Nick Rossmann, IBM Security X-Force Global Threat Intelligence Lead, joins Yahoo Finance's Kristin Myers to discuss new cyber attacks discovered on COVID-19 vaccination distribution operations.
KRISTIN MEYERS: Well, Homeland Security had to issue a warning after companies and organizations that will be participating in the coronavirus vaccine distribution faced cyber attacks. And researchers from IBM say they look to be government-sponsored.
So let's dive into this now with Nick Rossman, global threat intelligence lead at IBM Security X-Force. That is the cybersecurity division of the company and a very cool name, I have to add here, Nick. So these cyber attacks you guys say are likely to be government-backed because they're so sophisticated in nature. Which country is most likely to be trying to hack some of these systems?
NICK ROSSMANN: Well, Kristin, thanks so much for having me. What we saw was a global spearphishing campaign against organizations and the cold chain. So the cold chain is all the ways that the vaccine is stored and shipped to us, all the refrigeration mechanisms that need to go into it.
You know, I think when we think about the motivations behind this attack, we zero it in on a potential nation state behind this and just thinking about where they could stand to gain potentially from new refrigeration technologies that might be coming to market, how some of the petrochemicals are made and process to be able to keep vials safe and secure, but potentially even a disruptive or destructive attack that could wipe out vaccines.
KRISTIN MEYERS: So would it be China, Russia, North Korea? Which one of those-- which one of those countries do you think might be the most likely or maybe none of them?
NICK ROSSMANN: So what we took a look at-- whoever was behind this had their digital gloves on pretty tightly. They didn't leave any digital fingerprints behind for us to go back to. So we don't know for sure who it is. I think the motivation aligns to a country who's willing to make that investment into this.
What was really unique, though, is that the cover used was a Chinese biomedical company-- or excuse me-- manufacturing company Haier. And they are a legitimate manufacturer. Now we think that the operators behind this impersonated them, right? It wasn't emails coming directly from that company. But it's vital to see how precise this campaign was in specific targeting these organizations.
KRISTIN MEYERS: So I want to go back to a little bit of the motivations but also what these hackers are really trying to access. So is it information on-- on how to do the cold storage, which would be intellectual property theft? Or are they trying to disrupt the vaccine distribution process altogether? Because those are two very different scenarios at least in my mind and has very different implications in the long run next year, especially if some of these companies try to get the vaccine out.
NICK ROSSMANN: Absolutely. So once they do get the credentials, right. After the spearphishing emails come, someone puts in accidentally their username and password. The possibilities are open to them either way. We think one possibility could be intellectual property, all of the ways that the cold chain is managed in the refrigeration processes, like you said, that IP.
But we can't rule out the potential for disruption. And in this case, a disruptive attack could cause actual destruction. A ransomware instant against one of these providers could literally unfreeze the vaccine while all computers might be frozen on their IT network.
KRISTIN MEYERS: OK, so I want to, like, just make this so clear for everyone at home, right? One, how likely is it that they could be successful, right? That's the first question to you. And two, if they are, and if they do want to disrupt the vaccine distribution, what you are saying is they could potentially prevent any vaccines from being rolled out. They could shut down the refrigeration to destroy the vaccine altogether or perhaps stall it or demand money. I'm kind of wondering how bad this scenario really can get.
NICK ROSSMANN: So we could see a lot of possibilities. The key thing is, once they get access to the network and start moving around, that's going to be a critical factor, right? And what network is it that they have access to? It could be a small refrigeration company, right? Has a small set of vaccines. The impact might be limited.
But even then, even if the impact of the vaccine unfreezing is on 10,000 vials, the public perception of mistrust could just foment in this. So that could be another objective of the nation states trying to do this as well. So we can't exactly rule out what they could be doing. But once they get those credentials to be on the network, the castle's open everywhere.
KRISTIN MEYERS: I mean, are there possibilities that these attacks could work? I mean, is-- am I naive perhaps in thinking that because we know that it's happening that we're, I guess, a little bit safer? Or is it-- is the threat very much still very real and very high?
NICK ROSSMANN: I think the threat is still very real and high. And I think we see it repeatedly from across all parts of the supply chain, right? So whether you're a biomedical company, you're doing this research at the highest end, a manufacturer organizing PPE, some of these cold chain companies, you're going to be repeatedly hit with these spearphishing emails of someone trying to get in on the network, whether that's a cyber criminal or in the case that we think potentially a nation state. There's adversaries behind they're trying to get access to your network. So you got to take those basic security protocols in place even if you think you're not necessarily a target.
KRISTIN MEYERS: Have the hackers at any point in time demanded anything? I mean, do you guys have a clear picture on what this motive is? Is it to stop the vaccine from being distributed? Is it just to steal intellectual property so another company perhaps from another country can make use of it? I mean, have these hackers asked for money as yet?
NICK ROSSMANN: So we haven't had any indications of that, right, of who-- what specific country it is and what they would be asking for. It's the possibility of all of those options that could be on the table, right, depending on the types of companies they use.
And in this case, Kristin, one other concerning point is-- is the potential for upstreaming. So that could be in a case where they target one organization then to get credentials to another organization that might be higher up the chain. So maybe they target a firm that seems less important in the cold chain, no intent to disrupt that. But they start to do that to increase their access and move up to one that handles refrigeration on a broader scale. So once they're in that network, the possibilities just start to grow.
KRISTIN MEYERS: This is absolutely terrifying to me. Have any of the companies that create the vaccines been targeted? Or is this just for that piece and that portion of the cold storage and the distribution there? Like Pfizer and Moderna, have they been attacked as you know as yet?
NICK ROSSMANN: So-- so what we saw in this targeting was just these organizations with the cold chain. But what I can say is that there are been other public reports indicating that those other pharmaceuticals have potentially been targeted. I think that is one of the key points in the research is those particular types of firms that are really involved in that and all the health care data that they might have on how the vaccine's working. But I think in this case, just circling back, it's the cold chain providers' itself operators that were the targets today.
KRISTIN MEYERS: All right. Well, a terrifying way to end this show towards the end on this Friday. Nick Rossmann, global threat intelligence lead at IBM Security X-Force. Thank you for breaking all of that down.