Large biomanufacturing facilities, including some that may be involved in producing COVID-19 vaccines and drugs, are being targeted by a malware threat that seems to have an unprecedented level of sophistication, according to a cyber security group.
The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) has released findings from its investigation of a ransomware attack on an unidentified facility.
The attackers used malware, now dubbed Tardigrade, together with a highly complex loader, the component that delivers the malicious payload onto a system and executes it.
The malware was also discovered at a second facility last month, raising concerns that it is actively spreading in the biomanufacturing sector. It also shows a high degree of autonomy, operating without instructions from its operators, and the ability to change as it spreads, both of which are unusual characteristics for malware.
The initial attack locked down computers across the biomanufacturing unit but, unusually, the attackers did not seem particularly aggressive about collecting a ransom payment, leading the investigation team to suspect some other purpose.
BIO-ISAC thinks the motivation may be espionage and theft of intellectual property, as well as an attempt to disrupt operations, and assesses that the group behind it is well-funded and may even be state-backed.
The malware seems to be specifically designed for, and targeted at, biomanufacturing facilities, BIO-ISAC said.
The disclosure follows a news agency report in February, citing South Korea's National Intelligence Service (NIS), which claimed that North Korea launched a cyber attack on Pfizer in a bid to steal information about the COVID-19 vaccine it developed with BioNTech.
There have been 18 publicly revealed attacks on bioeconomy organisations in the last couple of years, including private companies, academic institutions and government agencies, according to Ed Chung, digital biosecurity lead at BIO-ISAC member company BioBright, which was involved in the response to the first attack.
Chung added that this is likely a small fraction of the total number of attacks against biotechnological infrastructure, as many go unreported.
“Biological production pipelines are complex and long.”
“In a cyber attack such as this, when biological equipment threatens to be shut down or even altered in function, the consistency and integrity of the entire production phase … and the end product becomes threatened,” Chung said.
Researchers at BioBright have been analysing and reverse engineering the Tardigrade malware and its loader to tease out their characteristics, but considered the threat so severe that they decided to go public with their initial findings before that process was complete.
According to Callie Churchwell, senior digital biosecurity analyst at BioBright, organisations should review the segmentation of biomanufacturing networks, identify the "crown jewel" equipment that most needs protecting, and perform and test offline backups of key infrastructure.
BIO-ISAC added that biomanufacturing sites and their partners should assume that they are targets and take the necessary steps to review their cyber security and incident response postures.
A recent Deloitte report also found that the pharma industry is often the number one target of cyber criminals, whether private or state-sanctioned, as drugmakers move towards greater digitisation and store highly valuable data online.