Biomanufacturing facilities facing persistent malware attack

News
abstract image Light traces. visualization of hacker attacks on information data server

Large biomanufacturing facilities, including some that may be involved in producing COVID-19 vaccines and drugs, are being targeted by a malware threat that seems to have an unprecedented level of sophistication, according to a cybersecurity group.

The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) has gone public with its findings after it launched an investigation of a ransomware attack on an unidentified facility in the spring.

The hackers used malware – now dubbed Tardigrade – as well as a highly complex loader, the software that drops the malicious content into a system.

The malware was also discovered at a second facility last month, raising concerns that is actively spreading in the biomanufacturing sector. It also demonstrates a high degree of autonomy as well as the ability to evolve as it is disseminated – which are unusual characteristics for malware.

The initial attack locked down computers across the biomanufacturing unit, but unusually the hackers did not seem particularly aggressive about claiming a ransom payment, leading the investigation team to suspect some other purpose.

BIO-ISAC thinks the motivation may be espionage and theft of intellectual property, as well as an attempt to disrupt operations – and reckons that the group behind it is well-funded and may even be state-backed.

Worryingly, the malware seems to be specifically designed and targeted to biomanufacturing facilities, it said.

The disclosure follows claims by a news agency in February that North Korea launched a cyber-attack on Pfizer in a bid to steal information about its BioNTech-partnered COVID-19 vaccine, in a report citing South Korea's National Intelligence Service (NIS)

In fact, there have been 18 publicly-revealed attacks on bioeconomy organisations in the last couple of years, including private companies, academic institutions and government agencies, according to Ed Chung, digital biosecurity lead at Bio-ISAC member company BioBright, which was involved in the response to the first attack.

This is likely a small fraction of the total number of attacks against biotechnological infrastructure, as many go unreported, he added.

"Biological production pipelines are complex and long," said Chung. "In a cyberattack such as this, when biological equipment threatens to be shut down or even altered in function, the consistency and integrity of the entire production phase…and the end product becomes threatened."

Researchers at BioBright have been analysing and reverse engineering the Tardigrade malware and loader to tease out its characteristics, but consider the threat so severe that they have decided to go public with their initial findings before that process is fully completed.

Callie Churchwell, senior digital biosecurity analyst at BioBright, said that organisations should review the segmentation of biomanufacturing networks, identify "crown jewel" equipment that needs to be protected, and test and perform offline backups for key infrastructure.

"Biomanufacturing sites and their partners are encouraged to assume that they are targets and take necessary steps to review their cybersecurity and response postures," said BIO-ISAC.

According to recent Deloitte report, the pharma industry is often the number one target of cybercriminals – either private or state-sanctioned – as drugmakers move toward increased digitisation and storing of highly valuable data online.