Date:

Dec 2020

Location:

Summary

A spear-phishing campaign targeted organizations critical to COVID-19 vaccine cold chain logistics, including the European Commission’s Directorate-General for Taxation and Customs Union, alongside energy, manufacturing, and security firms. Attackers impersonated a biomedical executive to harvest credentials for compromising vaccine distribution data, with IBM X-Force assessing the operation's precision and global scope as indicative of potential nation-state involvement. Successful breaches risked disrupting vaccine supply chains across EU member states and other high-value targets, though direct attribution remained unconfirmed.

Description

In September 2020, a large-scale spear-phishing campaign began targeting organizations critical to the COVID-19 vaccine cold chain, including the European Commission’s Directorate-General for Taxation and Customs Union. Attackers sent tailored emails to executives in sales, procurement, IT, and finance roles at these organizations, impersonating representatives of Haier Biomedical, a Chinese cold chain provider affiliated with the Vaccine Alliance’s Cold Chain Equipment Optimization Platform. The campaign expanded beyond individual targets to include organizational support pages, with victims spanning multiple sectors including energy, manufacturing, software, and internet security. IBM X-Force identified the activity in a December 3, 2020 report, noting the operation’s global scope across Germany, Italy, South Korea, the Czech Republic, Taiwan, and broader Europe. The attackers’ objective centered on credential harvesting to facilitate further compromise and intelligence gathering on vaccine distribution logistics. IBM analysts highlighted the campaign’s precision targeting of high-value entities as indicative of potential nation-state tradecraft, emphasizing that the lack of direct financial motivation and the strategic value of vaccine transport data aligned with state-sponsored objectives rather than criminal enterprise.

The campaign’s discovery prompted coordinated warnings from IBM X-Force and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS-CISA), urging cold chain participants in Operation Warp Speed to implement provided indicators of compromise. While the European Commission entity’s compromise status remained unconfirmed, analysts warned that successful breaches could cascade across all 27 EU member states due to its central role. Separately, cold storage firm Americold suffered a November 16, 2020 cybersecurity incident forcing system shutdowns and activation of business continuity plans, though the company did not confirm ransomware or link the attack to its potential COVID-19 vaccine storage role. Industry reports indicated Chicago Rockford Airport had sought partnership with Americold for vaccine storage, while unnamed sources described the incident as ransomware-related. No group claimed responsibility for either the phishing campaign or Americold’s disruption, and no direct operational connection between the two events was established in public reporting.
