HHS: APT targeting biomanufacturing with stealthy Tardigrade malware

A new sophisticated, stealthy malware variant known as Tardigrade is aggressively proliferating in the biomanufacturing sector due to ongoing targeting from a suspected advanced persistent threat, according to a recent Department of Health and Human Services Cybersecurity Program alert to the health and public health sectors.

The ongoing threat was brought to light by the cybersecurity nonprofit Bioeconomy Information Sharing and Analysis Center (BIO-ISAC), calling Tardigrade’s tactics using “unprecedented sophistication and stealth.”

The malware is aggressively spreading throughout the biomanufacturing sector. BIO-ISAC has been analyzing the tactics to what is now called Tardigrade, including its tactics and the timeline for discovery. Researchers explained that Tardigrade is “potentially the first identified malware with this level of sophistication targeting biomanufacturing facilities.”

“This is ongoing and this disclosure was accelerated in the public interest given the observed spread,” they continued.

The threat was first observed in the spring of 2021 when a cyberattack struck a large biomanufacturing facility. An investigation into the incident discovered a highly capable malware loader that displayed a high level of autonomy. A second attack was detected about six months later at another facility with the same, highly advanced capabilities. 

Tardigrade has been classified as metamorphic, as it’s able to recompile its loader from memory and without leaving a consistent signature. The malware also resembles a popular loader known as Smoke Loader, or Dofoil and is being used to deliver ransomware. 

The researchers noted the ransomware is likely being used as a diversion for the actual attack purpose: intellectual property theft. 

Smoke Loader is a loader or trojan designed to attack the victim’s network with more effective and destructive malware. It’s part of the Smokey Bear family, which is known for continually automizing its techniques and tactics, and focused on the use of multi-purpose tools like keylogging, identity theft and backdoor access.

Typically, Smoke Loader is delivered via infected email software, plug-ins, infected networks, adverts and physical infections, like USBs. The initial Tardigrade variant was Smoke Loader, followed by Dufoil and delivered via USB, files and autonomously through the network. 

Its primary attack delivery was through phishing attacks. Other entry points include external remote services, replication of removable media, supply chain compromise and valid accounts.

Tardigrade "unusually capable" at evading detection

Previous Smoke Loader versions were dependent and directed by the command-and-control infrastructure. But since becoming Tardigrade, the malware is much more autonomous and able to decide on lateral movement, based on internal logic.

In fact, researchers have observed Tardigrade with a “significant level of autonomous decision-making ability, possibly on random wait times.” 

The malware is “unusually capable” in that it’s able to customize its deployment based on the victim’s environment, which better allows it to evade detection. Even when cut off from its operators, Tardigrade is able to operate autonomously.

The malware’s infrastructure appears able to recompile the loader from memory and without a consistent signature. The recompiling process occurs “after a network connection in the wild that could be a call to a command and control (CnC) server to download and execute the compiler.” 

The method enables the system to change either some of all of the functions based on CnC, much like a normal loader system.

“The main role of this malware is still to download, manipulate files, send main.dll library if possible, deploy other modules and remain hidden [and for] espionage, tunnel creation, and for a bigger payload,” according to the BIO-ISAC report.

Tardigrade is currently compatible with several other APT-made payloads, including Conti, Ryuk, and Cobalt Strike.

The malware is able to selectively identify files for modification and uses an impersonation client technique to gain admin control connectivity before replacing the main.dll and attempting to export the original file to “varying IPs that do not correlate with a specific CnC.

The traffic is encrypted and leverages a range of methods, with one able to laterally spread via network shares and creates folders in CnC-connected servers with random names.

Bioeconomy companies, biomanufacturing sector targets of Tardigrade

Tardigrade targets include bioeconomy companies and biomanufacturing sector, which are possibly being targeted based on public releases and news activity. BIO-ISAC explained the attack motivations appear to be intellectual property theft, persistence and ransomware preparation.

The BIO-ISAC alert provides indicators of compromise for relevant security teams. Biotechnology companies and healthcare entities are being urged to review the threat methods to proactively defend against the ongoing cyberattacks to stop the spread of Tardigrade.

In light of ongoing supply chain attacks, security leaders of these impacted sectors are being urged to review network segmentation and to work with biologists and automation specialists to assess the company’s crown jewels. Administrators must also test and perform offline backups of key infrastructure.

In short, all biomedical and healthcare sector entities should consider themselves a target. As progress continues on the COVID-19 vaccine and treatment development, it’s likely these manufacturing entities will remain a key target into the foreseeable future of the pandemic response.