Recently, the world learned about a cyber-espionage attempt focused on the international vaccine supply chain. The attack took the form of a precisely targeted phishing campaign against the companies involved in the “cold chain” used to preserve and control the strict storage temperatures of Pfizer’s COVID-19 vaccine in transit.
By Samantha (Sam) Humphries, Head of EMEA Marketing & Security Strategy, Exabeam
While the identity of the attackers remains unclear, the methods used in the cyber offensive are thought to be indicative of a nation-state. It is no coincidence that governments around the world, including the U.S. and the U.K., had previously warned of adversarial countries targeting aspects of vaccine research.
This particular cyber assault is believed to have started in September, and to increase the likelihood that target recipients would engage with the phishing emails, the attackers successfully mimicked an executive from a Chinese company involved in the cold chain equipment optimization platform (CCEOP) supply chain. Since vaccinations have already begun, it is important to note that the Pfizer-BioNTech vaccine was not the direct focus of the phishing campaign. The emails were sent to organizations that are providing transportation for the medicine, and those messages contained malicious code and asked for users’ login credentials.
The more things change, the more they stay the same
You might think that this far into the digital revolution, most people are already familiar with the look and feel of an electronic scam attempt. However, you would be wrong. Typically, the emails show no sign of being malicious, making them hard to spot. In combination with people’s naïveté about phishing risks, the hook is baited. In fact, when people fall for these attacks each year, it often leads to compromise not just of their personal data, but of their company’s networks, too.
According to the 2019 Symantec Internet Security Threat Report, phishing emails are used by almost two-thirds (65 percent) of all known groups carrying out targeted cyberattacks. The same report indicated that intelligence gathering was the primary motive of 96 percent of targeted phishing attacks. In the case of the cold chain attacks, the breach may have allowed the mischief-makers to gain a familiarity of the infrastructure that was intended for vaccine distribution.
To err is human
Security teams can prevent phishing scams from succeeding in their mission to deposit malware, exfiltrate data – or both! A well-informed workforce is a good first line of defense: specially trained eagle eyes that can spot phishing schemes before an email is even opened. However, even security-savvy employees can fall victim to mistakes and their own humanity, allowing malware to slip into the network via a single click and data to be stolen. To help staff in the fight against digital adversaries, enterprises, particularly those involved in this critical vaccine supply chain, should consider the following defensive methods:
Open sesame: Security access rules
While the simple phrase “open sesame” worked to gain access to the treasure in the folk tale of “Ali Baba and The Forty Thieves,” in real life, you want security measures to be far more robust. To ensure a secure approach, the principle of least privilege can be applied. The principle states that each user is granted only the access necessary to complete his/her work. To prioritize the security needs of the organization first, security teams can limit the access of all non-administrators. Should an adversary compromise an employee’s credentials, gaining access to the network may not be successful if the stolen credentials carry only the least privilege. Pro tip: As part of a strong security routine, perform a best practice check of user account settings and minimize how many people have higher-tier access.
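One way to carry out that account check is to compare what each account holds against what its role needs. The script below is an added example, not from the article or from Exabeam; the roles, group names and accounts are constructed sample data.

```python
# Added example (not from the article): audit which accounts hold groups
# beyond what their role requires, and which hold higher-tier access.
from dataclasses import dataclass, field

# Groups treated as higher-tier access (assumed, illustrative names).
TIERED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators"}

# Role policy: the groups each role legitimately needs (constructed).
ROLE_POLICY = {
    "logistics-analyst": {"Cold Chain Dashboards", "Shipment Reports"},
    "warehouse-lead": {"Cold Chain Dashboards", "Temperature Alerts"},
    "sysadmin": {"Server Operators", "Cold Chain Dashboards"},
}

@dataclass
class Account:
    name: str
    role: str
    groups: set = field(default_factory=set)

def excess_groups(account):
    """Groups the account holds that its role does not require."""
    return account.groups - ROLE_POLICY.get(account.role, set())

def audit(accounts):
    """Report per-account excess groups and who holds higher-tier access."""
    findings = {}
    tiered_holders = []
    for acct in accounts:
        extra = excess_groups(acct)
        if extra:
            findings[acct.name] = sorted(extra)
        if acct.groups & TIERED_GROUPS:
            tiered_holders.append(acct.name)
    return {"excess": findings, "tiered_holders": sorted(tiered_holders)}

# Constructed sample accounts; b.ortiz and c.singh hold more than needed.
SAMPLE_ACCOUNTS = [
    Account("a.chen", "logistics-analyst", {"Cold Chain Dashboards", "Shipment Reports"}),
    Account("b.ortiz", "logistics-analyst", {"Cold Chain Dashboards", "Shipment Reports", "Domain Admins"}),
    Account("c.singh", "warehouse-lead", {"Cold Chain Dashboards", "Temperature Alerts", "Shipment Reports"}),
    Account("d.kim", "sysadmin", {"Server Operators", "Cold Chain Dashboards"}),
]

if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS)
    for name, extra in report["excess"].items():
        print(f"{name}: remove {', '.join(extra)}")
    print("higher-tier holders:", ", ".join(report["tiered_holders"]))
```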
Is this thing on? Filtering email systems
Although dedicated software can help lock down employee email, most companies should already have the spam filters provided by their email solution. Encourage users to mark any spam email that makes it through to their inbox, so that this feedback helps the filters do a better job.
This is a test; it is only a test
As mentioned above, mistakes are bound to happen when humans are involved. A company cannot protect against a threat of which they are unaware. To determine the actual risk level for phishing scams more accurately, a company can run a simulated phishing test using a range of available tools. Basically, the security team should send employees a convincing email message that may appear to be a phishing email but will not actually harm anyone or anything. Depending upon which tool is used, it might track results such as which employees opened the email, or which employees clicked links that were embedded in the email.
Learn from Eisenhower: Planning is indispensable
These days, regardless of how completely a company may plan, an attack is always a possibility. One way to ensure that long-term damage isn’t inevitable is to take to heart the words of Dwight D. Eisenhower – ‘In preparing for battle, I have always found that plans are useless. But planning is indispensable.’ In other words, prepare the company well before any adversary or threat is looming. Invest in modern security tools and plan for a response using the latest intelligence technology, such as behavioral analytics. Such tools alert security teams and help identify odd behavior and abnormal activity, such as an unusual attachment or an unexpected source country for an email. If this is indicative of a phishing attack, the company can immediately take protective measures. On top of a well-informed base of users, this technology is an added layer of security to ensure devices and servers remain safe.
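The behavioral check described above, as an added example that is not code from the article or from any vendor: it builds a per-recipient baseline from past email metadata, then flags new messages with an unusual sender country or attachment type, or a known executive’s display name arriving from an external address (the mimicry tactic described earlier). The internal domain, executive name and all message records are constructed.

```python
# Added example (not from the article): simple behavioral analytics over
# email metadata. Baseline per recipient, then flag deviations.
from collections import defaultdict

INTERNAL_DOMAIN = "example-coldchain.test"   # assumed internal domain
EXECUTIVE_NAMES = {"wei zhang"}               # assumed executive display name

def _ext(filename):
    return filename.rsplit(".", 1)[-1].lower()

def build_baseline(history):
    """Per recipient: sender countries and attachment extensions seen before."""
    base = defaultdict(lambda: {"countries": set(), "exts": set()})
    for m in history:
        base[m["to"]]["countries"].add(m["country"])
        base[m["to"]]["exts"].update(_ext(a) for a in m["attachments"])
    return base

def score_message(msg, baseline):
    """Return the anomaly reasons for one message (empty list = normal)."""
    reasons = []
    seen = baseline.get(msg["to"], {"countries": set(), "exts": set()})
    if msg["country"] not in seen["countries"]:
        reasons.append(f"new sender country {msg['country']}")
    for a in msg["attachments"]:
        if _ext(a) not in seen["exts"]:
            reasons.append(f"unusual attachment type .{_ext(a)}")
    sender_domain = msg["from"].split("@")[-1].lower()
    if msg["display"].lower() in EXECUTIVE_NAMES and sender_domain != INTERNAL_DOMAIN:
        reasons.append("executive display name from external address")
    return reasons

def flag_all(messages, history):
    """Map message index -> reasons, for messages that raised any."""
    baseline = build_baseline(history)
    scored = {i: score_message(m, baseline) for i, m in enumerate(messages)}
    return {i: r for i, r in scored.items() if r}

# Constructed historical traffic for one logistics mailbox ("XX" is a
# placeholder country code, not a real attribution).
HISTORY = [
    {"to": "ops@example-coldchain.test", "from": "dispatch@carrier.test",
     "display": "Carrier Dispatch", "country": "DE", "attachments": ["manifest.pdf"]},
    {"to": "ops@example-coldchain.test", "from": "wei.zhang@example-coldchain.test",
     "display": "Wei Zhang", "country": "DE", "attachments": ["schedule.xlsx"]},
]
NEW_MESSAGES = [
    {"to": "ops@example-coldchain.test", "from": "wei.zhang@mail-login.test",
     "display": "Wei Zhang", "country": "XX", "attachments": ["invoice.html"]},
    {"to": "ops@example-coldchain.test", "from": "dispatch@carrier.test",
     "display": "Carrier Dispatch", "country": "DE", "attachments": ["manifest.pdf"]},
]
```

Calling `flag_all(NEW_MESSAGES, HISTORY)` reports only the first message, with all three reasons; the routine carrier mail is left alone.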
For the foreseeable future, heightened awareness and a strong security posture are vital to the protection of the COVID-19 vaccines. The health of the global population, as well as the global economy, depends upon how well we can guard the vaccine supply and distribution chain until vast swaths of people are inoculated against a deadly virus. At the close of the very trying and unusual 2020, we were reminded to focus time and energy on what we can control, and that means deploying strong security best practices. Perhaps through the steps shared above, we can make 2021 more challenging for the attackers, but brighter for the rest of us.
About the author
Samantha (Sam) Humphries has been happily entrenched in the cybersecurity industry for over 20 years. During this time, she has helped hundreds of organizations of all shapes, sizes, and geographies recover and learn from cyberattacks, defined strategy for pioneering security products and technologies, and is a regular speaker at security conferences around the world. In her current regeneration, Sam is part of the global product marketing team at Exabeam, where she has responsibility for anything that has “cloud” in the name. She authors articles and blogs for various security publications, has a strong passion for mentoring, and often volunteers at community events, including BSides, The Diana Initiative, and Blue Team Village (DEFCON).
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.