Eli Lilly CISO on COVID vaccine suppliers: ‘My biggest concern is their being aware they are a target’

On the heels of IBM's discovery that hackers had targeted the cold storage supply chain for COVID-19 vaccine distribution, Eli Lilly Chief Information Security Officer Meredith Harper said her main worry is that those supporting the vaccine rollout don't recognize the risk.

"My biggest concern is their being aware that they are a target," said Harper Thursday at the Aspen Cyber Summit, on a panel moderated by NPR's Diana Temple Raston.

Harper was not referring to any specific supplier. But at the same panel, FBI assistant director for cyber readiness, outreach and intelligence, Tonya Ugoretz, said the bureau observed nation-state actors attempting to intercede in the COVID-19 vaccine operations at all levels using multiple types of attacks.

The IBM X-Force report, also released Thursday, said that hackers posing as Haier Biomedical attempted to harvest credentials from companies related to the "cold chain" – the storage distribution system for temperature-sensitive vaccines. The companies targeted provided support for the cold storage supply chain platform established by Gavi, the vaccine alliance for which Haier is a legitimate provider.

X-Force has not been able to attribute the attacks or definitively ascertain a motive, though without a clear mechanism to monetize the attacks, researchers believe a national actor is most likely involved.

Ugoretz said, in general, there is a range of potential motives actors have in attacks against the vaccine effort. Among the more widely speculated is a desire to steal intellectual property in an attempt to undermine the credibility of the United States health system.

In that sense, third-party providers may not recognize the risk associated since they do not handle intellectual property, Harper said.

Eli Lily, she said, regularly helps third parties in its supply chain handle information security problems. This year, she said, the number of those incidents increased.

This would not be the first attempt to hack the massive global patchwork of firms involved in vaccine research and distribution. Attacks have already been attributed to China, Russia and North Korea against major firms, including Johnson & Johnson.

"Let's call it an attempted hack, not a hack," said Marene Allison, CISO of Johnson & Johnson at the Aspen Summit panel, noting there is a big difference in cybersecurity between trying and succeeding.

Allison went on to say the biomedical industry has been the target of nation-state hacking since 2010, and has adapted to a baseline level of attacks. There have been more instances since the outbreak of COVID-19, including insider events, which Allison has watched in realtime. A Johnson & Johnson plant in Wuhan, China, quickly saw a 30 percent increase in events after the beginning of the outbreak, she said.

"Will there likely be some kind of attempt? Maybe," she said.

Nonetheless, Allison expressed "full confidence" in the robustness of the point to point security involved in distributing the vaccine, noting that companies regularly face attempts to hijack shipments of controlled substances like morphine.

The vaccine developed by Johnson & Johnson does not require cold storage.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency echoed IBM's warning on Thursday.

In its write up, IBM said the attacks included targets at the "European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation and software and internet security solutions organizations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan."

Indicators of compromise are available in the report.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.