
Tardigrade Malware Poses Unprecedented Threat to Biomanufacturers

Bad actors used Tardigrade malware to target a vaccine biomanufacturing facility, and experts are advising the healthcare sector to stay vigilant.


By Jill McKeon

The Health Sector Cybersecurity Coordination Center (HC3) released an alert warning the healthcare sector of Tardigrade malware, a sophisticated strain of malware that was used to attack a vaccine biomanufacturing facility.

New research from the cybersecurity nonprofit Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) indicated that an Advanced Persistent Threat (APT) group is operating the malware, citing its “unprecedented sophistication and stealth.”

According to BIO-ISAC, a large vaccine biomanufacturing facility was hit by a cyberattack in spring 2021. Researchers detected the malware again at a second facility in October 2021.

“Due to the advanced characteristics and continued spread of this active threat, BIO-ISAC made the decision to expedite this threat advisory in the public interest,” the nonprofit stated.

“At this time, biomanufacturing sites and their partners are encouraged to assume that they are targets and take necessary steps to review their cybersecurity and response postures.”

Tardigrade is a metamorphic variant of the SmokeLoader malware family and is primarily delivered via infected email software, adverts, plug-ins, USB devices, and infected networks.

Tardigrade’s main goal is to download and manipulate files and then deploy other modules while remaining hidden. It is compatible with other APT payloads, including Conti, Ryuk, and Cobalt Strike.

“While many malware systems are polymorphic, this system seems to be able to recompile the loader from memory without leaving a consistent signature,” BIO-ISAC found. “Recompiling occurs after a network connection in the wild that could be a call to a command and control (CnC) server to download and execute the compiler.”

This strategy allows for an unexpected level of autonomy compared to other malware.

“HC3 recommends that biotechnology companies specifically as well as the healthcare and public health sector (HPH) generally review this report and take appropriate action to protect their information infrastructure against the spread of Tardigrade,” HC3 said in its alert.

BIO-ISAC recommended that facilities review their biomanufacturing network segmentation and run tests to verify proper segmentation between corporate, guest, and operational networks. Biomanufacturers should also test and perform offline backups of key biological infrastructure and plan for the potential consequences of certain machines being inoperable.
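BIO-ISAC's advice to test segmentation between corporate, guest, and operational networks can be turned into a repeatable check. The script below is an added example, not code from BIO-ISAC, HC3, or the article: it maps each side of an observed flow to a zone and flags every flow the firewall permitted that the zone policy does not allow. The zone address ranges, the allowed-pair policy, and the log line format are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple
# Zone address ranges: constructed sample values, not taken from the advisory.
ZONES = {
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "guest": [ipaddress.ip_network("192.168.50.0/24")],
    "operational": [ipaddress.ip_network("10.200.0.0/16")],
}
# Hypothetical policy: (source zone, destination zone) pairs that may talk.
# Any other flow the firewall permitted is a segmentation failure to investigate.
ALLOWED = {
    ("corporate", "corporate"), ("guest", "guest"), ("operational", "operational"),
    ("corporate", "operational"),  # e.g. administered from a corporate jump host
}
Flow = namedtuple("Flow", "src dst dport action")

def zone_of(addr):
    """Map an IP address to its zone, or 'unknown' if it matches no range."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"

def parse_flow(line):
    """Parse one constructed log line: 'src=IP dst=IP dport=N action=ALLOW|DENY'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["action"])

def segmentation_violations(lines):
    """Return (flow, (src_zone, dst_zone)) for each permitted flow the policy forbids."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow.action != "ALLOW":
            continue  # denied traffic means the boundary held
        pair = (zone_of(flow.src), zone_of(flow.dst))
        if pair not in ALLOWED:
            violations.append((flow, pair))
    return violations

# Constructed log lines for a dry run; a real check reads exported firewall logs.
SAMPLE_LOG = [
    "src=10.10.4.12 dst=10.10.9.3 dport=445 action=ALLOW",      # corporate -> corporate
    "src=192.168.50.21 dst=10.200.3.8 dport=502 action=ALLOW",  # guest -> operational!
    "src=192.168.50.21 dst=10.200.3.8 dport=502 action=DENY",   # blocked, fine
    "src=10.10.4.12 dst=10.200.3.8 dport=22 action=ALLOW",      # corporate -> operational
    "src=10.200.3.8 dst=10.10.4.12 dport=443 action=ALLOW",     # operational -> corporate!
    "src=203.0.113.7 dst=10.200.3.8 dport=5900 action=ALLOW",   # unknown -> operational!
]
```

Running `segmentation_violations(SAMPLE_LOG)` on the constructed log reports three violations: the guest-to-operational flow, the reverse operational-to-corporate flow, and the flow from an address outside every defined zone.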

BIO-ISAC also suggested that organizations inquire about lead times for key bio-infrastructure components, such as chromatography systems and endotoxin and microbial contamination systems.

Proper cyber hygiene is the best way to protect organizations from cyberattacks. Since phishing is a common attack vector for this particular strain of malware, organizations should train biomanufacturing facility staff to look for targeted attacks and review social media posts to determine who is likely to be targeted.

Researchers also noted that many machines in this sector are outdated or legacy systems that cannot be patched or updated. If this is the case, organizations should segment them aggressively and attempt to upgrade to different systems.

“The Bioeconomy and Biomanufacturing sectors are under concerted, sophisticated attack. You are a target,” BIO-ISAC concluded. “This malware is extremely difficult to detect due to metamorphic behavior. Vigilance on key personnel corporate computers is important.”