The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) issued a threat advisory about a threat actor actively targeting large biomanufacturing organizations with a new payload dubbed Tardigrade malware.
The new malware strain has been active since spring 2021 and remains undetected for extended periods while continuously exfiltrating data.
BIO-ISAC’s security researchers suggested that Tardigrade malware was deployed for cyber espionage or to disrupt biomanufacturing processes.
They named the variant after the microscopic organism that can survive extreme heat and cold, high pressure, radiation, and vacuum.
Tardigrade malware compiles in memory and survives without a C2 server
According to BIO-ISAC researchers, Tardigrade malware is a metamorphic variant of Smoke Loader delivered through USB or online phishing.
They explained that Smoke Loader acts as the initial entry point before downloading additional Tardigrade malware payloads. Smoke Loader has been active since 2011 and has been used in cryptocurrency mining campaigns.
BIO-ISAC suggests that Tardigrade’s main objectives were to maintain persistence, stage ransomware attacks, and conduct intellectual property theft. Tardigrade is also compatible with Conti, Ryuk, and Cobalt Strike. The organization also suggested that Tardigrade malware targets biomanufacturing organizations based on public or news activity.
However, Advanced Intel’s Vitali Kremez described Tardigrade’s dropper as a “Cobalt Strike HTTP beacon crypted with a typical Conti ransomware group crypter.”
The biodata integration firm BioBright also noted that Tardigrade malware won’t run unless in specific environments, suggesting that it was tailored for biomanufacturing facilities. The firm also noted that although similar to SmokeLoader, Tardigrade offered advanced features and customization options. According to BioBright, Tardigrade also functions like a keylogger and a trojan allowing attackers to engage in any malicious activity on the host network.
BioBright’s chief medical officer and BIO-ISAC member Ed Chung noted that Tardigrade malware was still evolving and security researchers were still learning about it. However, he insisted on the need for disclosures to create awareness of the highly evasive malware variant. BioBright researchers warned that the Tardigrade malware could shut down a biomanufacturing facility by causing network outages leading to millions in losses daily.
Meanwhile, BIO-ISAC’s researchers noted that Tardigrade malware employs advanced cloaking techniques. They discovered that it could survive without command-and-control servers (C2) while still propagating across the compromised networks. The malware achieves this functionality by leveraging internal logic for network propagation and determining which files to compromise.
Additionally, Tardigrade malware can compile in memory without leaving a consistent digital signature, which makes it difficult to track. Consequently, fewer than half of the antivirus engines on virustotal.com detect the variant.
Highly advanced malware
Tardigrade’s impressive cyber espionage capabilities suggested that an advanced or nation-state threat actor could be behind the biomanufacturing malware.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, noted that nation-state hackers often masquerade as ransomware gangs to prevent attribution.
“This provides fantastic cover to nation-state actors looking to use that information for intelligence or industrial espionage purposes. The targeting of vaccine makers could indicate that this attacker sought to steal information about the vaccine development and manufacturing process, an attempt to disrupt production from an adversarial nation-state or both.”
Similarly, the researchers described the malware operator as a well-funded advanced persistent threat actor. They observed that the threat actor employed tactics similar to those of a Russian APT. Russia and China were accused of various intellectual property theft attempts related to biotechnology, especially in the COVID-19 vaccine research.
“It’s almost lost in the shuffle as vaccine manufacturers race to develop and certify coronavirus vaccines and boosters, but these enterprises are also being hit with malware attacks designed to cripple manufacturing systems, steal intellectual property, and install ransomware,” said Saryu Nayyar, CEO at Gurucul. “This malware, called Tardigrade, turns out to be highly sophisticated, adapting to its environment, escalating privileges, and able to make decisions without a command-and-control server.”
How to protect biomanufacturing facilities from Tardigrade malware
BIO-ISAC advises biomanufacturing facilities to assume that they have been compromised and initiate the cyber response process.
The organization advised bioeconomic facilities to ensure proper network segmentation between corporate, operational, and guest networks. Additionally, they should maintain offline backups of crucial biological infrastructure, create a “crown jewels” analysis for their facilities, and inquire about lead times for key bio-infrastructure components.
Similarly, they should use antivirus software with behavioral threat detection, train biomanufacturing employees on phishing attacks, and create upgrade paths for key instruments relying on outdated operating systems.
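The segmentation advice above is only useful if it is verified against what actually crosses the network. The following is an added example, not code from BIO-ISAC or from this article: a small audit script that assigns addresses to corporate, operational and guest zones and flags any cross-zone flow that is not on an explicit allow list. The zone address ranges, the allow list and the flow log format are constructed for the example and would be replaced by a facility's own addressing plan and firewall or NetFlow export.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout for this example (hypothetical; substitute your own ranges).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "operational": ipaddress.ip_network("10.20.0.0/16"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
}

# Explicitly allowed cross-zone flows as (source zone, destination zone, destination port).
# Anything not listed here is reported as a segmentation violation.
ALLOWED = {
    ("corporate", "operational", 443),  # hypothetical: corporate clients to an OT web front end
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Return the zone name for an address, or 'unknown' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<src_ip> <dst_ip> <proto>/<dport>'."""
    src, dst, service = line.split()
    proto, port = service.split("/")
    return Flow(src, dst, int(port), proto)


def check_flow(flow: Flow):
    """Return (flow, src_zone, dst_zone) for a cross-zone flow not on the allow list, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for a segmentation check
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return None
    return (flow, src_zone, dst_zone)


def find_violations(lines):
    """Run the check over a list of flow records and return every violation."""
    return [v for v in (check_flow(parse_flow(l)) for l in lines if l.strip()) if v]


# Constructed sample flow records (not real traffic).
SAMPLE_LINES = [
    "10.10.4.21 10.10.4.50 tcp/445",      # corporate -> corporate: intra-zone, ignored
    "10.10.4.21 10.20.1.5 tcp/443",       # corporate -> operational on 443: allowed
    "192.168.50.12 10.20.1.5 tcp/445",    # guest -> operational SMB: violation
    "10.20.1.5 10.10.4.21 tcp/445",       # operational -> corporate SMB: violation
    "10.10.4.21 10.20.1.7 tcp/3389",      # corporate -> operational RDP: violation
]

if __name__ == "__main__":
    for flow, src_zone, dst_zone in find_violations(SAMPLE_LINES):
        print(f"VIOLATION {src_zone} -> {dst_zone}: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Running the script on the sample records reports the three flows that cross a zone boundary without an allow-list entry, including the operational-to-corporate one, which is the direction a compromised instrument network would use to reach back into the business network. Feeding the same function with exported firewall or NetFlow records gives a repeatable check that the segmentation BIO-ISAC recommends is actually enforced.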
“The Tardigrade APT attack on vaccine machine infrastructure is another example of the omnipresent nature of attackers and who they will target with their malware,” said Garret Grajek, CEO at YouAttest. “Like the unkillable micro-animal that the APT is named after (tardigrade), the threat actors are simply a truth of modern-day IT existence.”