Hackers targeting groups involved in COVID-19 vaccine distribution, IBM warns

By Raphael Satter

WASHINGTON (Reuters) – IBM is sounding the alarm over hackers targeting companies critical to the distribution of COVID-19 vaccines, a sign that digital spies are turning their attention to the complex logistical work involved in inoculating the world’s population against the novel coronavirus.

The information technology company said in a blog post published on Thursday that it had uncovered “a global phishing campaign” focused on organizations associated with the COVID-19 vaccine “cold chain” – the process needed to keep vaccine doses at extremely cold temperatures as they travel from manufacturers to people’s arms.

The U.S. Cybersecurity and Infrastructure Security Agency reposted the report, warning members of Operation Warp Speed – the U.S. government’s national vaccine mission – to be on the lookout.

Understanding how to build a secure cold chain is fundamental to distributing vaccines developed by the likes of Pfizer Inc and BioNTech because the shots need to be stored at minus 70 degrees Celsius (-94 F) or below to avoid spoiling.

IBM’s cybersecurity unit said it had detected an advanced group of hackers working to gather information about different aspects of the cold chain, using meticulously crafted booby-trapped emails sent in the name of an executive with Haier Biomedical, a Chinese cold chain provider that specializes in vaccine transport and biological sample storage.

The hackers went through “an exceptional amount of effort,” said IBM analyst Claire Zaboeva, who helped draft the report. Hackers researched the correct make, model, and pricing of various Haier refrigeration units, Zaboeva said.

“Whoever put together this campaign was intimately aware of whatever products were involved in the supply chain to deliver a vaccine for a global pandemic,” she said.

Messages sent to the email addresses used by the hackers were not returned.

IBM said the bogus Haier emails were sent to around 10 different organizations but only identified one target by name: the European Commission’s Directorate-General for Taxation and Customs Union, which handles tax and customs issues across the EU and has helped set rules on the import of vaccines.

In a statement, the European Commission said it was aware that it had been targeted by a hacking campaign.

“We have taken the necessary steps to mitigate the attack and are closely following and analyzing the situation,” the statement said.

IBM said other targets included companies involved in the manufacture of solar panels, which are used to power vaccine refrigerators in warm countries, and petrochemical products that could be used to derive dry ice.

Who is behind the vaccine supply chain espionage campaign is not clear.

Reuters has previously documented how hackers linked to Iran, Vietnam, North Korea, South Korea, China, and Russia have on separate occasions been accused by cybersecurity experts or government officials of trying to steal information about the virus and its potential treatments.

IBM’s Zaboeva said there was no shortage of potential suspects. Figuring out how to swiftly distribute an economy-saving vaccine “should be topping the lists of nation states across the world,” she said.

(Reporting by Raphael Satter; editing by Grant McCool and Rosalba O’Brien)

Big U.S. companies form group to boost hiring of minorities in New York

By Kanishka Singh

(Reuters) – Leaders from major U.S. companies, including banks and tech giants, have formed a group aimed at increasing the hiring of individuals from minority communities in New York.

The New York Jobs CEO Council, which counts chief executives from 27 firms among its members, aims to hire 100,000 people from low-income Black, Latino and Asian communities by 2030.

Jamie Dimon, chief executive of JPMorgan Chase & Co, IBM CEO Arvind Krishna and Accenture CEO Julie Sweet will co-chair the group.

Other companies in the group include Amazon.com Inc., Google, Microsoft Corp. and Goldman Sachs, according to a press statement.

U.S. companies have been under increasing pressure to do more to provide minority groups with access to opportunities in the wake of anti-racism protests sparked by the death of a 46-year-old African-American man, George Floyd. Floyd died in May after a white police officer knelt on his neck for nearly nine minutes.

The protests also came as minorities were disproportionately represented in coronavirus deaths, and lower-income communities in the United States were hit hard economically.

“Today’s economic crisis is exacerbating economic and racial divides and exposing systemic barriers to opportunity,” Dimon said in an opinion piece in the Wall Street Journal on Monday, adding that often high-achieving people across New York were not given opportunities at the city’s top employers.

“Young people in low-income and minority communities feel this failure the most. Unless we actively work to close the gap, COVID-19 will make matters worse,” said the opinion piece, which was co-authored with Félix V. Matos Rodríguez, the chancellor of the City University of New York.

(Reporting by Kanishka Singh in Bengaluru; Editing by Edwina Gibbs)

New genre of artificial intelligence programs takes computer hacking to another level

By Joseph Menn

SAN FRANCISCO (Reuters) – The nightmare scenario for computer security – artificial intelligence programs that can learn how to evade even the best defenses – may already have arrived.

That warning from security researchers is driven home by a team from IBM Corp. who have used the artificial intelligence technique known as machine learning to build hacking programs that could slip past top-tier defensive measures. The group will unveil details of its experiment at the Black Hat security conference in Las Vegas on Wednesday.

