BIO-ISAC warns of Tardigrade malware actively targeting bioproduction facilities


The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) published a threat notice about a malicious actor actively targeting large biofabrication organizations with a new payload called Tardigrade malware.

The new malware strain has been active since spring 2021 and remains undetected for long periods of time while continually exfiltrating data.

BIO-ISAC security researchers suggested that the Tardigrade malware was deployed for cyber espionage or to disrupt biofabrication processes.

They named the variant after the microscopic organism that can survive extreme heat and cold, high pressures, radiation, and vacuum.

Tardigrade malware compiles in memory and survives without a C2 server

According to researchers at BIO-ISAC, Tardigrade malware is a metamorphic variant of Smoke Loader transmitted via USB or online phishing.

They explained that Smoke Loader acts as the initial entry point before downloading additional Tardigrade malware payloads. Smoke Loader has been active since 2011 and used in cryptocurrency mining campaigns.

BIO-ISAC suggests that Tardigrade’s main goals were to maintain persistence, organize ransomware attacks, and commit intellectual property theft. Tardigrade is also compatible with Conti, Ryuk and Cobalt Strike. The organization also suggested that Tardigrade malware targets biofabrication organizations based on public activity or current affairs.

However, Vitali Kremez of Advanced Intel described Tardigrade’s dropper as a “Cobalt Strike HTTP beacon encrypted with typical Conti ransomware group encryptor”.

Biodata integration company BioBright also noted that Tardigrade malware would only work in specific environments, suggesting that it was designed for bioproduction facilities. The company also noted that while similar to SmokeLoader, Tardigrade offered advanced features and customization options. According to BioBright, Tardigrade also functions as a keylogger and Trojan horse allowing attackers to engage in any malicious activity on the host network.

BioBright Chief Medical Officer and BIO-ISAC member Ed Chung noted that Tardigrade malware is still evolving and security researchers are still learning more. However, he insisted on the need for disclosures to raise awareness of the highly evasive variant of malware. BioBright researchers have warned that Tardigrade malware could shut down a bioproduction facility, causing network outages that result in millions in losses per day.

Meanwhile, BIO-ISAC researchers noted that Tardigrade malware uses advanced concealment techniques. They discovered that it could survive without command and control (C2) servers while spreading over compromised networks. The malware achieves this functionality by taking advantage of internal logic for network propagation and determining which files to compromise.

Additionally, Tardigrade malware can compile in memory without leaving a consistent digital signature, making it difficult to track. As a result, fewer than half of antivirus engines can detect the variant.

Very advanced malware

Tardigrade’s impressive cyber espionage capabilities suggest that an advanced or state threat actor could be behind the biofabrication malware.

Chris Clements, Vice President of Solutions Architecture at Cerberus Sentinel, noted that nation-state hackers often pose as ransomware gangs to prevent attribution.

“This provides fantastic coverage for state actors seeking to use this information for intelligence or industrial espionage purposes. Targeting of vaccine makers could indicate that this attacker was seeking to steal information about the vaccine development and manufacturing process, an attempt to disrupt the production of an opposing nation-state or both.”

Likewise, the researchers described the malware operator as a well-funded advanced persistent threat (APT) actor. They observed that the perpetrator was employing tactics similar to those of a Russian APT. Russia and China have been accused of various attempts to steal biotechnology-related intellectual property, particularly in research into the COVID-19 vaccine.

“It’s almost lost in the shake-up as vaccine makers rush to develop and certify coronavirus vaccines and booster shots, but these companies are also hit by malware attacks designed to cripple manufacturing systems, steal intellectual property and install ransomware,” said Saryu Nayyar, CEO at Gurucul. “This malware, called Tardigrade, is proving to be very sophisticated, adapting to its environment, increasing privileges and capable of making decisions without a command and control server.”

How to protect bioproduction facilities from Tardigrade malware

BIO-ISAC advises biofabrication facilities to assume they have been compromised and initiate the cyber response process.

The organization advised bioeconomy facilities to ensure appropriate network segmentation between corporate, operational, and guest networks. In addition, they must maintain offline backups of critical biological infrastructure, create a “crown jewel” analysis for their facilities, and understand lead times for key bio-infrastructure components.

Likewise, they must use anti-virus software with behavioral threat detection, train biofabrication workers to recognize phishing attacks, and create upgrade paths for key instruments that run on outdated operating systems.
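The segmentation recommendation above is only useful if it is written down as a policy and checked against what the network actually carries. The following Python script is an added example, not part of the BIO-ISAC notice and not tooling from any vendor quoted here: it encodes an assumed three-zone policy (corporate, operational, guest, plus everything else as external) as an allow-list of zone pairs with a single named exception for a jump host, then runs a handful of constructed flow-log lines through it and reports the flows the policy would not permit. The address ranges, the jump-host address, the port numbers and the log format are all assumptions chosen for the illustration.

```python
"""Check observed network flows against a corporate / operational / guest segmentation policy.

Added example. Zone ranges, the jump host, ports and the log line format are
assumptions made for this illustration, not values from the BIO-ISAC notice.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed zone addressing (constructed for the example).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "operational": ipaddress.ip_network("10.20.0.0/16"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
}

# Zone pairs allowed to talk to each other. Anything not listed here (or in
# EXCEPTIONS) is treated as a segmentation violation. Note that the operational
# zone is deliberately given no route to "external", i.e. no direct internet egress.
ALLOWED_PAIRS = {
    ("corporate", "corporate"),
    ("operational", "operational"),
    ("guest", "guest"),
    ("corporate", "external"),  # staff web access
    ("guest", "external"),      # guest Wi-Fi is internet-only
}

# Narrow, named exceptions: (src_zone, dst_zone, dst_ip, dst_port).
# Assumed: corporate may reach the OT zone only through one jump host over RDP.
EXCEPTIONS = {
    ("corporate", "operational", "10.20.0.5", 3389),
}

# Assumed flow-log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name; anything outside the defined zones is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; malformed lines yield None and are skipped by the checker."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def is_permitted(flow: Flow) -> bool:
    """True if the flow matches an allowed zone pair or a named exception."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if (src_zone, dst_zone) in ALLOWED_PAIRS:
        return True
    return (src_zone, dst_zone, flow.dst, flow.dport) in EXCEPTIONS


def find_violations(lines: List[str]) -> List[Tuple[Flow, str, str]]:
    """Return (flow, src_zone, dst_zone) for every parseable flow the policy does not permit."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if not is_permitted(flow):
            violations.append((flow, zone_of(flow.src), zone_of(flow.dst)))
    return violations


# Constructed sample flow log (not real traffic).
SAMPLE_FLOWS = [
    "2021-11-22T10:01:00Z src=10.10.4.7 dst=10.20.0.5 dport=3389 proto=tcp",      # corporate -> OT via jump host: allowed
    "2021-11-22T10:01:05Z src=192.168.50.12 dst=10.20.3.40 dport=445 proto=tcp",  # guest -> OT: violation
    "2021-11-22T10:01:09Z src=10.20.3.40 dst=203.0.113.9 dport=443 proto=tcp",    # OT -> internet: violation
    "2021-11-22T10:01:12Z src=10.10.4.7 dst=203.0.113.9 dport=443 proto=tcp",     # corporate -> internet: allowed
    "2021-11-22T10:01:20Z src=10.10.4.7 dst=10.20.3.40 dport=445 proto=tcp",      # corporate -> OT, not via jump host: violation
    "this line is not a flow record",                                             # skipped
]

if __name__ == "__main__":
    for flow, src_zone, dst_zone in find_violations(SAMPLE_FLOWS):
        print(f"{flow.ts} VIOLATION {src_zone}->{dst_zone} "
              f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

The deny-by-default shape matters more than the specific ranges: the policy lists what may talk, so any path an operator forgot about (here, an OT host reaching the internet, or a corporate workstation reaching an instrument directly) surfaces as a violation rather than silently passing. In a real deployment the sample list would be replaced by flow records exported from the firewall or a network sensor, and the exception table would be the reviewed list of approved cross-zone paths.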


“The Tardigrade APT attack on vaccine machine infrastructure is another example of the pervasive nature of attackers and the targets they will target with their malware,” said Garret Grajek, CEO of YouAttest. “Like the unkillable micro-animal from which the APT takes its name (tardigrade), threat actors are simply a truth of modern computing existence.”
