
Cyber Incident Victim: Kraeber & Co

Date: Sep 2020

Location: United States of America

Summary

Attackers impersonated a biomedical company in phishing emails targeting a firm involved in COVID-19 vaccine logistics, Kraeber & Co., using malicious HTML attachments that deployed an ActiveX component to harvest credentials. Stolen login information enabled further infrastructure access attempts to exfiltrate sensitive vaccine research and distribution data, amid broader campaigns against global cold chain organizations attributed to nation-state actors.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

In September 2020, IBM identified a large-scale spear-phishing campaign targeting organizations involved in the COVID-19 vaccine cold chain, the critical system for storing and transporting temperature-sensitive vaccines. Threat actors impersonated Haier Biomedical, a legitimate COVID-19 vaccine supply chain partner and supplier for the CCEOP program, to send fraudulent emails to executives at global organizations specializing in vaccine logistics. Targets included entities headquartered in Germany, Italy, South Korea, the Czech Republic, greater Europe, and Taiwan. The phishing emails aimed to harvest account credentials for subsequent attacks on these organizations' infrastructure.

By December 2020, Cyble researchers observed an evolution of this campaign involving emails masquerading as Haier Biomedical communications with the subject line "Draft of Contract related to the CCEOP and Vaccine Program," specifically targeting German logistics firm Kraeber & Co. These emails contained malicious HTML attachments that prompted recipients to enter login credentials under the pretense of accessing PDF content. Once the recipient enabled the document's security controls, a malicious ActiveX component executed automatically in the background, capturing the entered credentials and transmitting them to attacker-controlled servers via POST requests. This method represented a precision-targeting approach designed to evade detection by security systems.


The compromised credentials provided threat actors potential access to sensitive COVID-19 vaccine research data, cold chain logistics details, and personally identifiable information (PII). IBM and Cyble assessments indicated attackers sought to exploit these breaches to disrupt or steal intelligence related to vaccine distribution networks. Concurrently, DHS CISA issued alerts warning that nation-state actors were conducting similar targeted attacks against cold chain organizations. Separately, Cyble documented dark web marketplace listings advertising stolen COVID-19 medical databases and fraudulent sales of Pfizer/BioNTech vaccines, though the feasibility of shipping ultra-cold-storage vaccines through illicit channels remained unverified. The campaign highlighted threat actors' strategic shift toward exploiting vulnerabilities in vaccine research, storage, and distribution infrastructure during the pandemic. No specific containment measures or operational disruptions at Kraeber & Co were detailed in the available reports.

Sources: 1 source (available to members)