By Maggie Miller, THE HILL, 12/06/20
Government officials and health-care groups are growing increasingly concerned about nation states and criminal hackers targeting the supply chain for COVID-19 vaccines.
Concerns have been amplified as the U.S. prepares to roll out the first vaccines later this month, with groups involved in creating and shipping the vaccines a prime target for potential cyberattacks.
“We have noticed an uptick in attacks against all aspects of the vaccine supply-chain from research through to manufacturing and distribution,” Marc Rogers, the executive director of cybersecurity at software group Okta, told The Hill on Friday.
Rogers, who helps lead the COVID-19 CTI League that tracks and helps defend against cyberattacks aimed at health groups, noted that the League has seen “ramped up” cyberattacks aimed at medical institutions corresponding to increasingly positive news around vaccine development.
“My suspicion is that all parties in the cybercriminal underground from ordinary criminals to nation states recognize that the vaccines represent a golden opportunity and are responding as such,” Rogers said.
North Korea has been among such nations, with The Wall Street Journal reporting recently that North Korean hackers targeted at least six pharmaceutical groups in the U.S., the United Kingdom and South Korea involved in developing a vaccine, including Johnson & Johnson and Novavax.
“All CISOs [chief information security officers] in health care are seeing attempted penetrations by nation state actors, not just North Korea, every single minute of every single day,” Johnson & Johnson CISO Marene Allison said at the Aspen Institute’s virtual Cyber Summit earlier this week.
A spokesperson for Novavax told The Hill in a statement Friday that the company was “aware of ongoing foreign threats identified in the news.”
“We are confident we can continue to progress with our COVID-19 vaccine candidate without disruption and that these incursions do not pose a risk to the integrity of our data,” the spokesperson said.
But as concerns have grown in recent weeks around the process to store, ship and deliver COVID-19 vaccines once they are approved, hackers are increasingly eyeing non-health care groups in the vaccine supply chain as potential targets.
Cold storage groups — which are necessary for shipping and storing COVID-19 vaccine candidates at extremely low temperatures, such as one recently rolled out by Pfizer — have been increasingly in the crosshairs.
A report last week from IBM warned of a “global phishing campaign” targeting groups associated with cold storage for the COVID-19 vaccine process. Researchers wrote that “the precision targeting of executives and key global organizations hold the potential hallmarks of nation-state tradecraft.”
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) put out a corresponding alert encouraging U.S. organizations involved in the Operation Warp Speed vaccine distribution effort to review IBM’s findings.
At least one major cold storage group had already been targeted before those alerts were issued.
Americold, the largest cold-storage provider in the U.S. and a global operator of cold storage warehouses, disclosed to the Securities and Exchange Commission (SEC) in November that it had discovered that its networks had been hit by a cyberattack.
“The Company took immediate steps to help contain the incident and implemented business continuity plans, where appropriate, to continue ongoing operations,” the company wrote in the filing. “The Company has notified and is working closely with law enforcement, cybersecurity experts and legal counsel.”
André Pienaar, founder of the firm C5 Capital, which helped form a group of around 40 major cybersecurity companies known as the Cyber Alliance to Defend Our Healthcare, pointed to the attack on Americold as an example of a weak link in the vaccine supply chain.
“The point of attack in the supply chain that the hackers targeted have been the cold storage facilities,” Pienaar told The Hill. “Cold storage companies are dismally underinvested in cybersecurity and the hackers can enter their systems by hacking the industrial controls rather than phishing emails.”
Cold storage groups are not the only organizations related to COVID-19 vaccines and treatments that have been targeted.
Meredith Harper, CISO of pharmaceutical group Eli Lilly, which has worked to develop a COVID-19 antibody drug, said at the Aspen Institute summit that her company had seen a major spike in attacks on third-party groups associated with carrying out Eli Lilly’s work.
“Probably this year we have done way more incidents around our third parties than we’ve seen in the last few years,” Harper said.
Government officials say they are aware of the threats to the vaccine supply chain and are working to address them.
Acting CISA Director Brandon Wales said that his agency is working with the National Security Agency and the FBI to ensure that the Operation Warp Speed vaccine supply chain process remains secure. He noted that foreign nations had targeted COVID-19 vaccine research and development initiatives since the start of the pandemic.
“There is more that we need to do to push deeper and further into these supply chains, not just the big companies behind the vaccine, but the companies that are going to be essential to get this vaccine from manufacturing through distribution, that last mile to the American people,” Wales said at the Aspen Institute summit last week.
Pienaar said that beyond the vaccine supply chain, his group has also tracked threats to patient data collection associated with immunization.
“Effective immunization programs depend on accurate data collection systems and software,” Pienaar said. “Our threat intelligence is that this will be the next attack vector for hackers.”
Rogers noted that while the impending COVID-19 vaccine approval and rollout is good news for public health, the threat of cyberattacks interrupting the process remains high.
“We may be nearing what looks like the finish line, but now is not the time for us to take the eye off the ball,” Rogers said. “We need to double down on vigilance and ensure that key entities in the distribution of these much needed vaccines are watched and guarded 24×7.”