By Mark Bruno
In June 2017, Ukraine was the recipient of an absolutely devastating cyber-attack. The attackers, allegedly the Russian state-sponsored hacking group known as Sandworm, deployed a formidable ransomware worm known as “NotPetya.” Most public infrastructure and a massive portion of Ukraine’s private sector were brought to their knees by this weapon. The entirety of the nation’s healthcare system had to go offline, crippling any ability to get effective and timely healthcare to an unknown number of citizens.
As cyberwarfare knows no borders, the NotPetya worm spread to several major multinational corporations. Among them were Maersk, the largest shipping company in the world, and Merck, the American vaccine manufacturer, despite neither company being the worm’s intended target. In 2021, with a backed-up supply chain and a global need to support COVID-19 vaccine rollouts, the implications of a similar attack could include widespread loss of life. The very nature of the world’s response to the pandemic has required quick and reliable access to niche supply networks, efficiently allocated healthcare resources, and easy public access to accurate information. This renders the current global effort extremely vulnerable to internet-based attacks and raises a grim new possibility for the damage that can be done with cyberweapons.
The Fragility of Cold Chain Logistics
Cold chain, the niche supply network designed to move items that are temperature-sensitive, has proven to be vulnerable to cyber-attacks since the earliest days of COVID-19 vaccine development. A number of vaccines, including most influenza shots and the mRNA-based COVID-19 jabs, must be stored and transported at low temperatures. This is a massive feat of scale, considering that the World Health Organization is hoping to deliver 11 billion COVID-19 vaccines worldwide by next summer. Given the delicate nature of the cold chain, its importance, and the expense it takes to maintain, it presents an enticing target to threat actors.
In December of last year, IBM’s Security X-Force announced that they had uncovered a massive global phishing campaign against The Gavi Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP). The CCEOP is a public-private partnership developed to promote global vaccine distribution primarily in developing countries. The campaign attempted to spear-phish credentials from high-level employees at businesses associated with Gavi’s CCEOP program in at least six countries. The report does not name any entity specifically, but asserts that the precise nature of the attack was indicative of a state-sponsored actor.
The idea that this could be a threat actor with the capabilities of a government behind them is troubling. There are no firm rules at the moment as to what constitutes an act of war in the cyberspace realm. Many definitions of the term “cyber warfare” assert that it is when one nation attacks the critical infrastructure of another. However, when critical infrastructure in so many nations is reliant on the private sector, corporate-government partnerships, and various international bodies, when does an attacker meet that threshold of an “act of war?” Gavi’s CCEOP and the attacks discovered by X-Force demonstrate a prime example of such a conundrum.
Holding Healthcare Systems Ransom
Another way that hackers have become increasingly threatening during the COVID-19 pandemic has been the outright attacks taking place on hospitals and healthcare infrastructure. The increased pressure on healthcare systems from treating COVID-19 patients has come with a marked increase in the amount of cyber-crime directed at that infrastructure. Threat actors often choose ransomware attacks against such institutions.
A ransomware attack is when malware that has made its way onto a system encrypts all of a computer’s files, making them completely unusable. The attackers then demand payment for the decryption key. While extremely common, ransomware can in some cases be altered so that the system cannot be recovered even if a ransom is paid. Such an alteration was a component of the NotPetya cyber weapon.
In May, Ireland’s public healthcare service, the Health Service Executive, announced that it had sustained two ransomware attacks. Ireland was forced to temporarily shut down the entirety of its Health Services’ IT systems. The Irish government claimed that they paid no ransom to the attackers, with the consequences being a week of backed up emergency rooms, an inability to process COVID-19 PCR tests, and workers being forced to use an entirely on-paper system.
A similar incident took place in Lazio, Italy, this time specifically targeting the government’s vaccine appointment system. It prevented nearly six million citizens from booking their injections. After the initial announcement, Lazio’s governor followed up by saying that the attacks were ongoing and of a “terrorist nature,” but did not elaborate as to whether or not a specific organization was implicated. The attacks came from outside of the country and also utilized ransomware.
It’s critical to note that these incidents, by directly impeding individuals’ access to treatment and preventative medicine, are risking those individuals’ lives. Cyber criminals bet on this realization, in the hopes that they’ll be able to monetize their ransomware. This also means that they are willing to gamble with innocent lives, and one can reasonably assume that they have been indirectly responsible for a number of deaths in this way.
Being a novel illness, COVID-19 is still the subject of rapidly accumulating information. Suggested treatments, countermeasures to slow its spread, and research on its mutations and symptoms have all required rapid delivery to both authorities and the public. This has rendered social media and internet communication both a major strength and a serious liability to any unified global response, because the nature of today’s internet provides a platform for disinformation as readily as for scientific findings. Disinformation has certainly claimed lives throughout the course of the pandemic. Distrust in vaccines and expert recommendations continues to propagate on every social media platform, despite the current efforts of Facebook and Twitter.
One way that disinformation replicates is through the manipulation of stolen data. This gives the disinformation the apparent credibility of an authoritative source, while allowing the attacker to craft their narrative. These attacks also send clear threats to the organizations from which the information was stolen. In December of 2020, the Netherlands-based European Medicines Agency (EMA) became the victim of such a data breach, and the investigation is still ongoing. According to the EMA, the hackers stole digital correspondence documents and manipulated them in a way “that could undermine trust in vaccines.” An analysis of the incident by Switzerland’s CyberPeace Institute stated that, “The targeted nature of the attack and manipulated leak hints towards a state-sponsored cyber-enabled information operation that could potentially undermine the reputation of Comirnaty [the BioNTech/Pfizer vaccine], both globally and regionally. In turn, this could give rival vaccines a competitive edge in states’ soft power bid of ‘vaccine diplomacy’ as well as impede the pandemic response in the EU as part of a greater Infodemic.”
An Honest Threat Assessment
It’s important to note that while the pandemic didn’t necessarily bring with it any specific, new cyber warfare tactics, it is the world itself that has become more vulnerable. COVID-19 has tested the limits of our world’s systems in a way that would make a tool such as the NotPetya cyberweapon absolutely devastating.
ICUs and emergency rooms all over the world are pushed to capacity, despite the now-plentiful availability of vaccines in many nations. Should the mobility of those vaccines be reduced through an interruption to the cold chain or if patients are unable to secure their vaccine appointments, how many millions more will require such hospitalizations? If those hospitals’ internal networks go down across a continent, how many patients could potentially die waiting for treatment? How many people have been convinced, through any number of disinformation efforts, to refuse, or even just hesitate to be vaccinated? Is there ever going to be a way to tell just what that death toll could be?
There are a number of long-established cybersecurity best practices that would reduce the harm generated by the threats outlined in this analysis. Many of those practices, however, require an engaged public and a non-complacent security culture among our institutions. As with any security policy, this must begin with an honest threat assessment.
About the author: Mark Bruno
Mark Bruno is a non-commissioned officer in the United States military, where he serves as a Combat Medic and a Public Affairs Representative. He is currently a Master’s Student of Information Assurance at the University of Maryland’s Global Campus, and holds a Bachelor of Science in Communication. Aspiring to a career in Conflict Journalism, his areas of security interest are in military medicine, information security, and weapons technology.
Any analysis or views expressed in this article are personal and do not represent any positions or policies of the US Department of Defense.