HHS Warns of Sophisticated Malware
Cybersecurity

HHS Warns of Sophisticated Malware Dubbed “Tardigrade” Targeting the Biomanufacturing Sector.

Marty Tatro
by March 15, 2022

Biomanufacturing, a term used to describe technology using biological systems to produce commercial biomaterials for medicines, has come under attack by what is described as a “sophisticated” malware variant (Department of Health and Human Services). With biotechnology becoming a tool used widely in creating medicines and other medical products, a threat of this type could mean problems for those in the commercial and medical realms who use them. 

What is “Tardigrade?”

Tardigrade is an aggressive and highly sophisticated malware used for multiple purposes. This particular malware is being used to load ransomware and other downloadable threat vectors to the systems at biomanufacturing facilities, allowing the attacker to access those systems, lock them down, or gather intelligence that can be used later or even sold. This threat is even more problematic because it can reside on systems without detection due to its ability to morph its code to avoid detection. It has also maintained its core integrity and even moved to other systems without an external command and control (CnC) connection to those that initiated the attack. 

Who is targeted?

Currently, the only targets publicized are those that deal with biomanufacturing processes or are in the medical field. However, with an advanced threat package such as this, it is very possible that it can be customized for other targets. It is not yet known whether the attackers will use the Tardigrade malware for this type of target.

What else can it do?

  • Intellectual property/information theft,
  • Automatic customization of its build to the environment it finds itself in,
  • Non-persistent signature,
  • Can recompile its loader from memory,
  • Other capabilities.

What are some indicators of compromise (IoCs) of Tardigrade?

IoCs are events or actions taken by a threat vector that can be used to recognize that there may be a problem. Some of Tardigrade’s IoCs are (BIO-ISAC):

  • Export of the following files:
    • DllGetClassObject 
    • DllMain
    • DllRegisterServer
    • DllUnregisterServer
    • InitHelperDll
    • StartW
  • Registry flushing
  • The monitoring of specific files

Northstarr Recommendations 

Many of these recommendations are best practice, but ensuring that your organization maintains best practices and updates them as needed is always a good policy. Review your policies, procedures, recovery plans, how you get, use, maintain, and store your data. 

  • Network segmentation,
  • Ensuring remote access protocols and protections are up to date and monitored for improper use or use by unauthorized personnel,
  • Disaster response plans are created, implemented, and followed,
  • Backup your data in multiple locations, as well as offline,
  • Use preventative measures such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) and access controls.