Covid-19 vaccines supply chain has become a target for cybersecurity attacks. How real is the threat?
by Damiano Peruzzi – PQE Group
In the constantly evolving landscape of cybercrime, two aspects make tackling cyber threats increasingly urgent. The first is the rapid scaling of cyber targets, which in the last few years have changed from single, specific computers to distributed systems and networks of companies. The second is the nature of the threat actor: no longer solely isolated and independent criminals, but increasingly specialized forces of nation states. The most recent news on cybersecurity incidents specifically targeting the production and distribution of Covid-19 vaccines shows that this trend is escalating very rapidly and that cybersecurity culture still lacks effectiveness: the vast majority of the companies that could now be considered new cyber targets (e.g. third-party suppliers, distributors, and so on) do not have a clear plan for dealing with cyberattacks.
International Vaccine supply chain targeted by cyber-espionage, IBM reports.
On December 3rd 2020, BBC News published an article on its website reporting a statement by IBM according to which the international vaccine supply chain was targeted by cyber-espionage, with particular attention to the cold supply chain for COVID-19 vaccines. According to IBM, an international phishing campaign started in September 2020, sending fake emails to organizations across 6 countries linked to the Cold Chain Equipment Optimization Platform (CCEOP) of Gavi, the international vaccine alliance. Attackers impersonated a business executive from a legitimate Chinese company involved in CCEOP’s cold supply chain to obtain login credentials and gain insight into infrastructure, purchases and movements concerning the vaccines. The campaign reached a broad spectrum of companies involved in the COVID-19 operation, such as companies manufacturing solar panels, which can be used to keep vaccines cold in places where reliable power is not available; a South Korean software-development company; and a German website-development company, which supports clients associated with pharmaceutical manufacturers, container transport, biotechnology and manufacturers of electrical components for communications.
A systemic cybercrime approach, escalating to the nation-state level.
This high-impact news, although not an isolated case, shows the two most important aspects to keep in mind today. First, more and more often a “target” is not a “single point” in cyberspace. To draw a parallel, it is not like a specific house being targeted by a burglar who wants to break into it. Today a great deal of valuable information is exchanged among different players in an interconnected network. It is like the burglar observing the whole block of houses and gathering, in the easiest way possible, the information fundamental to achieving their purpose. This time, therefore, the target was not a single pharmaceutical company but the whole supply chain network, which makes this information-gathering campaign a high-impact one.
Second, the precision targeting and the nature of the specific targeted organizations potentially point to nation-state activity, says IBM. And that is the point. A growing number of cyber threats come not from independent hackers (or groups of hackers) but from foreign states, which makes these attacks exponentially more dangerous and increases their striking power. More like a SWAT assault than a random burglar.
McAfee reports cybercrime is worth over $1 trillion in hidden costs globally.
But what does all this mean? To take a more practical look at the global situation, The Washington Post recently reported on a McAfee study of the global cost of cybercrime.
Since 2018, McAfee estimates that the cost of global cybercrime has reached over $1 trillion globally. The estimated monetary loss from cybercrime is approximately $945 billion. Added to this was global spending on cybersecurity, which was expected to exceed $145 billion in 2020. Today, this is a $1 trillion drag on the global economy. Their 2018 report found that cybercrime cost the global economy more than $600 billion. The new estimate suggests a more than 50% increase in two years.
“The increase in cybercrime stems in part from the dramatic shift in the threat landscape in just the past two years,” said Grobman, senior vice president and chief technology officer at McAfee, “as hackers move from targeting specific machines or users to whole organizations,” and to networks of organizations, we would add. “There can also be a residual impact when a company is a part of a supply chain,” Grobman notes. A 2017 attack on Danish shipping company Maersk disrupted operations for two weeks and cost the company $300 million. And the “vaccine case” confirms this tendency, unfortunately.
Moreover, The Washington Post states, cybersecurity officials have warned of an increase in efforts by Chinese hackers to steal U.S. business secrets and research. Specific cases aside, this confirms the evolutionary trend shown by the cyberattack on the vaccine supply chain.
Companies lacking countermeasures like a cybersecurity plan against cybercrime.
A tricky question arises naturally: are companies, whether public or private, ready for this new scenario? The question is tricky but the answer is trivial. Despite a spike in crime, many companies lack a clear plan for dealing with cyberattacks, the McAfee report confirms. More than half of the 1,500 organizations surveyed for the report said they lack plans to both prevent and respond to an incident. Only a third of the organizations that had plans said their plans were actually effective. Hence, our house does not even have a good alarm system to prevent intrusions.
Are your systems really safe from cyber-attacks? Secure your systems from potential hacking and cyber threats.
PQE supports your business with holistic cybersecurity plans, complete with penetration tests, vulnerability assessments, and end-user awareness plans, to keep IT infrastructure, systems and the supply chain safe from any kind of cyber threat, such as hacking, phishing, social engineering, spear phishing, ransomware, etc., without any loss of business performance.