In the fall of 2020, many countries began to require that travelers test negative for the new coronavirus before crossing their borders. As with anything of value, a black market soon emerged. Travelers could illicitly purchase forged negative COVID-19 test results and try to fake their way through the checkpoint.1 Goodness knows, we’ve already seen our fair share of pandemic-driven fraud and cybercrime. So now as we begin the vaccine rollout, what can we expect from the cyber attackers?
We’re going to break down the possible attacks by examining each major threat scenario, looking at the likely attackers and their motivations and capabilities. We’ll also look at their specific attack objective as per the cybersecurity CIA triad. On the defense side, we’ll look at the targetable assets for that scenario and the security controls in place. Based on this, we can make a general forecast about the risk of that scenario happening. Got it? Okay, let’s go.
Cyber Espionage to Steal Vaccine Data
We wrote about how nation states will use advanced attackers to commit economic espionage and steal billions of dollars in intellectual property. A viable vaccine is a very valuable piece of intellectual property. Beyond the pharmaceutical formula itself, even data on testing and drug trials can be valuable to an organization working to develop its own drug. With some countries struggling to secure an effective vaccine,2 such data is a tempting target.
We’ve already seen some attacks. In late 2020, North Korean cyber attackers reportedly targeted the vaccine maker AstraZeneca in the UK.3 They apparently used spear phishing via social media to try to inject malware by way of job description documents. Over the summer, Russian cyber attackers were also detected in a vaccine theft attempt.4
Vaccine Cyber Espionage Attackers and Their Goals
Threat actors in this case are advanced cyber attackers, either working for or hired by nation states. This makes them the most capable and well-resourced threat that organizations could face.
The goal of these attackers is unauthorized access to information, which can include data related to research proposals, drug development, manuscripts, virus testing, clinical trials, and drug manufacturing.
Vaccine Cyber Espionage Defenses in Place
Healthcare and drug research facilities do have elevated levels of security controls due to the requirements for protecting intellectual property. In the United States, these organizations fall under both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Food and Drug Administration's Title 21 of the Code of Federal Regulations, Part 11 (FDA 21 CFR Part 11), which both mandate a high level of security. However, cyber attacks will also target business partners and third parties, which may have lower levels of security.
The likelihood of vaccine cyber espionage is high, and we’ve already seen attacks targeting a wide range of coronavirus research organizations. Among them: academic institutions, biomedical research laboratories, pharmaceutical companies, hospitals, and drug manufacturers.
Sabotage the Vaccine Pipeline
The entire world is racing to vaccinate its population before the coronavirus infects any more people. Also, the faster a population is vaccinated, the faster it can get back to rebuilding its economic systems. But for some nations, winning that race also means a head start against countries seen as competitors. For many unscrupulous actors, victory can be had not only by being fast, but also by slowing down the other racers.
If cyber attackers are looking to sabotage the vaccine pipeline, what would such an attack look like? In October of 2020, a large U.S. clinical trial software manufacturer involved in coronavirus drug testing experienced a ransomware attack.5 We’ve already seen ransomware and malware hitting hospitals regularly. Was this another typical ransomware attack? Or something else?
In 2017, the NotPetya malware attack that targeted Ukraine appeared to be ransomware, but experts later concluded that it was a denial-of-service weapon wielded by Russian threat actors. The software was designed to be more crippling than ransomware: not just encrypting data but wiping it out permanently.6
Additionally, the cooling systems required by vaccines are also vulnerable to cyberattack, especially if they are tied to IoT controls. As we’ve seen over the years, IoT systems have very poor security controls and are often subverted and infected by malware. We have also already seen anti-vaccine activists in trusted positions physically sabotaging vaccine cooling systems.7 IoT tampering would be much easier and potentially harder to trace.
Obviously, cybercriminals could stand to make a lot of money by slowing or crippling vaccine distribution efforts. But it also would be easy for competitor nation states to use ransomware (and cybercriminals) to conceal other sinister moves such as slowing down a nation’s recovery. Right now, the vaccine pipeline is as essential a conduit as much of our other critical infrastructure.
Once again, threat actors in this case are highly motivated and well-resourced. In addition, the newer versions of ransomware are faster, smarter, and stealthier than before. Attackers are looking to deny access to data and critical computing resources, either short term for ransom payment or as long as possible to sabotage the rollout.
Vaccine Saboteur Defenses in Place
Many targeted facilities are regulated and very aware of the existing threat of malware. However, as seen in the case of the U.S. clinical trial software manufacturer, third parties are also viable targets. For example, many smaller clinics, retail drugstores, regional government agencies, and other entities with reduced cybersecurity capabilities are also potential victims of bad actors in the vaccine rollout.
Probability of Occurrence of Vaccine Sabotage
Ransomware is already a highly profitable and attractive attack tool for cyber attackers, and it is still affecting the globe on an unprecedented scale. Whether vaccine distribution is targeted by nation states using ransomware for plausible deniability or because of normal cyber crime, ransomware is a highly likely threat to the vaccine pipeline.
