FAIR Institute Blog

Hacking the COVID Cold Chain: A Health Care Sector Example of FAIR

Apr 26, 2021 4:06:32 PM / by Colin Connor and Itzik Kotler

In September 2020, our IBM X-Force IRIS security analysis group began tracking strange phishing attacks targeting suppliers of HVAC equipment and services. Looking deeper, we determined that the phishing attacks were targeting the “cold chain” that would likely distribute vaccines for COVID-19.

The activity started well before the success of the Moderna and Pfizer vaccines was announced. Both vaccines require storage at low temperatures, with the Pfizer vaccine requiring storage at minus 70 degrees Celsius. This requirement forces health care institutions either to purchase expensive super-cold freezers that most do not have, or to handle the vaccine in customized containers filled with dry ice.

The proactive thinking of the attacker showed significant sophistication. From this, we determined that the phishing attacks were likely the work of state actors or cybercriminal gangs. The attacks used thoughtful social engineering, spoofing leading executives from a company called Haier Medical in requesting RFPs from executives at COVID cold chain companies.


About the authors: Colin Connor is Global Threat Intelligence Strategic Analyst for IBM X-Force Threat Intelligence. Itzik Kotler is CTO for SafeBreach

IBM is a sponsor of the FAIR Institute.


Based on this information, we completed a FAIR™ assessment of the risk to the COVID cold chain. The assessment was concerning. Because of the pressure to distribute vaccines and the urgency and shortage of production, this COVID cold chain is a desirable target that could be leveraged for many types of gains:

  • Gathering illicit intelligence to steal shipments and resell them on the black market
  • Launching ransomware attacks and extracting large payments from nation-state actors
  • Conducting geopolitical warfare or attacks that undermine a government's longer-term position and credibility by hindering vaccine distribution

With a FAIR approach, we were able to quickly alert and communicate the severity of the risk to the highest levels of our customers in industry, research, and government. This campaign is an outlier. By way of comparison, a wave of fake websites and phishing attacks focused on COVID appeared earlier this year. Those attacks sought to fuel credential stuffing and PII harvesting, but they were not nearly as targeted or focused as the COVID cold-chain attacks. Communicating the difference between even similar threat types is therefore paramount in supplying proper protection.

Conclusion: Quantification, Communication, Remediation, Validation

Taking this a step further, we would recommend organizations in the COVID cold chain mount a comprehensive threat analysis program. We did this for our exposed customers using Breach-and-Attack Simulation (BAS). We focused on phishing attacks, potential lateral traversals, and all other likely resulting secondary attack types that we have seen targeted at healthcare organizations or other COVID-facing organizations. 

Based on our efforts, we have made many remediation recommendations to clients and then used BAS to validate that the remediations would block the indicated attack types in production environments. 

In the future, we plan to automate remediation steps based on FAIR quantification results and continuously tune our threat intelligence and vulnerability management engines to reflect better coordination between quantification (FAIR) and remediation (BAS).

Only with this type of rigorous approach can organizations keep up with the rapid pace of innovation and change among cybercriminals. With better communication tools, we can improve the response speed and general security metabolism of organizations facing ever greater risk.

