Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks

A highly sophisticated malware capable of aggressively spreading within networks is being used in targeted attacks on the biomanufacturing sector. The malware has been named Tardigrade by security researchers, and initial research suggests it may be a variant of SmokeLoader, a commonly used malware loader and backdoor, although SmokeLoader and Tardigrade malware are quite distinct.

The sophisticated nature of the malware, coupled with the targeted attacks on vaccine manufacturers and their partners, strongly suggests the malware was developed and is being used by an Advanced Persistent Threat (APT) actor. The malware was first detected being used in attacks on the biomanufacturing sector in the spring of 2021 when an infection was discovered at a large U.S. biomanufacturing facility. The malware was identified again in an attack on a biomanufacturing firm in October 2021 and it is believed to have been used in attacks on several firms in the sector.

In contrast to SmokeLoader, which requires instructions to be sent to the malware from its command-and-control infrastructure, Tardigrade malware has far greater autonomy and can use its internal logic to make decisions about lateral movement and which files to modify. The malware has a distributed command-and-control network and uses a variety of IPs that do not correspond to a specific command-and-control node. The malware is also metamorphic, which means its code regularly changes while retaining its functionality. That means signature-based detection mechanisms are not effective at identifying and blocking Tardigrade malware.

Tardigrade malware is stealthy and can be used to gain persistent access to victims’ systems for espionage. The malware creates a tunnel for data exfiltration and has been used to prepare systems for further malicious activities such as ransomware attacks. The malware was first detected when investigating what appeared to be a ransomware attack.

An advisory about the malware was issued by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) due to the significant threat the malware poses to the biomanufacturing sector and its partners, with the HHS’ Health Sector Cybersecurity Coordination Center (HC3) also issuing a recent alert about the malware.

BIO-ISAC says all biomanufacturing sites and their partners should assume that they will be targets and should take steps to improve their defenses against this new malware threat. The primary method of malware delivery is believed to be phishing emails, although the malware is capable of spreading via USB drives and can propagate autonomously throughout victims’ networks.

It is important to ensure cybersecurity best practices are followed, such as closing open remote desktop protocols, updating out-of-date operating systems and software, aggressively segmenting networks, implementing multifactor authentication, and ensuring antivirus software capable of behavioral analysis is used on all devices.

BIO-ISAC also recommends conducting a “crown jewels” analysis, which should include assessing the impact of an attack should certain critical devices be rendered inoperable, ensuring offline backups are performed on biomanufacturing infrastructure, testing backups to ensure recovery is possible, providing phishing awareness training to the workforce, inquiring about lead times for procuring critical infrastructure components such as chromatography, endotoxin, and microbial containment systems, and accelerating the upgrade of legacy equipment.

Further information on the Tardigrade malware threat is available from BIO-ISAC and HC3.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.