A highly sophisticated malware able to aggressively spread inside networks is being employed on biomanufacturing industry targeted attacks. Security researchers named the malware Tardigrade and based on initial research, it might be a SmokeLoader variant. SmokeLoader is commonly utilized as a malware loader and backdoor, however, Tardigrade and SmokeLoader are different from each other.
The sophisticated character of the malware combined with the targeted attacks on vaccine companies and their partners clearly indicates an Advanced Persisted Threat (APT) actor created and use the malware. The first detection of the malware was in attacks on the biomanufacturing industry in spring 2021. At that time, an infection was identified in a big American biomanufacturing company. The malware was discovered for a second time in an October 2021 attack on a biomanufacturing company. Most likely, the malware has been employed in cyberattacks on a number of companies in the industry.
Compared with SmokeLoader, which needs sending of instructions to the malware from a command-and-control system, Tardigrade malware could make use of its internal logic to decide about lateral activity and which files to alter. The malware possesses a distributed command-and-control system and utilizes various IPs that don’t match a particular command-and-control node. The malware is likewise metamorphic meaning its code frequently changes, at the same time retains its performance. Therefore, it is not effective to use signature-based detection mechanisms to identify and block Tardigrade malware.
Tardigrade malware is sneaky and may be employed to get persistent access to the system of victims for surveillance. The malware makes a tunnel to exfiltrate data and prepares systems for other malicious activities like ransomware attacks. The malware was initially discovered while investigating what seemed like a ransomware attack.
The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) issued an alert regarding the malware because of the considerable threat the malware brings to the biomanufacturing industry and its associates. The HHS’ Health Sector Cybersecurity Coordination Center (HC3) likewise issued an advisory about the malware recently.
BIO-ISAC states all biomanufacturing websites and their partners must have the assumption that they will be targeted and should do something to strengthen their defenses versus this new threat. The main method of malware distribution is thought to be phishing emails, though the malware can spread using USB drives and can pass on autonomously all over the victims’ systems.
It is vital to make sure cybersecurity guidelines are adopted, like closing open remote desktop protocols, updating outdated operating systems and software programs, aggressively segmenting systems, using multifactor authentication, and making sure antivirus software program is employed on all devices that can do the behavioral evaluation.
BIO-ISAC additionally advises performing a “crown jewels” analysis, which must include evaluating the effect of an attack in case particular critical devices be made inoperable, making sure offline backups are done on biomanufacturing system, examining backups to make sure recovery is achievable, giving phishing awareness training to the employees, questioning about lead times for acquiring critical infrastructure parts like chromatography, microbial containment systems, endotoxin, and speeding up the upgrade of obsolete equipment.
Additional details on the Tardigrade malware threat can be found on the pages of BIO-ISAC and HC3.