Security Experts:

Connect with us

Hi, what are you looking for?



State-Sponsored Hackers Likely Behind Attacks on COVID-19 Vaccine Cold Chain

An unknown threat actor that is likely sponsored by a nation state is believed to be behind a recent phishing campaign targeting the COVID-19 vaccine cold chain, IBM Security reported on Thursday.

An unknown threat actor that is likely sponsored by a nation state is believed to be behind a recent phishing campaign targeting the COVID-19 vaccine cold chain, IBM Security reported on Thursday.

The company’s researchers believe the attacks started sometime in September and evidence suggests that the attackers have targeted organizations in at least six European and Asian countries.

The targets appear to be associated with the Cold Chain Equipment Optimization Platform (CCEOP) of Gavi, the Vaccine Alliance, whose main goal is to improve access to vaccines in poor countries. The CCEOP was launched a few years ago by Gavi and its partners due to the need for temperature-controlled environments to ensure that vaccines remain cold and effective until they reach their destination.

The coronavirus pandemic and the approval of COVID-19 vaccines are leading to an increase in demand for such solutions so it’s not surprising that entities related to the CCEOP have been targeted.

The attacks observed by IBM involved phishing emails apparently coming from an executive at Haier Biomedical, a Chinese firm that is qualified for the CCEOP program and which is said to be the only complete cold chain solutions provider in the world. The phishing emails, posing as a request for quotation related to the CCEOP program, were sent to executives in IT, sales, procurement and finance departments, and in some cases to a wide range of employees within the targeted organization.

The emails contained an HTML file that instructed recipients to enter their credentials in order to view its content. By attaching the phishing page directly to an email, the attackers can reduce the risk of their phishing pages being detected and shut down.

IBM Security researchers believe that the goal of the campaign may have been to collect credentials that would give the attackers access to internal communications and information on the distribution of a COVID-19 vaccine.

Targets of the attack included the European Commission’s Directorate General for Taxation and Customs Union, which could serve as an entry point to high-value organizations across the European Union, as well as companies in the IT, energy and manufacturing sectors that could provide access to valuable information related to the distribution of a coronavirus vaccine. Targeted organizations have been notified, but it’s unclear if any of them took the bait.

“However, the established role that Haier Biomedical currently plays in vaccine transport, and their likely role in COVID-19 vaccine distribution, increases the probability the intended targets may engage with the inbound emails without questioning the sender’s authenticity,” IBM Security explained in a blog post.

IBM has not been able to definitively link the campaign to a known group, but its sophistication and targets suggest that it’s a state-sponsored operation.

“Without a clear path to a cash-out, cyber criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets,” it explained. “Likewise, insight into the transport of a vaccine may present a hot black-market commodity, however, advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target.”

It would not be surprising to learn that a state-sponsored threat actor is indeed behind these attacks given the accusations made since the start of the pandemic by various countries. The US has accused China, the UK has accused Russia, and Microsoft has accused both Russia and North Korea of targeting vaccine research.

Related: Kremlin Denies UK Claims of Vote Meddling, Vaccine Hacking

Related: Russia Denies Microsoft Claims of Healthcare Cyber Attacks

Related: China Accuses US of ‘Slander’ Over Coronavirus Research Hacking Claims

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.