Image Credit: Dimitri Houtteman via Unsplash
08.02.2021

Corona vaccines: Cyber attacks on supply chains


No sooner had the first positive news about Corona vaccines arrived than cybercriminals were gearing up: Corona vaccinations as a hook for phishing attacks, espionage and sabotage of research results, attacks on supply chains and dubious offers of counterfeit vaccines on the darknet. Cybercriminals were quick to exploit the topic for their own ends. How can they be stopped?

Since the beginning of the pandemic, “Corona” has been a popular topic for phishing campaigns. Once the first pharmaceutical companies reported their successes in producing a vaccine, phishers simply adapted the subject lines of their phishing emails to the current situation. Now they are conducting their criminal social engineering with the hook “vaccinations” or “vaccination appointments”.


Direct attacks on vaccine manufacturers

In addition to these newly labeled phishing attacks, the number of direct attacks on vaccine manufacturers is also increasing:

  • In mid-November, a high-ranking Microsoft manager reported on a company blog about cyberattacks on seven well-known vaccine manufacturers in Canada, France, India, South Korea and the USA. A hacker group from Russia and two from North Korea were named as the perpetrators of the attacks. All three groups are said to be in contact with government agencies.
  • In October, U.S. cybersecurity firm Crowdstrike reported attacks on Japanese vaccine labs. Here, the attacks are said to have come from China.
  • As early as July, intelligence services of the USA, Canada and England had held Russian hackers responsible, in a joint statement, for attacks on organizations involved in the development of corona vaccines. According to the British National Cyber Security Centre (NCSC), the hacker group “Cozy Bear”, which the NCSC believes is “almost certainly” operating as part of the Russian intelligence service, was targeting the “theft of valuable intellectual property”.
  • At the end of November last year, developers at the British-Swedish vaccine manufacturer AstraZeneca received fake emails with lucrative job offers, peppered with digital attack tools, with which the hackers wanted to gain access to the company’s computers. Anonymous sources suspect their origin in North Korea.
  • Last October, the branches of the Indian vaccine manufacturer Dr. Reddy’s in five countries fell victim to a large-scale cyber attack. This time, no Russian state hackers were involved: Dr. Reddy’s was entrusted with tests for the Russian corona vaccine Sputnik 5.


BSI: Cybercriminals take advantage of general uncertainty

The German Federal Office for Information Security (BSI) and the French security agency ANSSI have also presented a joint report on the cyber security situation in both countries. It shows that cybercriminals have reacted flexibly to the coronavirus pandemic and are deliberately exploiting the general uncertainty among companies and the population. The healthcare systems in both countries face the great challenge of fighting the pandemic and at the same time effectively arming themselves against possible cyber attacks. This is because clinics, vaccine manufacturers and their supply chains are increasingly in the focus of cybercriminals. “Outages in these areas can have devastating consequences that we cannot afford, especially in the midst of a pandemic,” says the BSI. For this reason, the Federal Office is also in intensive talks with the Federal Government about the protection of the logistics chains for vaccines.


Supply chains and cooling systems in the sights

After widespread attempts to spy on research results, hackers are increasingly targeting these supply chains (in this case, cold chains): They are trying to disrupt supply chains, shut down cold stores, or penetrate supply systems. An example from Israel shows that IoT systems in particular are quite vulnerable here: There, hackers tried to drastically increase the chlorine content of public drinking water. Imagine if the hackers had direct access to vaccine production and changed the respective proportions of the active ingredients. Even small changes to the formula can significantly impair its effectiveness. This could well end in a health catastrophe.

In addition to production, storage and the rather complex logistics are also possible points of attack. Attackers could target the corresponding temperature control systems and manipulate the storage temperature. This would greatly reduce the effectiveness of the vaccines. Logistics also offers an enormous attack surface, for example for a ransomware attack on the scheduling software, which could lead to delays in delivery and affect the schedule for the distribution of vaccines. In addition, storage rooms could become inaccessible and transport routes could fail.


Offers of fake vaccines on the darknet

Offers of vaccines have also multiplied on the darknet: There, doses of the BioNTech/Pfizer vaccine were offered for 250 euros per dose. Europol is also observing a massive increase of 400 percent in advertising for COVID-19 vaccines. Prices also rose significantly again in January to 400 to 1,000 euros per dose. In addition, doses are no longer sold individually, but in packages containing several vaccine doses.


Continued high risk of targeted attacks

Accordingly, the BSI also assesses the threat to German pharmaceutical companies and vaccine manufacturers as high. BSI President Schönbohm told Deutsche Welle: “There is still a risk of targeted attacks against research institutions. Companies must also do their part, for example by investing appropriately in information security.”

Organizations can take a few steps that provide immediate protection:

  • Awareness training to protect against phishing
  • Secure data in the cloud
  • Use secure VPN connections
  • Secure the browser
  • Protect data on all endpoints
  • Multi-factor authentication


Many of your employees are surely also interested in getting a vaccination appointment soon. This may make them all the more likely to open an e-mail that suggests it contains up-to-date information. For this reason, Perseus recommends that all companies sensitize their employees to the topic as quickly as possible through appropriate training, e.g. with simulated phishing attacks.

Please feel free to contact us: 030/95 999 80 80 (Mon – Fri 09:00-18:00 with the exception of public holidays) or by e-mail to info@perseus.de.
