Nicknamed Tardigrade, the attacks are spreading among biomanufacturing companies, according to the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC). The malware is highly customizable, adapts to the environment it has infected and can act autonomously if cut off from the attackers’ command-and-control server, said researchers from BioBright.
BioBright, a BIO-ISAC member, investigated attacks at two facilities, one this spring, and another in October. Both facilities initially reported ransomware attacks on their respective networks, another strange twist to these incidents: ransomware is noisy by nature, in stark contrast to the inherently stealthy malware that was actually found on these networks.
BIO-ISAC released some technical details about these attacks yesterday; given that the group says the attacks are ongoing, users in this industry need to be vigilant about cutting off the intruders’ access to these critical networks.
Tardigrade is polymorphic malware, an advanced technique in which the code changes depending on its environment in order to avoid detection. According to an article in Wired, one BioBright analyst said she conducted dozens of tests on the malware, and each time it compiled differently and communicated uniquely with command-and-control servers. If that backdoor access is somehow cut off, the malware will continue to deploy its payloads.
Polymorphic malware is advanced, but not uncommon. Tardigrade stands out because, according to details released by BIO-ISAC, it is able to recompile its loader from memory and not leave a consistent signature. This would complicate detection efforts.
The malware is delivered via numerous vectors, including phishing emails and infected USB drives. It uses a malware loader known as SmokeLoader, or Dofoil, to inject modules onto compromised machines, including keyloggers and password-stealing utilities. It also creates a backdoor connection that allows for downloading files and commands from the attacker’s server, deploying additional attack modules, and remaining hidden on the network. Its purpose is espionage, and BioBright and BIO-ISAC believe it’s the work of an advanced persistent threat (APT) group, likely state-sponsored.
SmokeLoader, meanwhile, has been available on underground forums for a decade. It’s been linked to numerous attacks, including some involving cryptocurrency mining and data exfiltration. It’s armed with numerous plug-ins that enable persistence on compromised networks, as well as tools that ensure its stealthiness, including some that obfuscate values in the malware and routines designed to determine whether it is executing within a virtual machine, which would indicate that it has been found and quarantined.
According to BIO-ISAC’s report, the version of SmokeLoader used by Tardigrade is more autonomous than previous versions and can make decisions on lateral movement or file manipulation based on internal logic. The BIO-ISAC report has made a list of indicators of compromise available, as well as detection statistics; 34 of 69 antimalware vendors detect it as malicious as of yesterday.
The concern is that COVID-19 vaccines and treatments are being developed within this sector, and since the start of the pandemic, espionage efforts targeting these companies have ramped up. BioBright CEO Charles Fracchia declined to connect the victims to COVID-19 research, according to Wired, but said their processes play a role.
Stealing private research related to COVID-19 vaccines, for example, would reduce an adversary state’s research-and-development time and costs significantly.
- Biomanufacturing companies should scan their networks for indicators of compromise pointing to a Tardigrade infection.
- Proper network segmentation is a key mitigation step for operators of industrial networks, including as a tactic for fending off Tardigrade. Operational technology networks should be segmented from enterprise networks, and any crossover points between IT and OT should be guarded.
- Segmentation likely would involve virtual zoning that allows for zone-specific policies that are tailored to engineering and other process-oriented functions. The ability to inspect traffic and OT-specific protocols is also crucial to defend against anomalous behaviours.
- Visibility into remote access is also essential. These connections should be monitored and audited for anomalous activity; shared passwords should be discouraged, and two-factor authentication should be enabled.
- Secure remote access solutions must not only alert on suspicious activities, but also provide the capability to investigate specific sessions, either live or on-demand, and allow administrators to respond by either disconnecting a session or taking another action to contain or remediate the damage.
- BIO-ISAC recommends backups for key segments of the infrastructure, including ladder logic for biomanufacturing instrumentation, SCADA and historian configurations, and the batch record system.