
Devious ‘Tardigrade’ Malware Hits Biomanufacturing Facilities

When ransomware hit a biomanufacturing facility this spring, something didn’t sit right with the response team. The attackers left only a halfhearted ransom note, and didn’t seem all that interested in actually collecting a payment. Then there was the malware they had used: a shockingly sophisticated strain dubbed Tardigrade.

As the researchers at biomedical and cybersecurity firm BioBright dug further, they discovered that Tardigrade did more than simply lock down computers throughout the facility. They found that the malware could adapt to its environment, conceal itself, and even operate autonomously when cut off from its command and control server. This was something new.

Today the cybersecurity nonprofit Bioeconomy Information Sharing and Analysis Center, or BIO-ISAC, of which BioBright is a member, is publicly disclosing findings about Tardigrade. While they’re not making an attribution about who developed the malware, they say its sophistication and other digital forensic clues indicate a well-funded and motivated “advanced persistent threat” group. What’s more, they say, the malware is “actively spreading” in the biomanufacturing industry.

“This almost certainly started with espionage, but it has hit on everything—disruption, destruction, espionage, all of the above,” says Charles Fracchia, BioBright’s CEO. “It’s by far the most sophisticated malware we’ve seen in this space. This is eerily similar to other attacks and campaigns by nation state APTs targeting other industries.”

As the world scrambles to develop, produce, and distribute cutting-edge vaccines and medications to combat the Covid-19 pandemic, the importance of biomanufacturing has been put on full display. Fracchia declined to comment about whether the victims do work related to Covid-19, but emphasized that their processes play a critical role.

The researchers found that Tardigrade bears some resemblance to a popular malware downloader known as Smoke Loader. Also known as Dofoil, the tool has been used to distribute malware payloads since at least 2011 and is readily available on criminal forums. In 2018, Microsoft stymied a large cryptocurrency mining campaign that used Smoke Loader, and the security firm Proofpoint published findings in July about a data-stealing attack that disguised the downloader as a legitimate privacy tool to trick victims into installing it. Attackers can adapt the malware’s functionality with an assortment of ready-made plug-ins, and it’s known for using clever technical tricks to hide itself.

The BioBright researchers say that despite the similarities to Smoke Loader, Tardigrade appears to be more advanced and offers an expanded array of customization options. It also adds the functionality of a trojan, meaning that once installed on a victim network it searches for stored passwords, deploys a keylogger, starts exfiltrating data, and establishes a backdoor for attackers to choose their own adventure.

“This malware is designed to build itself differently in different environments, so the signature is constantly changing and it’s harder to detect,” says Callie Churchwell, a malware analyst at BioBright. “I tested it almost 100 times and every time it built itself in a different way and communicated differently. Additionally, if it’s not able to communicate with the command and control server, it has the capability to be more autonomous and self-sufficient, which was completely unexpected.”
