The biomanufacturing sector has been warned about targeted attacks involving Tardigrade malware – a sophisticated metamorphic variant of the SmokeLoader backdoor.
Tardigrade malware is known to have been used in two cyberattacks on companies in the biomanufacturing sector in 2021. In the spring of 2021, a large biomanufacturing facility was targeted, and a second facility was infected with the malware in October. The attacks prompted the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) to issue a warning to firms in the biomanufacturing sector and their partners about the new threat.
BIO-ISAC said Tardigrade is a sophisticated member of the SmokeLoader family with a far greater degree of autonomy than previously seen SmokeLoader variants. The SmokeLoader backdoor depends on command-and-control infrastructure and is externally directed, whereas Tardigrade can decide for itself which files to modify and can move laterally using internal logic, without waiting for instructions from a C2 server. According to BIO-ISAC, the malware achieves immediate privilege escalation through a client-impersonation technique, and it is metamorphic, which makes it particularly hard to detect with signature-based tools.
Analysis of the malware is ongoing, but it is known to have achieved lateral movement over network shares, creating folders whose names are drawn from a list (for example, ProfMargaretPredovic). BIO-ISAC said the APT actor made the attacks look like ransomware incidents; further investigation revealed they were far more sophisticated. It is now thought that the malware was first deployed as part of an espionage campaign and then used to prepare the victim's systems for a ransomware attack. Researchers observed Tardigrade sending encrypted traffic to a C2 IP address, which could indicate that sensitive data was being exfiltrated. According to BIO-ISAC, the malware can change its properties based on the victim's environment. It is believed to have been delivered via phishing emails, although other distribution methods may be in use.
The analyses so far indicate that a great deal of time and effort has gone into creating Tardigrade. Malware variants commonly use polymorphism to evade antivirus software; Tardigrade instead uses metamorphism. Polymorphic malware keeps a constant body but encrypts it under a different key for each generation, with a varying decryptor stub, so the bytes on disk change while the code that runs after decryption stays the same; this defeats static signatures but leaves a constant payload for memory scanning to find. Metamorphic malware rewrites its own code, so even the executing body differs between generations. Tardigrade changes its constituent parts and recompiles itself in a sophisticated way that researchers are still working out. The degree of sophistication, the advanced morphic behavior, and the choice of targets suggest the malware is the work of a well-funded APT group, but it is currently unclear whether the attacks are being conducted for espionage, to disrupt COVID-19 vaccine production, or for some other purpose.
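To make the polymorphic/metamorphic distinction concrete, here is an added illustration in Python. It is not code from the BIO-ISAC advisory or from Tardigrade itself: the "payload" is a constructed toy stack-machine program, the opcodes, marker byte and signature are made up for the example, and the packer and rewriter are deliberately simple. What it shows is why a fixed byte signature catches the polymorphic variant once it is decrypted in memory but never catches the metamorphic variant, whereas a behavioral check (run it and see what it does) catches both.

```python
import random

# Toy stack-machine opcodes for a constructed "payload" (not Tardigrade code).
NOP, PUSH, ADD, SUB = 0x00, 0x01, 0x02, 0x03

# Constructed payload: PUSH 2, PUSH 3, ADD, PUSH 4, ADD -> leaves 9 on the stack.
PAYLOAD = bytes([PUSH, 2, PUSH, 3, ADD, PUSH, 4, ADD])

# Constructed static signature: the first five bytes of the original payload,
# the kind of fixed byte pattern a signature-based scanner matches on.
SIGNATURE = PAYLOAD[:5]
POLY_MARKER = 0xAA  # constructed marker byte that starts the "decryptor stub"


def run(code: bytes) -> int:
    """Interpret the toy bytecode and return the value left on top of the stack."""
    stack, i = [], 0
    while i < len(code):
        op = code[i]
        if op == NOP:
            i += 1
        elif op == PUSH:
            stack.append(code[i + 1])
            i += 2
        elif op in (ADD, SUB):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == ADD else a - b)
            i += 1
        else:
            raise ValueError(f"bad opcode {op:#x} at offset {i}")
    return stack[-1]


def has_signature(code: bytes) -> bool:
    """Static, signature-based check: is the fixed byte pattern present?"""
    return SIGNATURE in code


def poly_pack(code: bytes, key=None, seed=None) -> bytes:
    """Polymorphic packing: identical body, XOR-encrypted under a fresh key.
    Layout: marker || 4-byte key || encrypted body (the 'stub' carries the key)."""
    rng = random.Random(seed)
    key = key or bytes(rng.randrange(256) for _ in range(4))
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(code))
    return bytes([POLY_MARKER]) + key + body


def poly_unpack(blob: bytes) -> bytes:
    """What the decryptor stub does at run time, i.e. what a memory scanner sees."""
    if blob[0] != POLY_MARKER:
        raise ValueError("not a packed blob")
    key, body = blob[1:5], blob[5:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def metamorph(code: bytes, seed=None) -> bytes:
    """Metamorphic rewrite: change the instructions themselves while preserving
    behaviour. Every PUSH n becomes PUSH n+k, PUSH k, SUB for a random k, and
    junk NOPs are sprinkled in, so no constant byte sequence survives."""
    rng = random.Random(seed)
    out, i = bytearray(), 0
    while i < len(code):
        op = code[i]
        if rng.random() < 0.5:
            out.append(NOP)  # junk insertion between instructions
        if op == PUSH:
            n = code[i + 1]
            if n < 255:
                k = rng.randrange(1, 256 - n)  # keep n + k within one byte
                out += bytes([PUSH, n + k, PUSH, k, SUB])  # same net effect as PUSH n
            else:
                out += bytes([PUSH, n])
            i += 2
        elif op == NOP:
            i += 1  # drop previous junk; this pass inserts its own
        else:
            out.append(op)
            i += 1
    return bytes(out)


def behavioral_match(code: bytes, expected=None) -> bool:
    """Behavioural check: execute the sample and compare what it does, not its bytes."""
    if expected is None:
        expected = run(PAYLOAD)
    return run(code) == expected


if __name__ == "__main__":
    blob = poly_pack(PAYLOAD)
    print("polymorphic  - static sig on disk:", has_signature(blob),
          "| after unpack:", has_signature(poly_unpack(blob)))
    variant = metamorph(PAYLOAD)
    print("metamorphic  - static sig:", has_signature(variant),
          "| behaves like payload:", behavioral_match(variant))
```

The packer stands in for the "different keys for encryption" the article describes; the rewriter substitutes semantically equivalent instruction sequences, which is the essence of metamorphism. Real metamorphic engines work on native code with register renaming, instruction reordering and recompilation rather than this toy substitution, but the detection consequence is the same: byte patterns are unreliable, which is why the advisory's recommendation for antivirus with behavioral analysis matters.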
BIO-ISAC has made several recommendations that firms in the biomanufacturing sector have been advised to implement immediately to improve their defenses against Tardigrade malware attacks.
- Review network segmentation and run tests to ensure proper segmentation between corporate, guest, and operational networks
- Conduct a “crown jewels” analysis
- Test and perform offline backups of biological infrastructure
- Inquire about lead times for key bio-infrastructure components, such as chromatography, endotoxin, and microbial containment systems
- Use antivirus software with behavioral analysis capabilities
- Ensure anti-phishing software is deployed
- Train the workforce to be on the lookout for targeted attacks
- Review the LinkedIn and social media posts of employees to identify individuals who are likely targets
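The first recommendation, testing that corporate, guest and operational networks are actually segmented, is the one that lends itself to an automated check. The following Python script is an added example (not from BIO-ISAC) of a policy-driven reachability test: it lists destination host/port pairs that must be unreachable from the zone the script runs in, attempts a TCP connection to each, and reports any that answer. The addresses, ports and zone names are constructed placeholders; substitute your own network's rules.

```python
import socket
import sys
from typing import Callable, Dict, List, Tuple

# Constructed policy: from the zone this script runs in (say, the corporate LAN),
# these (host, port) pairs MUST NOT be reachable. Addresses are placeholders.
DENY_EXPECTED: Dict[str, List[Tuple[str, int]]] = {
    "corporate->ot": [
        ("10.20.0.10", 502),    # Modbus/TCP on a hypothetical PLC
        ("10.20.0.11", 44818),  # EtherNet/IP on a hypothetical controller
        ("10.20.0.12", 3389),   # RDP on a hypothetical OT jump host
    ],
    "corporate->guest": [
        ("192.168.50.1", 80),   # guest-network gateway web UI
    ],
}


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake completes, i.e. the path is OPEN."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out (socket.timeout is an OSError)
        return False


def check_segmentation(policy: Dict[str, List[Tuple[str, int]]],
                       probe: Callable[[str, int], bool] = tcp_probe
                       ) -> List[Tuple[str, str, int]]:
    """Return (rule, host, port) for every target that should be blocked but answered.
    The probe is injectable so the logic can be exercised without a live network."""
    violations = []
    for rule, targets in policy.items():
        for host, port in targets:
            if probe(host, port):
                violations.append((rule, host, port))
    return violations


def format_report(violations: List[Tuple[str, str, int]]) -> str:
    if not violations:
        return "OK: no denied path answered"
    lines = [f"FAIL: {len(violations)} segmentation violation(s)"]
    lines += [f"  {rule}: {host}:{port} reachable" for rule, host, port in violations]
    return "\n".join(lines)


if __name__ == "__main__":
    found = check_segmentation(DENY_EXPECTED)
    print(format_report(found))
    sys.exit(1 if found else 0)
```

Run it from a host in each source zone with that zone's deny list; a non-zero exit makes it easy to wire into a scheduled job. Two caveats: a closed port or a timeout proves only that TCP connects fail, not that the firewall policy is correct (test UDP and ICMP separately where the policy covers them), and connection attempts against fragile OT devices can disrupt them, so probe controllers only from the side that is supposed to be blocked and in an agreed maintenance window.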