Phishing Attack Targeted German COVID-19 Task Force FirmVictimized Company Tasked With Procuring Personal Protective Equipment
An ongoing phishing campaign has targeted top officials at a German multinational company tasked with the procurement of personal protective equipment during the COVID-19 pandemic, according to cybersecurity researchers at IBM X-Force Incident Response and Intelligence Services.
This phishing campaign, which started March 30, targeted more than 100 high-ranking management officials in operations, finance and procurement at the unnamed multinational corporation as well as its third-party supply chain partners, which include American and European companies, according to IBM.
The targeted firm is part of the German government's private sector task force commissioned to leverage international contacts to obtain medical equipment for healthcare providers treating COVID-19 patients.
This "precision targeting" phishing campaign aims to steal Microsoft credentials, which would allow the attackers to access the victim's accounts, give them the ability to steal data and move laterally through the firm's IT network, the report says.
"It's possible that attackers could collect information associated with the production of PPE, communications between suppliers, details surrounding logistics and transport routes, all of which could support broader objectives to gather intelligence on certain nations or companies' strategies and resources," Nick Rossmann, lead for research and operations at IBM X-Force IRIS, tells Information Security Media Group.
The phishing attempts started on the same day the German government met with and commissioned nine of the country's top multinational corporations to be part of the COVID-19 task force, according to the IBM X-Force report. About 40 organizations have been targeted by the campaign but it is unclear if any of the phishing attacks have been successful, the report adds.
"Based on our analysis, attackers likely intended to compromise a single international company's global procurement operations, along with their partner environments devoted to a new government-led purchasing and logistics structure," IBM reports.
Personal protective equipment for healthcare workers has been in short supply because of the pandemic, which has resulted in an "unprecedented leap in prices and competition." This means it's likely that criminal and state-sponsored actors will seek to exploit the procurement process for their own needs, according to IBM.
Rossman says that although there isn't enough information to identify the threat actor behind this attack, various characteristics of the campaign suggest that it is likely a state-sponsored threat actor, as financially motivated cybercriminals don't usually invest the kind of time that this campaign required.
"This is a very precise campaign: the timing of the suspicious activity coinciding with the announcement of the task force to the day, the specific companies being targeted, as well as the specific departments/executives being targeted, show us that this is a very calculated operation," says Rossman.
The researchers found more than 280 URLs tied to a Russia-based IP address and over a third of them had Base64 encoded email IDs that belong to officials at the targeted multinational corporation and companies that made up its third-party supply chain, according to the report.
The phishing emails were delivered through encoded URLs that redirect the victims to a fake Microsoft login page where they are urged to enter their credentials, which are then exfiltrated to several Yandex accounts, the report says.
The attacks were carried out on companies involved in chemical manufacturing, aviation and transport, medical and pharmaceutical manufacturing, finance, oil and gas, and communications, according to the report.
IBM X-Force IRIS has informed the targeted multinational corporation and the German Computer Emergency Response Team about these attacks.
Other COVID-19 Attacks
Other healthcare centers, research facilities and other organizations battling the COVID-19 pandemic have been also targeted by hackers.
In May, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency warned that hacking groups linked to the Chinese government are targeting research and healthcare facilities that are working on developing vaccines, testing procedures and treatments for COVID-19 (see: US Says China-Linked Hackers Targeting COVID-19 Researchers).
CISA and United Kingdom's National Cyber Security Center also issued a joint warning to medical institutions, pharmaceutical companies, universities and others about "password spraying campaigns" by advance persistent threat groups linked to nation-states attempting to steal COVID-19 research data (see: Alert: APT Groups Targeting COVID-19 Researchers).
Managing Editor Scott Ferguson contributed to this report.