An advanced hacking group known as ‘Tardigrade’ is targeting biomanufacturing facilities and research centers working on vaccines and critical medicines.
The actor uses sophisticated custom malware to spread in compromised networks and exfiltrates data for extensive periods without being noticed.
According to an advisory published by BIO-ISAC today, the actor has been actively targeting entities in the field since at least January 2020.
Tardigrade has targeted multiple universities, research centers, production facilities, and “big pharma” entities involved in developing or producing COVID-19 vaccines.
The first noticeable signs of these attacks came in the form of peculiar ransomware infections in the Spring of 2020, where the actors left ransom notes that didn’t indicate a sincere interest in receiving any payments.
The purpose of these ransomware deployments was likely to conceal the drop of the actual payload, a metamorphic malware that would nest in the compromised systems, spread like a worm, and exfiltrate files.
BIO-ISAC explains that Tardigrade uses a custom metamorphic version of ‘SmokeLoader,’ delivered via phishing or USB sticks that somehow found their way on the premises of the target organizations.
The malware is particularly interesting in the sense that it can recompile the loader from memory without leaving a consistent signature, so it’s a lot harder to identify, trace, and remove.
The SmokeLoader acts as a stealthy entrance point for the actors, downloading more payloads, manipulating files, and deploying additional modules.
Past SmokeLoader versions relied heavily on external direction, but this variant can operate autonomously and even without a C2 connection.
Even if the C2 is down, the malware continues to move laterally based on internal logic and advanced decision-making abilities, even having the ability to selectively identify files for modification.
As of October 25, 2021, BIO-ISAC reports that SmokeLoader can stay hidden from roughly half of the AV engines used in Virus Total.
Partnering with ransomware gangs
BIO-ISAC member BioBright told Wired that the APT group’s initial ransomware attempts were likely performed as cover for other malicious activities on the target’s network.
However, the report’s attack timeline also shows that Tardigrade was involved in numerous well-known traditional ransomware attacks that were highly disruptive, and in most cases, encrypted devices.
These attacks included Düsseldorf University, Americold, Miltenyi Biotec, the European Medicines Agency (EMA), and Ireland’s HSE.
However, the attacks involved many ransomware families, such as DoppelPaymer in the Düsseldorf University Hospital attack, Mount Locker in the Miltenyi Biotec attack, and Conti in the Ireland HSE attack.
The variety of ransomware and payloads deployed indicates that the Tardigrade group likely partnered with different operations to provide initial network access.
It is unclear whether this was to further monetize the compromised network after Tardigrade was done harvesting data or simply as further cover for their previous malicious activity.
As for the attack conducted on the EMA, it is not believed to be a ransomware attack. However, the threat actors leaked documents stolen during the attack that were “manipulated” to weaken trust in Pfizer’s COVID-19 vaccine.
Defending against attacks
The goal of the Tardigrade actors is cyber-espionage and possibly also operational disruption, but their malware can be a persistent problem for the infected systems even if it can no longer communicate with command and control servers.
The BIO-ISAC report recommends the following practices to following standard network segmentation practices, keeping offline backups of key biological infrastructure, and inquiring about lead times for critical bio-infrastructure components.
- Review your biomanufacturing network segmentation
- Work with biologists and automation specialists to create a “crown jewels” analysis for your company
- Test and perform offline backups of key biological infrastructure
- Inquire about lead times for key bio-infrastructure components
- Use antivirus with behavioral analysis capabilities
- Participate in Phishing detection training
- Stay vigilant
Using security software with strong behavioral analysis capabilities is recommended, so even if SmokeLoader changes signature and exfiltration methods, the suspicious behavior could be detected and raise alarms.
At this time, the attribution remains unclear, so the origin of these attacks is unknown.