An advanced persistent threat has hit two different vaccine manufacturers, and it relies on a shape-shifting malware, which initially displays as a ransomware attack. Ultimately, the infection proves far more sophisticated…

This new attack, known as Tardigrade, leverages malware that can adapt to its environment, hide itself, and operate autonomously when disconnected from a command-and-control server (C2).

In April, experts discovered Tardigrade in a large biomanufacturing facility. In October, a second facility exhibited a Tardigrade malware infection. While exploring the malware, investigators uncovered a malware loader that is highly autonomous and that shows metamorphic capabilities.

The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) recently elected to release information about Tardigrade in order to disrupt the spread of this “active threat.”

Biomanufacturing organizations

Experts advocate for biomanufacturing enterprises to assume that they represent potential targets for this attack. Partner organizations may also prove at-risk of Tardigrade malware intrusions.

Biomanufacturing groups can review cyber security and response postures to prevent and defend against this threat.

Vaccine manufacturers and malware

Since the start of the pandemic, vaccine manufacturers have experienced waves of cyber attacks. In October of 2020, one vaccine manufacturer was forced to close plants after experiencing a cyber attack. Several months later, cyber attackers installed themselves within the European Medicines Agency (EMA) server and illicitly observed intellectual property.

Tardigrade malware attacks

Researchers with BioBright, a biomedical and cyber security firm and BIO-ISAC member, state that the malware used in Tardigrade attacks is similar to that within the SmokeLoader family. It retains metamorphic capabilities. This variant is especially notable due to its properties that enable it to shape-shift based on the environment. Previous versions of SmokeLoader malware were externally directed by C2 infrastructure. However, the structures used in Tardigrade operate more autonomously. Further, Tardigrade can direct its own lateral movement.

By impersonating client technique, Tardigrade malware can also engage in immediate privilege elevation. Finally, researchers noticed SmokeLoader shuttling encrypted traffic to a C2 IP address, indicating potential information exfiltration.

Cobalt strike in disguise?

A handful of security researchers have questioned the BIO-ISAC assertions pertaining to the Tardigrade malware and its characteristics. These researchers contend that a Cobalt Strike beacon is involved and that the malware doesn’t necessarily seem connected to SmokeLoader.

BioBright disputes this interpretation, and explains that second and third-party confirmations indicate otherwise. In summary, the disagreement stems from disparate confidence levels in automatic tools.

In-depth testing

Researchers state that Tardigrade isn’t your everyday malware. It’s a sophisticated piece of code, as indicated by metamorphic capabilities. This advanced aspect of Tardigrade concerns researchers.

Advanced tools like Tardigrade indicate that threat actors have ramped up their efforts to disrupt critical business sectors. Amidst the coronavirus pandemic, the biomanufacturing sector became highly critical to the continuation of lives and livelihoods. Interruptions in the biomanufacturing sector could potentially harm our ability to curb the coronavirus. Biomanufacturing groups must be able to prevent and detect Tardigrade before it can render damage.

For information about biotech, the coronavirus and security, click here. To receive more timely insights, analysis and resources, sign up for the CyberTalk.org newsletter.