BIO-ISAC: Beware of Tardigrade Attacks on BiomanufacturersOrganization: 'Highly Targeted' Malware Used to Launch Ransomware, IP Theft
The Bioeconomy Information Sharing and Analysis Center is warning vaccine makers and other biomanufacturers of escalating threats involving Tardigrade malware, which experts say is used to launch ransomware and other potentially serious attacks.
BIO-ISAC, in an advisory issued on Nov. 22 and updated this week, says Tardigrade is an advanced persistent threat for attacks involving ransomware preparation, intellectual property theft and more.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center on Nov. 23 issued a similar alert about Tardigrade based on the BIO-ISAC advisory.
"At this time, biomanufacturing sites and their partners are encouraged to assume that they are targets and take necessary steps to review their cybersecurity and response postures," BIO-ISAC says in a statement.
Charles Fracchia, a co-author of the BIO-ISAC advisory and CEO and founder of BioBright, a biomedicine data informatics technology firm, calls Tardigrade "a very serious threat" to the bioeconomy.
"It reveals both the high level of vulnerability that exists across the field, and it also lays bare the advanced nature of actors and threats that are being levied in the field," he says. "Every biopharma and bioeconomy company needs to pay attention to these threats and recognize that they are potentially under attack."
Tardigrade at its core is a metamorphic loader, Fracchia says. "The closest relative we know - but still quite distinct - is SmokeLoader."
Tardigrade's primary attack vectors includes phishing, USB, files and "network autonomously," BIO-ISAC says in the advisory. "The main role of this malware is still to download, manipulate files, send main.dll library if possible, deploy other modules and remain hidden," the advisory says.
The malware's goals include "espionage, tunnel creation, and carry a bigger payload."
Tardigrade has been involved in several attacks on bioeconomy companies over the past several months, including a cyberattack in the spring of 2021 on an unnamed large biomanufacturing facility, BIO-ISAC says.
"Through the subsequent investigation, a malware loader was identified that demonstrated a high degree of autonomy as well as metamorphic capabilities. In October 2021, further presence of this malware was noted at a second facility."
Tardigrade appears to be "a significant threat" to the biotech firms because the malware is highly targeted, and highly sophisticated, says Erick Galinkin, principal artificial intelligence researcher at security firm Rapid 7.
"The malware has lateral movement capabilities that are autonomous and feature a degree of nondeterminism, making detection more challenging," he says.
"The malware also uses a distributed command-and-control network, varying IPs that do not correlate to a specific command-and-control node."
Also concerning is that Tardigrade malware appears to be a variant of the SmokeLoader family, Galinkin says. "SmokeLoader is a well-known and fairly generic backdoor that has been used in campaigns ranging from APTs to commodity malware since at least 2014," he says.
According to Galinkin, SmokeLoader is used as a first-stage malware in an attack and downloads commodity ransomware or banking Trojans.
"Tardigrade appears to be a sophisticated version of SmokeLoader that incorporates metamorphism - that is, the code mutates but remains logically equivalent, making signature-based detections challenging," he says
Fracchia says BIO-ISAC is not identifying the specific actors suspected of being involved with Tardigrade.
"All we are saying at this stage is that the actor/actors involved are highly advanced, likely the top-level actors."
The types of biomanufacturing and other bioeconomy companies at risk "are distributed all over the world," he says.
Tardigrade's tactics, techniques and procedures should be on the radar of biomanufacturing and related organizations' security teams, says Megan Stifel, chief strategy officer at the Institute of Security and Technology, a nonprofit coalition.
"Working quickly to address the vulnerabilities and poor security practices that were exploited and the basic practices we know ransomware actors leverage - phishing, poor multifactor authentication implementation, open remote desk protocols, etc. - must be addressed, yesterday," she says.
"Organizations involved in pandemic response are prime targets for ransomware because the actors know society depends on these companies maintaining operations, making them likely to pay, and especially if they are underfunded on cybersecurity, which frustratingly is far too many."
Fracchia says it is particularly important that companies review and test the network segmentation at their organizations.
BIO-ISAC also recommends that bioeconomy organizations:
- Work with biologists and automation specialists to create a "crown jewels" analysis for their companies. That includes assessing the impact if certain machines are inoperable and how long it would take to recertify affected instruments.
- Test and perform offline backups of key biological infrastructure.
- Inquire about lead times for key bioinfrastructure components, including chromatography systems, as well as endotoxin and microbial contamination systems.
- Use antivirus with behavioral analysis capabilities.
- Emphasize phishing awareness training for the workforce, especially key employees who are likely targets for social engineering phishing scams.
- Accelerate upgrade paths for key instruments and aggressively segment legacy equipment running outdated operating systems.
In its advisory, HHS' HC3 recommends that biotechnology companies specifically, as well as healthcare and public health sector organizations, carefully review the BIO-ISAC report and take appropriate action to protect their information infrastructure against the spread of Tardigrade.