State-of-the-art defenses generally rely on examining what the attack software is doing, rather than the more commonplace technique of analyzing software code for danger signs. But the new genre of AI-driven programs can be trained to stay dormant until they reach a very specific target, making them exceptionally hard to stop.

No one has yet boasted of catching any malicious software that clearly relied on machine learning or other variants of artificial intelligence, but that may just be because the attack programs are too good to be caught.

Researchers say that, at best, it’s only a matter of time. Free artificial intelligence building blocks for training programs are readily available from Alphabet Inc’s Google and others, and the ideas work all too well in practice.

“I absolutely do believe we’re going there,” said Jon DiMaggio, a senior threat analyst at cybersecurity firm Symantec Corp. “It’s going to make it a lot harder to detect.”

The most advanced nation-state hackers have already shown that they can build attack programs that activate only when they have reached a target. The best-known example is Stuxnet, which was deployed by U.S. and Israeli intelligence agencies against a uranium enrichment facility in Iran.

The IBM effort, named DeepLocker, showed that a similar level of precision can be available to those with far fewer resources than a national government.

In a demonstration using publicly available photos of a sample target, the team used a hacked version of video conferencing software that swung into action only when it detected the face of a target.

“We have a lot of reason to believe this is the next big thing,” said lead IBM researcher Marc Ph. Stoecklin. “This may have happened already, and we will see it two or three years from now.”

At a recent New York conference, Hackers on Planet Earth, defense researcher Kevin Hodges showed off an “entry-level” automated program he made with open-source training tools that tried multiple attack approaches in succession.

“We need to start looking at this stuff now,” said Hodges. “Whoever you personally consider evil is already working on this.”

(Reporting by Joseph Menn; Editing by Jonathan Weber and Susan Fenton)

IBM urged to avoid working on ‘extreme vetting’ of U.S. immigrants

By Dustin Volz

WASHINGTON (Reuters) – A coalition of rights groups launched an online petition on Thursday urging IBM Corp to declare that it will not develop technology to help the Trump administration carry out a proposal to identify people for visa denial and deportation from the United States.

IBM and several other technology companies and contractors, including Booz Allen Hamilton, LexisNexis and Deloitte [DLTE.UL], attended a July informational session hosted by immigration enforcement officials that discussed developing technology for vetting immigrants, said Steven Renderos, organizing director at petitioner the Center for Media Justice.

President Donald Trump has pledged to harden screening procedures for people looking to enter the country, and also called for “extreme vetting” of certain immigrants to ensure they are contributing to society, saying such steps are necessary to protect national security and curtail illegal immigration.

The rights group said the proposals run counter to IBM’s stated goals of protecting so-called “Dreamer” immigrants from deportation.

Asked about the petition and whether it planned to work to help vet and deport immigrants, an IBM spokeswoman said the company “would not work on any project that runs counter to our company’s values, including our long-standing opposition to discrimination against anyone on the basis of race, gender, sexual orientation or religion.”

The petition is tied to a broader advocacy campaign, also begun Thursday, that objects to the U.S. Immigration and Customs Enforcement’s (ICE) Extreme Vetting Initiative.

In an Oct. 5 email seen by Reuters, Christopher Padilla, IBM’s vice president of government affairs, cited the company’s opposition to discrimination in response to an inquiry about the vetting program from the nonprofit group Open Mic.

Padilla said the meeting IBM attended was only informational and it was “premature to speculate” whether the company would pursue business related to the Extreme Vetting Initiative.

Booz Allen Hamilton, LexisNexis and Deloitte did not immediately respond when asked about the campaign, which also highlighted their attendance at the July meeting.

ICE wants to use machine learning technology and social media monitoring to determine whether an individual is a “positively contributing member of society,” according to documents published on federal contracting websites.

More than 50 civil society groups and more than 50 technical experts sent separate letters on Thursday to the Department of Homeland Security saying the vetting program as described was “tailor-made for discrimination” and contending artificial intelligence was unable to provide the information ICE desired.

Opponents of Trump’s policies ranging from immigration to trade have been pressuring IBM and other technology companies to avoid working on proposals in these areas from the Republican president’s administration.

Shortly after the presidential election last year, for example, several internet firms pledged that they would not help Trump build a data registry to track people based on their religion or assist in mass deportations.

IBM is among dozens of technology companies to join a legal briefing opposing Trump’s decision to end the “Dreamer” program that protects from deportation about 900,000 immigrants brought illegally into the United States as children.

“While on the one hand they’ve expressed their support for Dreamers, they’re also considering building a platform that would make it easier to deport them,” Renderos said.

CREDO, Daily Kos, and Color of Change also organized the petition.

(Reporting by Dustin Volz in Washington, additional reporting by Salvador Rodriguez in San Francisco, Editing by Rosalba O’Brien and David Gregorio)