Skip to content ↓ | Skip to navigation ↓

Security researchers are warning biomanufacturing facilities around the world that they are being targeted by a sophisticated new strain of malware, known as Tardigrade.

The warning comes from the non-profit Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) which revealed that at least two large facilities working on manufacturing bio-drugs and vaccines have been hit by the same malware this year, in what appear to be targeted attacks.

Charles Fracchia, founder of BioBright and a BIO-ISAC board member, says that Tardigrade is an APT targeting Windows computers in the bioeconomy and biomanufacturing sector “using tools of unprecedented sophistication and stealth.”

Microscope - tardigrade

At first Tardigrade might be mistaken for a (sadly all-too-common) ransomware attack, but what makes it different is its sophistication and autonomy. And – unlike ransomware – if Tardigrade makes any attempts to extort money from its victims they appear to be half-hearted, with much more interest being paid on exfiltrating data and spying on its victims.

Security researchers claim that Tardigrade appears to be a variant of the SmokeLoader malware family, but is far more autonomous – able to decide for itself to select files for modification, and move laterally throughout an organisation and take other actions such as infect USB drives, rather than rely upon a command-and-control centre.

Fraccia told Wired that Tardigrade took things to a new level:

“This almost certainly started with espionage, but it has hit on everything — disruption, destruction, espionage, all of the above. It’s by far the most sophisticated malware we’ve seen in this space. This is eerily similar to other attacks and campaigns by nation state APTs targeting other industries.”

Attacks against pharmaceutical companies and the bioeconomy have happened around the world during the pandemic, as malicious attackers have found the sector to be poorly defended compared to its heightened value to society.

For now, as nations scramble to protect their citizens from COVID-19, no-one is publicly pointing fingers as to who might be responsible for Tardigrade’s attacks. Instead the focus is on spreading word of the threat, in fear that other biomanufacturing facilities may be hit.

Analysis of exactly what Tardigrade is capable of doing is ongoing, but researchers working with BIO-ISAC say that they felt it was right to make a public disclosure having seen the continuing spread of the attack.

Initial infections appear to be most likely to occur through a poisoned email, tricking recipients into opening a file. But the Tardigrade malware can also be spread laterally across networks, and even infect USB sticks.

Malware researcher Callie Churchwell says that one method Tardigrade uses for lateral spread was network shares and that it “creates folders with random names from a list (eg: ProfMargaretPredovic)”

BIO-ISAC recommends that at-risk biomanufacturing organisations review their network segmentation, determine what the “crown jewels” are to protect inside their company, test and perform offline backups of key infrastructure, inquire about lead times for key bio-infrastructure components should they need to be replaced or upgraded, and “assume you’re a target.”


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.