In a recent ransomware attack on a biomanufacturing plant, the attackers used a surprisingly sophisticated strain dubbed Tardigrade malware. According to researchers at BioBright, a biomedical and cybersecurity organization, this malware did more than just lock down computers throughout the institution. They discovered that, when the malware was cut off from its command-and-control server, it could adapt to its surroundings, hide itself, and even act autonomously.
BIO-ISAC (Bioeconomy Information Sharing and Analysis Center), a cybersecurity non-profit, made its findings regarding Tardigrade public. It claims the malware's complexity and other digital forensic indicators point to a well-funded and motivated "advanced persistent threat" group, though it does not disclose who created it. The malware is also "actively spreading" in the biomanufacturing industry, according to the researchers.
Tardigrade, according to the researchers, looks a lot like Smoke Loader, a well-known malware downloader. Despite the resemblance, the BioBright researchers say that Tardigrade is more sophisticated and offers a wider range of customization options. It also has trojan capabilities: once placed on a target network, it looks for saved passwords, installs a keylogger, begins data exfiltration, and creates a backdoor that lets the attackers choose how to proceed.
Even if it is cut off from the cybercriminals who distributed it, Tardigrade can decide how to proceed within a victim network. Tardigrade appears to be primarily crafted for phishing campaigns, but it could also spread via tainted USB sticks or even travel from one infected network to another autonomously, given the right network connections.
The background and purpose of Tardigrade are still mostly unclear. For example, it is unclear why attackers would employ such a precise and sophisticated tool to deliver something as noisy and obvious as ransomware, which makes Tardigrade more likely to be discovered. The ransomware strike might have been a cover for other activities, a method that has been employed previously, most notably by Russia, but the researchers say they have not reached any firm conclusions yet.