The non-profit Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) released a disturbing advisory yesterday regarding an advanced persistent threat (APT) that is actively spreading among bio-drug and vaccine manufacturers, using a type of Windows malware it calls Tardigrade. The malware can alter itself to avoid detection while taking over computer systems to steal and modify files. Some analysts have compared it to another malware program, Smoke Loader, which has been around for about ten years.
The Center reports that a large biomanufacturing facility was involved in a cyberattack in Spring 2021. Through the subsequent investigation, a malware loader was identified that demonstrated a high degree of autonomy as well as metamorphic capabilities. In October 2021, further presence of this malware was noted at a second nondisclosed facility.
Because of the advanced characteristics and continued spread of this active threat, BIO-ISAC officials say they decided to expedite this advisory in the public interest.
Cyberattacks increased during the pandemic
A GEN article last February pointed out that the COVID-19 pandemic actually exacerbated the problem of cyberattacks. According to analysis by the cybersecurity firm Bluevoyant, the number of attacks against drug manufacturers was 50% greater in 2020 than in 2019. The surge, the authors said, is in part because companies developing SARS-CoV-2 vaccines and therapeutics are being targeted.
“COVID-19 vaccines are the crown jewels in 2020 with eight of the most prominent companies in the race for a vaccine facing high volumes of targeted malicious attacks,” noted the authors.
Drug firms that use digital technologies are the most likely to be targeted, said Saurabh Sinha, a cybersecurity expert at the University of Johannesburg in South Africa who has written about the risks faced by the sector.
While the Tardigrade hackers have not been identified, it’s known that groups from Russia and China have been busy trying to steal intellectual property on drugs and biomanufacturing operations during the pandemic.
Information and recommendations
A PDF entitled “BIO-ISAC-Tardigrade-Disclosure Long” on the BIO-ISAC website details what is known about Tardigrade; the Center assembled it with BioBright, a company that offers data automation and integrated lab data informatics solutions. The BIO-ISAC/BioBright team also published recommendations that should be implemented right now:
Review your biomanufacturing network segmentation.
- Run tests to verify proper segmentation between corporate, guest, and operational networks.
- Most facilities use remote logins with shared passwords to operate key instrumentation. Enforcing segmentation is essential.
Work with biologists and automation specialists to create a “crown jewels” analysis for your company.
- Ask: “If this machine was inoperable overnight, what would be the impact?”
- Ask: “How long would it take to re-certify (GxP) this instrument?”
Test and perform offline backups of key biological infrastructure.
- Ladder logic for biomanufacturing instrumentation
- SCADA and Historian configurations
- Batch record system
Inquire about lead times for key bio-infrastructure components.
- Chromatography systems
- Endotoxin and microbial contamination systems
Prevention is key.
- Use antivirus with behavioral analysis capabilities.
- Phishing is a vector of attack.
- Train biomanufacturing facility staff to look out for targeted attacks.
- Review LinkedIn and other social media posts of employees for vaccine manufacturing posts to determine likely targets.
- The bioeconomy and biomanufacturing sectors are under concerted, sophisticated attack. You are a target.
- This malware is extremely difficult to detect due to metamorphic behavior. Vigilance on key personnel corporate computers is important.
Accelerate upgrade paths for key instruments.
- Many machines in the sector use outdated operating systems. Segment them off aggressively and accelerate upgrade timelines.
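The first recommendation above, to run tests that verify segmentation between corporate, guest, and operational networks, is the one most easily turned into a repeatable check. The script below is an added example and is not code from the BIO-ISAC/BioBright advisory or from the article: it reads a simplified firewall rule export, maps each source and destination range to a network zone, and reports every cross-zone allow rule that the written segmentation policy does not cover, such as a shared-password remote login path from the corporate network into instrumentation. The zone names, subnets, policy, rule format, and the rule export itself are all constructed assumptions for illustration.

```python
"""Segmentation check: compare a firewall rule export against a zone policy.

Added example, not code from the BIO-ISAC/BioBright advisory or the article.
Zone names, subnets, the policy and the rule export are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone model (assumption): which subnets belong to which segment.
ZONES = {
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "guest": [ipaddress.ip_network("192.168.50.0/24")],
    "operational": [ipaddress.ip_network("10.200.0.0/16")],
}

# Constructed segmentation policy (assumption): for each ordered pair of zones,
# the set of (proto, port) flows that may be allowed. ("any", None) would mean
# "anything"; nothing here grants it. A cross-zone allow not listed is a finding.
POLICY = {
    ("corporate", "operational"): {("tcp", 443)},  # e.g. a historian web front end
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None means any port


def parse_rules(text: str):
    """Parse lines of the form: action proto src -> dst port   (# comments ignored)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, arrow, dst, port = line.split()
        if arrow != "->":
            raise ValueError(f"bad rule line: {raw!r}")
        rules.append(Rule(
            action=action.lower(),
            proto=proto.lower(),
            src=ipaddress.ip_network(src, strict=False),
            dst=ipaddress.ip_network(dst, strict=False),
            port=None if port.lower() == "any" else int(port),
        ))
    return rules


def zone_of(net: ipaddress.IPv4Network) -> Optional[str]:
    """Name of the zone whose subnet fully contains `net`, or None if unmapped."""
    for name, subnets in ZONES.items():
        if any(net.subnet_of(s) for s in subnets):
            return name
    return None


def is_permitted(rule: Rule, allowed) -> bool:
    """True if the policy for this zone pair covers the rule's protocol and port."""
    if ("any", None) in allowed:
        return True
    # A blanket protocol or port across zones is only acceptable under a blanket policy.
    if rule.proto == "any" or rule.port is None:
        return False
    return (rule.proto, rule.port) in allowed


def find_violations(rules):
    """Return (rule, src_zone, dst_zone) for each allow rule the policy does not cover.

    Rules touching a range that maps to no zone are reported too (zone None):
    an address range nobody can place in a zone is itself a segmentation gap.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if sz is None or dz is None:
            findings.append((r, sz, dz))
            continue
        if sz == dz:
            continue  # intra-zone traffic is out of scope for a segmentation check
        if not is_permitted(r, POLICY.get((sz, dz), set())):
            findings.append((r, sz, dz))
    return findings


# Constructed rule export (assumption) in the format parse_rules expects.
RULES_TEXT = """\
allow tcp 10.10.0.0/16    -> 10.200.7.20   443    # historian front end: permitted
allow tcp 10.10.5.0/24    -> 10.200.1.10   3389   # remote login into OT: finding
allow any 192.168.50.0/24 -> 10.10.0.0/16  any    # guest reaches corporate: finding
deny  any 192.168.50.0/24 -> 10.200.0.0/16 any    # explicit deny: fine
allow tcp 10.200.3.0/24   -> 10.200.3.50   502    # Modbus inside OT: intra-zone, ignored
"""


def summarize(text: str):
    """One human-readable line per finding."""
    return [
        f"{sz or '?'} -> {dz or '?'}: allow {r.proto} {r.src} -> {r.dst} "
        f"port {'any' if r.port is None else r.port}"
        for r, sz, dz in find_violations(parse_rules(text))
    ]


if __name__ == "__main__":
    for line in summarize(RULES_TEXT):
        print("VIOLATION", line)
```

Run against the constructed export, the script flags the RDP path from a corporate subnet into an operational host and the blanket guest-to-corporate allow, while the permitted port-443 flow, the explicit deny, and the intra-zone Modbus rule pass. The useful design point is that the policy is written once as a zone-pair matrix, so the same check can be re-run after every firewall change rather than reviewed by hand.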
Analysis continues, and updates will be released on isac.bio as further details are made available. At this time, biomanufacturing sites and their partners are encouraged to assume that they are targets and take necessary steps to review their cybersecurity and response postures.
“What people need to realize is that this is a clear and present danger. It is an active threat, and our field is not anything special,” Charles Fracchia, CEO of BioBright, told GEN. “We are subject to the same level of attack, and we have to move away from a physical security center model of biomanufacturing. For years, we have relied on GGGs, that is, guns, guards, and gates. That’s okay, for example, when the lab notebook system is physical.
“But when everything is electronic, as is the case with clinical record systems and batch records systems, that old model won’t work. When everything is digital, you really need to care a heck of a lot more about the security of that data, or you literally risk your company.”