We’ve already seen our fair share of pandemic-driven fraud and cybercrime, but what can we expect as vaccine rollouts pick up pace worldwide? Raymond Pompon, Director of F5 Labs, responds.
Cyber espionage to steal vaccine data
A viable vaccine is valuable intellectual property. Beyond the pharmaceutical formula itself, even data on testing and drug trials can be valuable to an organisation working to develop its own drug. With countries struggling to secure an effective vaccine, such data is a tempting target. We’ve already seen some attacks.
In late 2020, North Korean cyber attackers reportedly targeted the vaccine maker AstraZeneca in the UK. They apparently used spear phishing via social media to try to inject malware by way of job description documents. Over the summer, Russian cyber attackers were also detected in a vaccine theft attempt.
Threat actors on the hunt for vaccine data are advanced cyber attackers, either working for or hired by nation states. This makes them the most capable and well-resourced threat that organisations could face.
The goal of these attackers is unauthorised access to information, such as data related to research proposals, drug development, manuscripts, virus testing, clinical trials, and drug manufacturing.
Healthcare and drug research facilities tend to have elevated security controls to protect their intellectual property. However, cyber-attacks will also target their business partners and third parties, which may have lower levels of security.
The likelihood of vaccine cyber espionage is high, and we’ve already seen attacks targeting coronavirus research organisations, including academic institutions, biomedical research laboratories, pharmaceutical companies, hospitals, and drug manufacturers.
Sabotage the vaccine pipeline
In October 2020, a large U.S. clinical trial software manufacturer involved in coronavirus drug testing experienced a ransomware attack. And we’ve seen ransomware and malware hitting hospitals regularly.
In 2017, the NotPetya malware attack that targeted Ukraine appeared to be ransomware, but experts later concluded that it was a denial-of-service weapon wielded by Russian threat actors. The software was designed to be more crippling than ransomware: not just encrypting data but wiping it out permanently.
The cooling systems required by vaccines are also vulnerable to cyberattack, especially if they are tied to IoT controls. As we’ve seen over the years, IoT systems have very poor security controls and are often subverted and infected by malware. We have also seen anti-vaccine activists in trusted positions physically sabotaging vaccine cooling systems. IoT tampering would be much easier and potentially harder to trace.
Cybercriminals could stand to make a lot of money by slowing or crippling vaccine distribution efforts. But it also would be easy for competitor nation states to use ransomware (and cybercriminals) to conceal other sinister moves such as slowing down a nation’s recovery. Right now, the vaccine pipeline is as essential as much of our other critical infrastructure.
Vaccine saboteurs are likely to be highly motivated and well-resourced, and the newer versions of ransomware are faster, smarter, and stealthier than before. Attackers are looking to deny access to data and critical computing resources, either short-term for ransom payment or as long as possible to sabotage the rollout.
Many targeted facilities are regulated and aware of the threat of malware. But, again, third parties are a potential Achilles heel. Many smaller clinics, retail drugstores, regional government agencies, and other entities with reduced cybersecurity capabilities are also potential victims.
Using stolen vaccine data for disinformation
In October of 2020, the Centre for Countering Digital Hate reported that 50 million people follow anti-vaccine groups on social media. In January of 2021, regulatory data regarding the COVID-19 vaccine was stolen by cyber attackers, reportedly to fuel disinformation campaigns.
In the past, F5 Labs wrote about how hacktivists can use doxing (the unauthorised release of private or personal information) to intimidate or embarrass an opponent. We also noted that leakers can release carefully curated and incriminating emails or confidential documents, which can be effective against organisations or public figures. Sometimes they will modify leaked vaccine data prior to publication in an attempt to sow disinformation.
Vaccine cyber thieves
The most proficient attackers are hostile nation states that use misinformation to slow down vaccinations.
There are also the anti-vaxxers, who tend to act as a loose confederation.
It is important to note that the anti-vaxxer movement isn’t only about fear or ignorance, but also about profit. There are individuals and groups attempting to discredit vaccines in order to sell alternative medical therapies for COVID-19.
The attackers’ goal here is to violate confidentiality by stealing data for disclosure. They may modify that stolen data to help sway opinion. The targeted assets are the same as the cyber espionage attacker’s, most notably research data, virus testing, and clinical trials that show side effects or potential problems.
Most targeted organisations will be subject to regulation and intellectual property protection. However, their connections with third parties can expand the attack surface. Furthermore, individual researchers’ personal accounts, such as home emails, are also potential targets. These could perhaps hold personal notes expressing vaccine doubts, which attackers could use to influence opinion.
Hacking the vaccine appointment system
The likely attackers here would be individuals with hacking skills and cyber criminals looking to sell vaccine access. Their capabilities would be variable but tending toward the lower end of the scale. There is a profit to be made, but it’s not as lucrative and easy as other cybercrime schemes. The ultimate goal is to weaken the integrity of the appointment system by unauthorised modifications or additions to the waiting list.
The controls around the vaccine registration systems are likely to be highly variable, but also tending towards the higher side, as they are also regulated medical systems.
Evidence of this type of criminal activity is starting to emerge. For example, a healthcare provider in Michigan recently cancelled 2,700 vaccine appointments after a breach allowed people to cut in line. The attempt failed, and the likelihood of similar successful attacks remains on the low side. There is a considerable risk of getting caught. Less traceable methods of getting early access to vaccines like bribing medical professionals are more likely.
Mitigation against vaccine cyberthreats
If you or your organisation have any role in the vaccine supply chain, you should evaluate your security and strengthen defences accordingly. The two most probable attacks are either by phishing or web attacks.
If you are an individual, a good resource is the Department of Justice Coronavirus Response web page, which gives information about COVID-19 fraud and steps to take to prevent or combat it. Before you start sharing personal or financial information online, it’s a good idea to double-check the request with state or local health department websites as well as the Centers for Disease Control and Prevention (CDC). You should never share health or financial information over untrustworthy Internet channels such as email or social media.
One warning though: Don’t spend too much time trying to figure out how attackers think. Even if we could perfectly understand their motives and methods (and we can’t), they will shift over time. The key is to assess the most likely kinds of attacks each system and asset could face, and build defenses for them accordingly.