Lessons Learned from the Vaccine Supply Chain Attack
Like legitimate businesses, threat actors develop strategies and tactics to achieve their goals, and they do so by taking advantage of security weaknesses. Before the December 2020 attack confirmed by Pfizer, BioNTech and the European Medicines Agency, the attackers conducted reconnaissance and then launched a spear-phishing email campaign. Because attackers will "try, try and try again" to get their hands on sensitive data, organizations must get the cybersecurity basics right to improve supply chain protection.
A Top Vulnerability? People
According to , office document phishing skyrocketed during the second half of Q3. Whether in a sensitive situation such as an election or during business as usual, a lack of employee cybersecurity awareness offers attackers a path of least resistance into an organization by phone, text or email. Spear phishing, the highly targeted form of phishing, uses familiar names, words, phrases and calls to action because a recipient is more likely to trust a source that looks familiar.
A click on a malicious link or attachment usually does one of two things: it installs malware that enrols the machine in a botnet, or it drops ransomware directly. A botnet implant gives the attackers remote control of the computer, so they can monitor the environment and gather intelligence in a "slow as you go" way, homing in on the people and systems whose data will command the highest ransom.
From a cybersecurity perspective, phishing turns staff into an insider threat risk. Personnel who are unaware of basic cyber-hygiene are also unaware of the threat they themselves pose.
Impacts on Vaccine Development and Distribution
Successful attacks on supply chains disrupt critical infrastructure by diverting information and tampering with logistics. Ransomware operators target institutions that have the financial resources to pay.
Breaches are financially motivated. A single successful lure aimed at an executive, researcher, scientist, manufacturing line worker, vendor employee or clinic/hospital worker can unintentionally provide a big payday for attackers. As more companies race to mass-produce and distribute vaccines, attackers get more opportunities to cash in.
A breach can affect vaccine viability and who does or does not get the vaccine. If attackers succeed in stealing clinical trial or patient data, they can extort companies willing to pay in the hope of staying out of the news. Stolen credentials can be sold on the dark web and/or used to access R&D information that lets a rival speed up its own vaccine production without the upfront R&D expense.
The Next Phase of the Threat
Attackers continually adapt their techniques, double down on what works and expand their list of targets. For example, hospitals and clinics affiliated with targeted vaccine manufacturers may be subjected to the same tactics for a different purpose: identity theft. Full identities currently sell for between USD 1,500 and 2,000 on the dark web.
Phishing campaigns may also impersonate executives in the vaccine supply chain. An email that appears to come from the CFO, for example, directs someone in finance to transfer a specified sum to an account the attacker controls.
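The CFO lure above has a recognisable shape in the mail headers even before anyone reads the body: an executive's display name on an address the directory does not know, a sender domain one character away from the real one, a Reply-To pointing somewhere else, and urgent payment language. The following is an added example (not code from the article or from any vendor named on the page) that scores a message on those indicators. The corporate domain, the executive directory and both sample messages are constructed for illustration.

```python
"""Added example: header and body checks for the CFO wire-transfer lure.
The executive directory, corporate domain and both messages below are
constructed for illustration; none of it comes from the article."""
import email
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                            # assumed corporate domain
EXECUTIVES = {"dana smith": "dana.smith@example.com"}  # constructed directory

# Constructed lure: lookalike domain (digit 1 for letter l), outside Reply-To,
# urgent payment language in subject and body.
LURE = """\
From: Dana Smith <dana.smith@examp1e.com>
Reply-To: dana.smith.cfo@mail-relay.example.net
To: finance@example.com
Subject: Urgent wire transfer before close of business

Please move 48,500 USD to the account below today and confirm by reply.
"""

# Constructed benign message from the executive's real address.
BENIGN = """\
From: Dana Smith <dana.smith@example.com>
To: finance@example.com
Subject: Q1 budget meeting

Can we move the budget review to Thursday?
"""

PAYMENT_WORDS = ("wire", "transfer", "account", "invoice")


def lookalike(domain, legit):
    """Crude homograph check: same length and at most two differing characters."""
    if domain == legit or len(domain) != len(legit):
        return False
    return sum(a != b for a, b in zip(domain, legit)) <= 2


def bec_indicators(raw):
    """Return the list of indicators suggesting the message impersonates an executive."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []

    # Display name of a known executive, but not the address we have on file.
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr != known:
        findings.append("executive display name with unexpected address")
    # Sender domain that is a near-miss of the corporate domain.
    if lookalike(domain, CORP_DOMAIN):
        findings.append(f"lookalike sender domain: {domain}")
    # Replies would go to a mailbox the attacker controls, not the sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append("reply-to differs from sender")
    # Urgency plus payment vocabulary is the classic BEC combination.
    subject = (msg.get("Subject") or "").lower()
    body = msg.get_payload().lower()
    if "urgent" in subject and any(w in body for w in PAYMENT_WORDS):
        findings.append("urgent payment language")
    return findings


if __name__ == "__main__":
    print("lure:", bec_indicators(LURE))
    print("benign:", bec_indicators(BENIGN))
```

These header heuristics complement rather than replace the SPF, DKIM and DMARC results the receiving gateway records; the lookalike check in particular is deliberately crude and will miss registered domains that differ by more than two characters. The control that actually stops the loss is procedural: any change to payment details is confirmed by a call to a number already on file, never by replying to the email.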
People who attract media attention are likely to be targeted, either professionally or personally. This includes scientists who publish research results or are recognized publicly for scientific breakthroughs, individuals who make substantial donations, or spokespeople who participate in news interviews.
Additionally, with so many people working from home due to COVID-19, another phase of malicious activity will likely target home networks, which are usually the easiest to breach. Here attackers may use a man-in-the-middle tactic to gain access through , eluding anti-virus solutions.
So, what signals malicious activity? The key indicators are unusually large outbound data transfers (possible exfiltration); suspicious emails, phone calls and texts; and network access that is unusual for the requesting user or for the time of day compared with normal patterns. Unusually high DNS query volumes from a single host are another anomaly to watch, since DNS is a common covert channel. The traffic may appear to come from legitimate sources, but analysis often reveals suspicious IP addresses and connections to unexpected foreign geographies.
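Each of those signals is a comparison against a baseline, and the comparison is simple enough to script. The following is an added example (not code from the article or from any vendor it names) that runs the three checks over constructed log records: logins judged against the user's own history and working hours, outbound byte totals per destination, and DNS query volume and name shape per host. All records and thresholds are constructed assumptions, not values from the page.

```python
"""Added example: baselining the three signals named above over constructed
log records (these are not the article's data). Thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed authentication events: (user, source host, UTC timestamp).
AUTH_LOG = [
    ("r.lee", "lab-ws-07", "2020-12-07T09:14:00"),
    ("r.lee", "lab-ws-07", "2020-12-08T10:02:00"),
    ("r.lee", "lab-ws-07", "2020-12-09T08:55:00"),
    ("r.lee", "lab-ws-07", "2020-12-10T17:30:00"),
    ("r.lee", "vpn-gw", "2020-12-13T03:12:00"),  # Sunday, 03:12, never-seen host
]

# Constructed flow records: (source host, destination IP, bytes sent).
NETFLOW = [
    ("lab-ws-07", "203.0.113.10", 12_000),
    ("lab-ws-07", "203.0.113.10", 9_500),
    ("lab-ws-07", "198.51.100.7", 850_000_000),  # ~850 MB to one external IP
    ("fin-ws-02", "203.0.113.10", 20_000),
]

# Constructed DNS queries: (source host, queried name). The lab workstation asks
# for 60 distinct random-looking labels under one parent domain, the classic
# shape of DNS tunnelling; the finance workstation looks normal.
DNS_LOG = [("lab-ws-07", f"{i:032x}.cdn.example.net") for i in range(60)] + [
    ("fin-ws-02", "mail.example.com"),
    ("fin-ws-02", "erp.example.com"),
]


def unusual_logins(records, work_hours=(7, 19)):
    """Flag logins outside working hours, at weekends, or from a host the user
    has never used before (the baseline is that user's earlier records)."""
    seen_hosts = defaultdict(set)
    flagged = []
    for user, host, ts in sorted(records, key=lambda r: r[2]):
        t = datetime.fromisoformat(ts)
        reasons = []
        if not work_hours[0] <= t.hour < work_hours[1]:
            reasons.append("off-hours")
        if t.weekday() >= 5:
            reasons.append("weekend")
        if seen_hosts[user] and host not in seen_hosts[user]:
            reasons.append("new-host")
        seen_hosts[user].add(host)
        if reasons:
            flagged.append((user, host, ts, reasons))
    return flagged


def exfil_candidates(flows, threshold_bytes=100_000_000):
    """Sum bytes sent per (host, destination); totals over the assumed threshold
    are candidates for exfiltration review."""
    totals = Counter()
    for host, dst, nbytes in flows:
        totals[(host, dst)] += nbytes
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


def dns_outliers(queries, min_queries=50, min_unique_ratio=0.9):
    """Per host, flag a high query volume where nearly every name is unique and
    sits under one parent domain. Returns {host: (query count, parent domain)}.
    Taking the last three labels is a crude stand-in for a public-suffix lookup."""
    per_host = defaultdict(list)
    for host, name in queries:
        per_host[host].append(name.lower().rstrip("."))
    out = {}
    for host, names in per_host.items():
        if len(names) < min_queries:
            continue
        unique_ratio = len(set(names)) / len(names)
        parents = Counter(".".join(n.split(".")[-3:]) for n in names)
        parent, share = parents.most_common(1)[0]
        if unique_ratio >= min_unique_ratio and share / len(names) >= 0.8:
            out[host] = (len(names), parent)
    return out


def triage(auth=AUTH_LOG, flows=NETFLOW, dns=DNS_LOG):
    """Run all three checks and return their findings together."""
    return {
        "unusual_logins": unusual_logins(auth),
        "exfil_candidates": exfil_candidates(flows),
        "dns_outliers": dns_outliers(dns),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

The lab workstation trips all three checks, which is the point: no single indicator is conclusive, but the same host appearing in a weekend off-hours login from a new source, an 850 MB transfer to one external address, and a burst of unique DNS names under one domain is the kind of pattern that turns individual log lines into a case for the incident response team.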
How to Strengthen Supply Chain Security
The vaccine supply chain attack reminds us to go back to the basics. Cybersecurity controls that every organization should implement include:
- Security Awareness Training – Everyone in the supply chain needs to understand what they are looking at (or hearing, in the case of voice phishing), to know the potential consequences of acting on a communication from a malicious source, and to know what to do when they encounter a potential threat.
- Data Classification – To protect sensitive data properly, it must be located, labelled, segmented and monitored.
- Access Control – Knowing who is accessing what, when and from where. Recommended solutions include identity and access management (IAM), privileged access management (PAM) and multi-factor authentication.
- Monitoring – Visibility is essential to determine who is connecting to the network and to identify abnormal activity.
- Endpoint Protection – This is one of the least adopted controls. Endpoint protection is critical for onsite and remote workers alike.
- Digital Certificates for Email – Valid, up-to-date certificates for signing email make it harder for attackers to substitute their own certificates or spoof legitimate senders.
- Patch Management – Once inventories of IT and OT assets exist, organizations should assign owners who are responsible for timely updates.
- Routine Scanning – On a weekly or monthly basis, scan gateways, networks and endpoints to identify and fix vulnerabilities.
- Network Segmentation – Separating marketing traffic from finance traffic from OT traffic, and so on, lets the IT team block communications from untrusted IP addresses and limits attackers' lateral movement.
- Managed Detection and Response (MDR) – Logs by themselves are not enough. MDR monitors gateways, networks and endpoints (fixed and mobile) for malicious activity, combining analytics with human analysts to detect and eliminate threats. MDR also includes threat hunting, a proactive way to find and remove intruders and malware.
User Awareness Equals Improved Security
Vaccine supply chains are regulated. Compliance is required, but compliance does not equal security. At the end of the day, an organization's security depends at least as much on people as on technology, which is why user awareness training is a critical component of a multi-layered defence strategy.
When everyone in a supply chain is on high alert, insider threat risk decreases and organizations can more efficiently and effectively identify, react to and remediate spear-phishing and other threats.
Biden’s Supply Chain Intentions Depend on Cybersecurity
In recent years, the United States' supply chain network has faced an onslaught of cyberattacks that have left the global superpower shaken, with a whole portfolio of challenges, risks and vulnerabilities exposed for all to see. From the attack to the that breached companies like Apple, Microsoft, Uber, and Tesla, to the most recent , it is evident that, in an increasingly digital age, cybercriminals fear no traditional governmental powers, and supply chain networks need to take cybersecurity seriously.
Looking back at the height of the COVID-19 pandemic, western nations found themselves ill-equipped to deal with the novel Coronavirus; not due to lack of knowledge or medical inability but because supply chains were in a chokehold and supplies like personal protective equipment (PPE) for frontline workers weren’t being manufactured fast enough.
The Executive Order (EO) of US supply chains to figure out exactly where the vulnerabilities and risks are, to help institutions and organisations manage any future disruption caused by COVID-like events.
The EO focuses on six primary sectors:
- Communications and information technology
- Defence industrial base (DIB)
- Energy and power
- Public health
The listed sectors, as you might expect, are increasingly dependent on digital products and services to maintain daily operations, which increases their exposure to attack, so they need cybersecurity. In fact, cybersecurity should be front and centre as a critical facet of the EO if the federal government truly intends to create a more robust and resilient supply chain in the face of rising criminal activity.
Digitisation Endangers The Nation
When it comes to a globally interconnected supply chain, the ambitions of Biden's administration are potentially a little far-fetched and off the mark. I say that because an overwhelming number of industry-leading organisations, even in the tech realm, still do not feel confident in their ability to deal with the vulnerabilities in their supply chain. Most of those vulnerabilities come not from internal operations but from external ones, in the form of the third parties and suppliers that they collaborate with.
According to the dated but increasingly relevant Marsh Microsoft introduction, “cyber risk has moved beyond data breaches and privacy concerns to sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations, costing the economy billions of dollars and affecting companies in every sector. The hard truth organisations must face is that cyber risk can be mitigated, managed, and recovered from, but it cannot be eliminated.”
The survey results tell a telling tale: third-party providers and supply chain operations external to an organisation are the most likely to be the victim of cyberattacks and potential infiltration.
The survey found a wide discrepancy between how organisations view the cyber risk posed by their supply chain partners and the level of risk they perceive themselves to pose.
This variance is consistent across industry sectors and geographic regions, and the largest organisations exhibited the largest dissonance: 61% of companies with revenues of US$5bn or more said that their supply chain partners pose a risk, whereas only 19% said they themselves pose a risk to the third parties involved.
Low Confidence in 3rd-Party Risk Mitigation Capabilities
The above paints a pretty poor picture of overall supply chain security: a disconnect between large organisations and their suppliers, which could be driven by companies' low confidence in their ability to mitigate the cyber risks posed by their commercial partners. Few companies consider themselves "highly confident" in that area, with only 5-15% of respondents feeling prepared to deal with the cyber risks caused by certain types of third-party providers.
So, given this very obvious knowledge gap, supply chain professionals and organisations, as well as the Biden administration, should call upon their cybersecurity industry peers ─ ─ to take the fight to black-hat cybercriminals.
How Cybersecurity Professionals Can Help
According to Padraic O’Reilly, CPO and Co-Founder of CyberSaint, the success of Biden’s Executive Order is heavily dependent on its stakeholders taking note of lessons from cybersecurity’s supply chain risk management initiatives, including:
- Identifying the main weaknesses along the chain of production, then determining which ones can be fixed cost-effectively and comparing that cost with the cost of the potential impact: find where the holes are and what is worth prioritising.
- Thinking about the supply chain as a cybersecurity practitioner does. Cyber-risk is all about making sense of multiple data sources, and supply chain risk is the same. Don't think about the supply chain as a single entity; rather, consider it as many entities that produce data ripe for deep risk analysis.
- Standardisation across the globally interconnected supply chain is hard, and communication is key. Cyber experts are hot on the topic, as managing risk is exactly what they do. Vulnerabilities and risk are the language they speak. They had been dealing with supply chain security for years before disruptions on the scale of COVID-19 came about.
Cross-sector collaboration, with a strong focus on communication across hierarchical levels, is at the very core of the cybersecurity function. If Biden hopes to see his supply chain initiative succeed, his administration must ensure that efforts are coordinated across agencies, public entities and private industry. The administration must also carefully consider the potential impact of the increased regulation likely to follow the year-long project; it could make or break the initiative across various sectors.
According to O’Reilly:
“The best choice is to rely on standards, measurement, and cross-industry collaboration to make this happen. Other supply chain standards, such as the (CMMC), can serve as models for a data-driven approach.
Without these considerations, we risk a lot of duplicative time, effort, and analysis, only to fail to mitigate cyber-risks and possibly result in yet another supply chain attack. We hope stakeholders will engage the information security community to bolster this project. Leveraging existing analysis by the information security community will matter to its success.”
Adapting To The Unknown
The fact of the matter is, when it comes to the US supply chain, we mostly haven't got a clue. It is a massively interconnected network that represents an ecosystem, one with risks coming from all angles and multiple points of failure. It would be almost impossible to identify every potential risk, as Biden's initiative intends, so, according to O'Reilly, it would be more productive to focus not on sniffing out every single supply chain vulnerability but on advanced persistent threat (APT) incentives:
- What are the low-hanging targets?
- What do criminals want?
- What are they capable of?
“Doing some scenario modelling and talking in probabilities could lead to more informed decisions regarding mitigating risk. NIST 800-30 and the are examples of risk-quantification methods that aim to translate cybersecurity risk into dollars and cents. Understanding supply chain risk requires measurement, strong governance, input from security experts, information sharing, and advances in cyber and IT risk-management software. Instead of logging an APT's activity, start getting a fact pattern about where they may be going”, O’Reilly adds.
So the final point for the Biden administration and organisations that are working on is clear: cybersecurity professionals have an advantage over their peers because they already live to standardise data and they view risk through a lens of complexity and the cost of failure. If the two parties can collaborate effectively, there is a chance that security professionals can finally understand the full extent of the supply chain ecosystem and, with any luck, secure it from future attacks.