When ransomware hit a biomanufacturing facility this spring, something seemed off to the response team. The attackers left only a lukewarm ransom note, and they didn’t seem interested in actually collecting a payment. Then there was the malware they used: a shockingly complex strain called Tardigrade.
As researchers at the biomedical and cybersecurity firm BioBright dug further, they discovered that Tardigrade did more than just shut down computers throughout the facility. They found that the malware could adapt to its environment, disguise itself, and even run independently when disconnected from its command-and-control (C&C) server. This was something new.
Today, the nonprofit Bioeconomy Information Sharing and Analysis Center, or BIO-ISAC, of which BioBright is a member, is publicly disclosing its findings about Tardigrade. Although the researchers do not attribute the malware to a specific developer, they say that its sophistication and other digital forensic evidence point to a well-funded and motivated “Advanced Persistent Threat” group. Furthermore, they say the malware is “actively spreading” in the biomanufacturing industry.
“This almost certainly started with espionage, but it hit everything — disrupting, destroying, spying, all of the above,” says Charles Fracchia, CEO of BioBright. “It is by far the most sophisticated malware we have seen in this field. This is eerily similar to other attacks and campaigns by state APTs targeting other industries.”
As the world scrambles to develop, produce, and distribute advanced vaccines and medicines to combat the Covid-19 pandemic, the importance of biomanufacturing has come into sharp focus. Fracchia declined to comment on whether the victims’ operations were connected to Covid-19, but emphasized that those operations play a critical role.
The researchers found that Tardigrade bears some resemblance to the popular malware downloader known as Smoke Loader. Also known as Dofoil, the tool has been used to distribute malware payloads since at least 2011 and is readily available on criminal forums. In 2018, Microsoft thwarted a large crypto-mining campaign that used Smoke Loader, and in July the security firm Proofpoint published findings about a data-theft attack that disguised the downloader as a legitimate privacy tool to trick victims into installing it. Attackers can adapt the malware’s functionality with a variety of off-the-shelf plug-ins, and it is known for using clever technical tricks to disguise itself.
BioBright researchers say that despite its similarities to Smoke Loader, Tardigrade appears to be more advanced and offers an expanded set of customization options. It also adds trojan functionality: once installed on a victim’s network, it searches for stored passwords, deploys a keylogger, starts mining data, and establishes a backdoor that lets the attackers choose their own adventure.
“This malware is designed to build itself differently in different environments, so the signature is constantly changing and difficult to detect,” says Kaley Churchill, a malware analyst at BioBright. “I tested it nearly 100 times and each time it built itself differently and communicated differently. Plus, if it wasn’t able to connect to the command and control server, it would have the potential to be more independent and self-sufficient, which is completely unexpected.”