Using Stolen Vaccine Data for Disinformation
In October of 2020, the Centre for Countering Digital Hate reported that 50 million people follow anti-vaccine groups on social media.8 That is a significant number of individuals looking to consume information (or disinformation) supporting their beliefs. Some of the most powerful “evidence” supporting their claims would come from actual researchers and scientists. In January of 2021, regulatory data regarding the COVID-19 vaccine was stolen by cyber attackers, reportedly to fuel these kinds of disinformation campaigns.9
In the past, F5 Labs wrote about how hacktivists can use doxing (or the unauthorized release of private or personal information) to intimidate or embarrass an opponent. We also noted that leakers can release carefully curated and incriminating emails or confidential documents, which can be effective against organizations or public figures. Medical regulators have already said that the leaked vaccine data was changed by the hacktivists prior to publication in a deliberate attempt to sow disinformation.10
Vaccine Cyber Thieves
The most proficient attackers are hostile nation states that use misinformation to slow down vaccinations, similar to sabotaging the vaccine pipeline discussed previously.
There are also the anti-vaxxers, who aren’t known to act collectively but rather as a loose confederation. Their capabilities would be highly variable but likely unsophisticated; the same for any griefers and pranksters who would be looking to sow chaos and anarchy for their own anti-social desires.11
An important thing to know is that the anti-vaxxer movement isn't only about fear or ignorance, but also about profit. There are individuals and groups attempting to discredit vaccines in order to sell alternative medical therapies for COVID-19.12
The attackers’ goal here is to violate confidentiality by stealing data for disclosure. They may modify that stolen data to help sway opinion. The authentic stolen data helps lend credibility to any modifications they may make to what is leaked. The targeted assets are the same as the cyber espionage attacker’s, most notably research data, virus testing, and clinical trials that show side effects or potential vaccine problems.
Vaccine Cyber Theft Defenses in Place
As stated previously, most of the targeted organizations are subject to regulation and intellectual property protection. However, also like before, third-party organizations with access to this data (such as providers of analysis tools) may have weaker security controls in place. In addition, individual researchers’ personal accounts, such as their home emails, are also potential targets. These emails could hold personal notes expressing vaccine doubts to friends and family, which attackers could use to influence opinion.
Probability of Occurrence of Vaccine Cyber Theft
Likelihood of these kinds of attacks is high, as it appears to already be happening. Furthermore, if you include third parties and individual researchers, there is a very wide attack surface—especially since information that can be misrepresented or manipulated for propaganda purposes need not be confidential or proprietary. It just needs to look legitimate.
Hacking the Vaccine Appointment System
Many countries and U.S. states are starting to create online appointment systems to manage the queue and prioritize vaccinations. Who gets the vaccine first can certainly be seen as a matter of life or death for some individuals. There will be a subset of the population with a strong desire to be vaccinated as soon as possible. In fact, there have already been accusations of people “cutting in line,” with some offering up to $25,000 for access.13 The question is: Will cyber criminals make use of this opportunity to hack those appointment systems?
Vaccine Appointment System Attackers
The likely attackers would be individuals with hacking skills and cyber criminals looking to sell vaccine access. Their capabilities would be variable, but tending toward the lower side of the capabilities scale. There is a profit to be made here, but it’s not as lucrative and easy as other cyber crime schemes. The goal of those attacking vaccine appointment systems would be to weaken the integrity of the appointment system by unauthorized modifications or additions to the waiting list.
Vaccine Appointment System Defenses in Place
The controls around the vaccine registration systems are likely to be highly variable, but also tending towards the higher side, as they are also regulated medical systems.
Overall, the likelihood of such successful attacks is somewhat low. One primary reason is that those who use illegal means to get an early vaccination will be placing themselves at considerable risk of getting caught. It seems more likely that individuals will attempt less traceable methods of getting early access to vaccines, such as bribing medical professionals.
Mitigation Against Vaccine Cyberthreats
One general piece of advice is obvious: If you or your organization have any role in the vaccine supply chain, you should evaluate your security and harden defenses as needed. The two most probable attack vectors are phishing and web attacks. F5 Labs has many resources on these topics, such as the 2020 Phishing and Fraud report and the ongoing Application Protection Research series.
If you are an individual, a good resource is the Department of Justice Coronavirus Response web page, which gives information about COVID-19 fraud and steps to take to prevent or combat it. Before you start sharing personal or financial information online, it’s a good idea to double-check the request with state or local health department websites as well as the Centers for Disease Control and Prevention (CDC). You should never share health or financial information over untrustworthy Internet channels such as email or social media.
These scenarios are a good exercise in risk analysis and how you can break down a vague threat into specific potential attacks. One warning: Don’t spend too much time trying to figure out how attackers think. Even if we can perfectly understand their motives and methods (and we can’t), they will shift over time. The key is to get a strong grasp of the most likely kinds of attacks that each system and asset could face, and then build the appropriate defenses for them.