Last month, a threat intelligence task force created by IBM Security X-Force uncovered a global phishing campaign targeting organisations associated with a COVID-19 cold chain. This component of the vaccine supply chain ensures the safe preservation of vaccines in temperature-controlled environments during their storage and transportation. The phishing attack worked like this: The adversary impersonated a business executive from Haier Biomedical, a member company of the COVID-19 vaccine supply chain and qualified supplier for the Gavi vaccine alliance's Cold Chain Equipment Optimisation Platform (CCEOP) programme. Disguised as this employee, the adversary sent phishing e-mails to organisations believed to be material support providers to meet transportation needs within the COVID-19 cold chain.
In a subsequent blog post, Claire Zaboeva, Senior Strategic Cyber Threat Analyst at IBM, assessed that the purpose of the campaign may have been to harvest credentials, possibly to gain future unauthorised access to corporate networks and to sensitive information related to COVID-19 vaccine distribution. The campaign started in September 2020, spanned six countries and targeted organisations likely associated with Gavi, the global vaccine alliance, and the CCEOP programme.
India is not among those six countries, but that does not mean the country's digital vaccine delivery and distribution (VDD) infrastructure, the backbone of its national COVID-19 vaccination plan, is safe. The key to the success of the pan-India COVID-19 vaccination drive, scheduled to be launched by Prime Minister Narendra Modi on January 16, will be the cybersecurity framework India has readied, experts say.
"The fears are not misplaced. In 2020, Indian firms' digital architecture has been put to the test by many hacker groups. Last month, IBM's cybersecurity arm notified the United States Department of Homeland Security about the possibility of a sophisticated state-sponsored attack on government organisations involved in vaccine delivery across the globe," says Supratim Chakraborty, Partner, Khaitan & Co.
According to him, alongside these well-coordinated attacks, there have also been many instances of small groups or individuals looking to extract data or money from unsuspecting citizens and organisations through phishing and malware attacks. "This has prompted firms across India to focus on onboarding specialised cyber security specialists or teams to guard against external attacks as well as internal leaks through unsuspecting employees," he says, adding that "the good news, however, is that these are not novel threats."
India also has a national agency for dealing with cyber security threats. The Indian Computer Emergency Response Team (CERT-In), within the Ministry of Electronics and Information Technology, is the national nodal agency for responding to computer security incidents and is mandated to strengthen the security of India's internet domain.
GV Anand Bhushan, Partner at Shardul Amarchand Mangaldas & Co, says that the tense situation with China and Pakistan last year saw a sudden spike in the number of cyber-attacks. Going by past trends, he sees a high possibility of attacks on the players involved in the VDD infrastructure, taking the form of ransomware, malware, phishing or attempts to steal confidential information. He wants the government to ensure that an over-arching cybersecurity framework is implemented to prevent such attacks.
"It is absolutely critical for the government to ensure, with the assistance of CERT-In, that it has a foolproof Crisis Incident Response Plan in place that clearly lists down the strategy to be adopted in case of a cyber-security incident," he says.
The CoWIN (Covid Vaccine Intelligence Network) app may also need to be shielded from cyber attacks. Ram Seethepalli, CEO, Cyberior by Europ Assistance India, points out that the entire ecosystem for CoWIN was conceptualised by the Indian government in the last two to three months.
"While it has not yet been rolled out for all the citizens, we expect the technology infrastructure to resemble that of our election voting systems. The AarogyaSetu app was a major success in terms of adoption, but being an information-only app, the implications of cybersecurity lapses aren't as huge as they could be with CoWIN. The technology rollout should have ideally begun along with physical inventory stock-taking as that would have given time to prepare for all situations and better readiness," Seethepalli says.
According to Seethepalli, the robustness of the security framework around the platform deployed will depend a lot on the public-private partnerships that evolve in the coming days. "Due to the rapid requirement for prototyping and development, the responsibility lies on partners to ensure that no corners are cut and that the systems aren't susceptible to dangerous threats such as hacking from foreign state and rogue actors that wish to target the data of citizens and also potentially disrupt the entire vaccination process," he says.
Seethepalli points out that there are already many fake versions of the CoWIN app, and the government has warned citizens against downloading them or sharing any information with them. "As a country with over a billion people, we mustn't be in a situation where the vaccinated citizens' data is not only hacked but also erased, thus rendering a chunk of the population as unvaccinated. Another scenario of duplication could lead to the opening up of a huge black market for the vaccine. Pandemonium could ensue and may significantly derail the objective and the government's recovery efforts," he cautions.
While each expert has their own recommendations, IBM Security X-Force has some tips for organisations to increase their cyber readiness amid the risks outlined in its blog:
- Create and test incident response plans
- Share and ingest threat intelligence
- Assess third-party ecosystem for potential risks
- Apply a zero-trust approach to your security strategy
- Use Multifactor Authentication (MFA) across the organisation
- Conduct regular e-mail security awareness training
- Use Endpoint Protection and Response tools