No sooner had the first positive news about Corona vaccines arrived than cybercriminals sprang into action: Corona vaccines as a hook for phishing attacks, espionage and sabotage of research results, attacks on supply chains and dubious offers of counterfeit vaccines on the darknet – the cybercriminals quickly instrumentalised the topic for their own ends. How can they be stopped?
Corona has been a popular subject for phishing campaigns since the pandemic began. Once the first pharmaceutical companies reported success in producing a vaccine, phishers simply adapted the subject lines of their phishing emails to the current status quo. Now they do their criminal social engineering under the tags “vaccinations” or “vaccination dates”.
Direct attacks on vaccine manufacturers
In addition to these newly labeled phishing attacks, the number of direct attacks on vaccine manufacturers is also on the rise:
- In mid-November, a high-ranking Microsoft executive reported on a company blog about cyberattacks on seven well-known vaccine manufacturers in Canada, France, India, South Korea, and the United States. A hacker group from Russia and two from North Korea were named as the perpetrators of the attacks. All three groups are believed to be linked to government agencies.
- In October, U.S. cybersecurity firm Crowdstrike reported attacks on Japanese vaccine labs; here, the attacks reportedly came from China.
- Back in July, intelligence agencies from the U.S., Canada and England issued a joint statement blaming Russian hackers for attacks on organizations involved in the development of Corona vaccines. According to the U.K.’s National Cyber Security Centre (NCSC), the hacker group “Cozy Bear”, which the NCSC said was “almost certainly” operating as part of Russian intelligence, was targeting the “theft of valuable intellectual property”.
- Late last November, developers at British-Swedish vaccine maker AstraZeneca received bogus emails with lucrative job offers, peppered with digital attack tools that the hackers used to gain access to the group’s computers. Anonymous sources suspect their origin was North Korea.
- Last October, the Indian vaccine manufacturer Dr. Reddy’s offices in as many as five countries fell victim to a large-scale cyber attack. This time, Russian state hackers were probably not involved: Dr. Reddy’s had been entrusted with tests for the Russian Corona vaccine Sputnik V.
BSI: Cybercriminals exploit general uncertainty
The German Federal Office for Information Security (BSI) and the French security agency ANSSI noted in a joint report on the cyber security situation in both countries that cyber criminals have reacted flexibly to the Corona pandemic and are specifically exploiting the general uncertainty among companies and the population. According to the BSI, healthcare systems in both countries face major challenges in combating the pandemic while effectively guarding against potential cyber-attacks, because hospitals, vaccine manufacturers and their supply chains are increasingly the focus of cybercriminals. “Failures in these areas can have devastating consequences that we cannot afford, especially in the midst of a pandemic,” the BSI said. For that reason, the federal agency is also in intensive talks with the German government about protecting vaccine logistics chains.
Supply chains and cooling systems in their sights
After widespread attempts to spy on research results, hackers are increasingly targeting these supply chains (in this case, the cold chains) as well: they are trying to disrupt supply chains, shut down cold storage facilities or penetrate supply systems. An example from Israel shows that IoT systems in particular are quite vulnerable here: there, hackers tried to drastically increase the chlorine content of public drinking water. Imagine if hackers had direct access to vaccine production and changed the respective proportions of the active ingredients. Even small changes to the formula could significantly affect efficacy. This could well end in a health catastrophe.
In addition to production, storage and the quite complex logistics also represent possible points of attack. Attackers could target the corresponding temperature control systems and manipulate the storage temperature. This would greatly reduce the effectiveness of the vaccines. Logistics also offer enormous attack surfaces, for example, for a ransomware attack on scheduling software that could cause delays in delivery and affect the vaccine distribution schedule. In addition, storage facilities could become inaccessible and transportation routes could fail.
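The storage scenario described above (a manipulated temperature controller silently raising the setpoint) is one a defender can catch with telemetry that the controller itself cannot alter. The following is an added example, not code from the article or from Perseus; it assumes constructed readings of the form (timestamp, unit, measured °C, setpoint °C), an assumed product band of 2 to 8 °C, and an out-of-band change log of approved setpoints, and it flags three failure modes: temperature outside the band, a setpoint that was never approved, and a physically implausible jump between consecutive readings (sensor fault or spoofed data).

```python
"""Independent cold-chain telemetry check (added example, not from the article).

Assumptions, all constructed for illustration:
- each storage unit reports Reading(ts, unit, measured_c, setpoint_c)
- the product's allowed storage band is ALLOWED_BAND (2 to 8 degrees C here)
- legitimate setpoint changes live in an out-of-band change log
  (ticket system, paper log) that the controller cannot write to
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

ALLOWED_BAND = (2.0, 8.0)   # assumed product band in degrees C
MAX_STEP_C = 5.0            # assumed largest plausible change between readings


@dataclass(frozen=True)
class Reading:
    ts: int            # seconds since start of the constructed trace
    unit: str
    measured_c: float
    setpoint_c: float


@dataclass(frozen=True)
class Alert:
    unit: str
    ts: int
    kind: str          # "out_of_band" | "unauthorised_setpoint" | "implausible_jump"
    detail: str


# Constructed telemetry: unit-A is healthy, unit-B has its setpoint raised to
# 12 degrees C without an approved change and then drifts out of band, and
# unit-C reports a sudden -40 degrees C reading (sensor fault or spoofed value).
SAMPLE_READINGS: List[Reading] = [
    Reading(0,   "unit-A", 4.9, 5.0),
    Reading(300, "unit-A", 5.1, 5.0),
    Reading(0,   "unit-B", 5.0, 5.0),
    Reading(300, "unit-B", 5.2, 12.0),
    Reading(600, "unit-B", 9.3, 12.0),
    Reading(0,   "unit-C", 5.0, 5.0),
    Reading(300, "unit-C", 5.0, 5.0),
    Reading(600, "unit-C", -40.0, 5.0),
]

# Constructed change log: (unit, setpoint) pairs approved through the
# out-of-band process. Anything else observed on the wire is suspect.
AUTHORISED_SETPOINTS: Set[Tuple[str, float]] = {
    ("unit-A", 5.0), ("unit-B", 5.0), ("unit-C", 5.0),
}


def check_readings(readings: Iterable[Reading],
                   authorised: Set[Tuple[str, float]],
                   band: Tuple[float, float] = ALLOWED_BAND,
                   max_step: float = MAX_STEP_C) -> List[Alert]:
    """Return one Alert per violated rule, in (unit, time) order."""
    alerts: List[Alert] = []
    last_by_unit: Dict[str, Reading] = {}
    lo, hi = band
    for r in sorted(readings, key=lambda x: (x.unit, x.ts)):
        # Rule 1: the product band is checked against the measured value,
        # never against the setpoint the controller claims to hold.
        if not lo <= r.measured_c <= hi:
            alerts.append(Alert(r.unit, r.ts, "out_of_band",
                                f"{r.measured_c} C outside {lo}..{hi} C"))
        # Rule 2: every observed setpoint must match an approved change.
        if (r.unit, r.setpoint_c) not in authorised:
            alerts.append(Alert(r.unit, r.ts, "unauthorised_setpoint",
                                f"setpoint {r.setpoint_c} C not in change log"))
        # Rule 3: a jump larger than the unit can physically produce points at
        # a broken or spoofed sensor rather than a real excursion.
        prev = last_by_unit.get(r.unit)
        if prev is not None and abs(r.measured_c - prev.measured_c) > max_step:
            alerts.append(Alert(r.unit, r.ts, "implausible_jump",
                                f"{prev.measured_c} C -> {r.measured_c} C"))
        last_by_unit[r.unit] = r
    return alerts


def units_needing_attention(alerts: Iterable[Alert]) -> List[str]:
    """Distinct units with at least one alert, for a dispatcher's worklist."""
    return sorted({a.unit for a in alerts})


if __name__ == "__main__":
    for a in check_readings(SAMPLE_READINGS, AUTHORISED_SETPOINTS):
        print(f"{a.unit} t={a.ts}s {a.kind}: {a.detail}")
```

The point of the design is that the band check uses the measured value and the setpoint check uses a list the controller cannot edit, so an attacker who changes the controller's configuration still trips an alert even before the temperature leaves the band.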
Offers of counterfeit vaccines on the darknet
Offers of vaccines have also multiplied on the darknet, where doses of the BioNTech/Pfizer vaccine have been offered for 250 euros per dose. Europol also observed a massive 400 percent increase in advertisements for Covid-19 vaccines. In January, prices rose significantly again, to between 400 and 1,000 euros per dose. In addition, single doses are no longer sold on their own; instead, packages containing several doses of vaccine are offered.
Continued high risk of targeted attacks
Accordingly, the BSI also assesses the threat situation of German pharmaceutical companies and vaccine manufacturers as high. BSI President Schönbohm told Deutsche Welle: “There is still a risk of targeted attacks against research institutions. Companies must also do their part, for example by making appropriate investments in information security.”
Companies can take some steps to provide immediate protection:
- Awareness training to protect against phishing
- Secure data in the cloud
- Use secure VPN connections
- Secure the browser
- Protect data on all endpoints
- Multifactor authentication
Surely, many of your employees are also interested in an imminent vaccination appointment, so they may be even quicker to open an email that claims to contain up-to-date information on the subject. For this reason, Perseus recommends that all companies sensitize their employees to this topic as soon as possible through appropriate training, e.g. with simulated phishing attacks.
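Alongside training, the vaccination-themed lures described at the top of the article can be triaged mechanically before they reach an inbox. The following is an added example, not code from the article or from Perseus. It assumes a constructed environment: the organisation's own domain is example.org, the health authority it expects mail from is health.example, and the lure vocabulary and the list of trusted organisation names are short assumed lists. It parses three constructed messages with the standard library and flags a vaccination lure combined with a technical indicator (display-name impersonation, Reply-To pointing elsewhere, a link to an untrusted domain, or a macro-enabled or executable attachment).

```python
"""Heuristic triage of vaccination-themed mail (added example, not the article's).

Assumptions, all constructed for illustration: TRUSTED_DOMAINS, ORG_NAMES,
LURE_TERMS and RISKY_EXT are placeholders an organisation would replace
with its own lists.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

TRUSTED_DOMAINS = {"example.org", "health.example"}          # assumed
ORG_NAMES = ("health authority", "hr department", "occupational health")  # assumed
LURE_TERMS = ("vaccination", "vaccine", "impfung", "impftermin")  # assumed
RISKY_EXT = (".exe", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk", ".hta")
TECHNICAL = {"display_name_impersonation", "reply_to_mismatch",
             "untrusted_link", "risky_attachment"}


def _domain(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _body_text(msg: Message) -> str:
    """Concatenate the text parts of the message, skipping named attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw: str) -> Dict[str, object]:
    """Return {'findings': [...], 'verdict': 'deliver'|'review'|'quarantine'}."""
    msg = message_from_string(raw)
    findings: List[str] = []
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    if any(term in text for term in LURE_TERMS):
        findings.append("vaccine_lure")
    from_header = msg.get("From", "")
    from_domain = _domain(from_header)
    display_name = parseaddr(from_header)[0].lower()
    # A trusted organisation's name in the display name, sent from an
    # untrusted domain, is the classic sender spoof.
    if from_domain not in TRUSTED_DOMAINS and any(n in display_name for n in ORG_NAMES):
        findings.append("display_name_impersonation")
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")
    link_domains = {d.lower() for d in re.findall(r"https?://([^/\s\"'>]+)", text)}
    if link_domains - TRUSTED_DOMAINS:
        findings.append("untrusted_link")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append("risky_attachment")
            break
    technical = TECHNICAL & set(findings)
    if "vaccine_lure" in findings and technical:
        verdict = "quarantine"
    elif technical:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"findings": findings, "verdict": verdict}


# Constructed sample 1: lookalike domain, borrowed display name, foreign Reply-To.
PHISH_SAMPLE = """From: "Health Authority Vaccination Office" <notify@hea1th-example.net>
Reply-To: appointments@mailer-xyz.example
To: staff@example.org
Subject: Your vaccination appointment - confirm within 24h
Content-Type: text/plain; charset=utf-8

Dear colleague, your vaccine appointment is reserved. Confirm here:
http://hea1th-example.net/confirm?id=123
"""

# Constructed sample 2: the genuine authority, trusted domain and link.
LEGIT_SAMPLE = """From: "Health Authority" <info@health.example>
To: staff@example.org
Subject: Vaccination appointments now available
Content-Type: text/plain; charset=utf-8

Book via https://health.example/appointments
"""

# Constructed sample 3: internal-looking sender, macro-enabled attachment.
ATTACH_SAMPLE = """From: "HR Department" <hr@example.org>
To: staff@example.org
Subject: Vaccine appointment list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

See the attached schedule of vaccination dates.
--b1
Content-Type: application/octet-stream; name="schedule.docm"
Content-Disposition: attachment; filename="schedule.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE),
                          ("attach", ATTACH_SAMPLE)):
        print(label, triage(sample))
```

The lure term on its own never changes the verdict: a genuine announcement about vaccination dates from a trusted domain is delivered, while the same vocabulary combined with any technical indicator is quarantined for review. That keeps the heuristic useful precisely during the weeks when legitimate mail about the topic is also frequent.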
Please do not hesitate to contact us: 030/95 999 80 80 (Mon – Fri 09:00-18:00 with the exception of public holidays) or by e-mail to info@perseus.de.