In early December 2020, as United States and European governments readied their distribution plans in anticipation of coronavirus disease 2019 (COVID-19) vaccine authorization, law enforcement agencies prepared for an onslaught of criminal activity and organized crime linked to COVID-19 vaccine distribution. Similar to the predatory criminal behavior seen earlier in the pandemic, an increase in cybercriminals advertising and selling fake vaccines was expected. Even before vaccines were authorized, the International Criminal Police Organization (INTERPOL) reported having found 1,700 purported online pharmacy websites hosting cyber threats such as phishing and spamming malware. In addition to these consumer-targeted schemes, there were also reports of cyberattacks targeting COVID-19 vaccine manufacturers and public health organizations. This cyber threat activity became so severe that INTERPOL issued an “Orange Notice” warning of organized crime efforts to infiltrate or disrupt COVID-19 supply chains. Shortly thereafter, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint security alert highlighting the risk to the COVID-19 vaccine distribution chain.
Included in this alert was information provided by the IBM Security X-Force Threat Intelligence task force — which is dedicated to monitoring COVID-19 cyber threats — describing a global phishing campaign targeting organizations associated with the COVID-19 vaccine distribution chain. Notable targets included three leading COVID-19 vaccine manufacturers and distributors, as well as “cold chain” companies — those responsible for safely storing and transporting the vaccines. As part of this campaign, cyber threat actors sent spear-phishing emails directly to executives in sales, procurement, IT, and finance positions at pharmaceutical companies developing vaccines. These emails used malicious HTML attachments, disguised as “Requests for Quotations,” to conduct “credential harvesting” attacks and steal the logins and passwords for many of the victims’ accounts. It was recently reported that the scope of the attack was much broader than initially thought. Victims also included biomedical research organizations, medical equipment manufacturers, pharmaceutical firms, surgical material makers, immunology experts, and pharmacies distributing COVID-19 rapid tests. Logistics and transportation companies were also heavily targeted, including eight companies in the automotive, aviation, maritime, and transport services sectors across Italy, Korea, Japan, Colombia, and the US.
Unfortunately, since December, disruptive attacks like these have not only persisted, they are now starting to expand to other sectors of the COVID-19 supply chain. As many states begin to close mass vaccination sites and divert resources to community health care providers, cyber threats against health care providers have also started to grow at an exponential rate. On May 20, 2021, the FBI issued a new cyber flash alert warning health care providers of at least 16 different ongoing ransomware attacks directed at health care providers and other first responders — all by just one ransomware gang. Ransomware is malware that, once inside a victim company’s network, encrypts the data stored on its systems and denies the victim access to that data. The responsible cybercriminals then offer to decrypt the data for a hefty ransom, recently as high as $25 million. The FBI noted that these ransomware gangs gain access to victim networks through malicious email links, attachments, and stolen remote desktop protocol (RDP) credentials. They have even gone so far as “weaponizing” Microsoft Word documents with embedded malicious PowerShell scripts.
In its recent flash alert, the FBI recommended steps health care providers can take to help mitigate these cyber threats. These steps include, but are not limited to:
- Regularly back up data and password protect backup copies offline;
- Implement network segmentation;
- Implement a recovery plan to maintain copies of sensitive or proprietary data;
- Install updates and patch operating systems, software, and firmware as soon as these updates are released;
- Use multi-factor authentication;
- Use strong and secure passwords and make sure to regularly change them;
- Disable RDP ports;
- Require administrator credentials to install software;
- Audit user accounts with administrative privileges;
- Install and regularly update antivirus and anti-malware software;
- Add a banner to email messages not coming from your organization;
- Disable hyperlinks in received email; and
- Focus on cybersecurity awareness and training. Train users to identify and avoid malicious emails that release malware into your systems.
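Several of the items above can be checked on a Windows host with a short audit script. The script below is an added example, not part of the FBI alert or this article; it assumes Windows 10 / Server 2016 or later with Microsoft Defender, run from an elevated PowerShell session, and only reports findings, changing nothing.

```powershell
# Added audit script (not from the FBI alert): checks a Windows host against
# several items in the list above and reports findings. Assumes Windows 10 /
# Server 2016 or later with Microsoft Defender, run elevated. Read-only.
$findings = @()

# "Disable RDP ports": fDenyTSConnections = 1 means Remote Desktop is disabled.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -ne 1) { $findings += 'Remote Desktop is enabled (fDenyTSConnections != 1)' }
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' }
if ($rdpRules) { $findings += "Firewall allows RDP: $(@($rdpRules).Count) 'Remote Desktop' rule(s) enabled" }

# "Audit user accounts with administrative privileges": list local Administrators.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
$findings += "Local Administrators group has $($admins.Count) member(s): $($admins.Name -join ', ')"

# "Install and regularly update antivirus": Defender state and signature age.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled) { $findings += 'Microsoft Defender antivirus is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt 3) { $findings += "Defender signatures are $([int]$sigAge.TotalDays) days old" }

# "Install updates and patch ... as soon as released": date of the most recent hotfix.
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix -and ((Get-Date) - $lastFix.InstalledOn).TotalDays -gt 30) {
    $findings += "Last hotfix $($lastFix.HotFixID) was installed $($lastFix.InstalledOn.ToShortDateString())"
}

# "Require administrator credentials to install software": UAC must be on.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA
if ($uac.EnableLUA -ne 1) { $findings += 'User Account Control (EnableLUA) is disabled' }

# The alert describes Word documents carrying PowerShell scripts; script block
# logging records such scripts so defenders can detect them after the fact.
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) { $findings += 'PowerShell script block logging is not enabled' }

"Audit of $env:COMPUTERNAME ($(Get-Date -Format s)):"
$findings | ForEach-Object { " - $_" }
```

Items such as offline backups, network segmentation, and multi-factor authentication depend on infrastructure outside the host and are not covered by this script.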
This troublesome trend shows that the COVID-19 cold chain is under attack daily. Cyberattacks against all actors in the COVID-19 supply chain, from manufacturers to health care providers, will only continue over the coming weeks and months. It is time for all health care providers to take a more proactive role in protecting their infrastructure and facilities — facing the growing reality that the American health care sector is under cyberattack.