I don't have a blog or presume that anyone would be interested enough to read it on the regular, so please indulge me with a dreaded Tweet thread 🙏🏻 Please note I don't want to point the finger at the authors, who were researching as part of their job 2/n
However, as this has hit the news cycle and it has the risk of unduly concerning related parties (yes, RFIs were incoming), I think it's important to point out some apparent biases that has rendered the conclusion of this piece flawed 3/n
The first bias is attentional bias¹. News reports suggested a team was set up to look for COVID-related threats, and the sender domain of these attacks was related to medical research, so it will be instantly self-selecting 4/n
__
¹ https://en.wikipedia.org/wiki/Attentional_bias
This is ok sometimes, and in fact I was actually looking into this before the news broke because some very weak TTP indicators started niggling at me as being possibly connected to actors in my mission area. But, you are already writing your own narrative before you start 5/n
Detecting some suspicious activity, the researchers appear to have collected more data that pointed towards some sort of specific targeting of medical organizations, leading to anchoring¹ 6/n

__
¹ https://en.wikipedia.org/wiki/Anchoring_(cognitive_bias)
The data likely used is all available on a well known malware scanning service, and at first view does look to cluster fairly interestingly. However, despite frequency illusion¹ the result set is quite small 7/n

__
¹ https://rationalwiki.org/wiki/Frequency_illusion
This is sufficient to induce confirmation bias¹ to support the conclusion that this is indeed an attack relating to medicine in some way. This is amplified by an email subject line directly referencing COVID vaccines 8/n

__
¹ https://en.wikipedia.org/wiki/Confirmation_bias
From here, an interesting narrative can be built around a hypothesis of cold storage supply chain attacks via illusory correlation¹, with outliers like energy gen being explained that they could be used in cooling 9/n

__
¹ https://en.wikipedia.org/wiki/Illusory_correlation
However, if further research was done on similar instances of the phishing kit, it would be revealed that activity is far broader,¹ even when selecting for the specific sender domain with an interesting name 10/n

__
¹ https://en.wikipedia.org/wiki/Insensitivity_to_sample_size
Ultimately, this has resulted in a headline grabbing report that a number of media outlets have picked up with apparently little verification, as COVID vaccines are a hot topic right now. However, nothing suggests that this activity is anything more than criminal phishing 11/n
What more could have been done in this case? Certainly, research looking to disprove hypothesis would be valuable. I found several clusters using the same kit, and while it could be a targeted actor using commodity tools, more digging should have been performed 12/n
You need to understand the limits of your visibility and ideally either be honest about that, or seek further sources that allow you to test your conclusion. It's really helpful if you have external peers with other data sets. This activity is really broad. 13/n
Even within this cluster, there are tens more related URLs and domain names associated with this activity that aren't included in the report. This is actually quite interesting but doesn't point to vast operational resources being used 14/n
What about the "targeted" nature of the emails? Yes, they were detailed, but anyone spending time looking at BEC scams will be able to point to some real social engineering gems. A few minutes of research shouldn't be confused with nation state 15/n
Don't also assume you know the end state of an attack immediately. The authors couldn't imagine how getting credentials could lead to cash out, and therefore assumed targeted action. This ignores huge profit generation from big game hunting ransomware, for example 16/n
It's clear that a potential campaign against organizations related to a hot topic is great marketing fodder. The lack of analytical rigour in the research is worrying, but I'm really disappointed at the journalists who threw out column inches with apparently no verification 17/n
Now this "campaign" is COVID cyber attack dogma, more time won't be spent correcting the record, and we have similar organizations concerned that they are being specifically targeted. This is not good intel practice and reflects poorly on the industry 18/n
I'm also bemused that @CISAgov would push out a press release¹ pointing to this piece without apparent verification. I'm totally willing to be shown this is notable activity, but I doubt that it's the case 🤷🏻‍♂️ 19/19

__
¹ https://us-cert.cisa.gov/ncas/current-activity/2020/12/03/ibm-releases-report-cyber-actors-targeting-covid-19-vaccine-supply