organizations in the three countries, the officials said in a joint statement. The unit is one of the two Russian spy groups that penetrated Democratic Party computers in the lead-up to the 2016 U.S. presidential election.
Microsoft last month reported “mostly unsuccessful attempts” by state-backed Russian and North Korean hackers to steal data from pharmaceutical companies and vaccine developers, according to the Associated Press.