UPDATED: The latest threat to the manufacturing industry: suspicious malware
Supply chain issues and an inspection backlog have hindered manufacturing’s seemingly endless boom, following an influx of money. But a new threat looms over the industry: a strain of Windows malware.
BIO-ISAC, an international organization that addresses threats to the bioeconomy, issued the warning on its website Monday, saying that a “large biomanufacturing facility” was hit by an attack in spring 2021 and that the same malware was noticed at a second facility in October 2021. The organization expedited the threat advisory in the public interest and has issued a blunt statement to manufacturers: assume that you are a target, and review your security protocols accordingly.
The malware goes beyond ordinary polymorphic malware, which, according to PC Magazine, rewrites only part of its code to avoid detection. This strain recompiles itself entirely each time it first connects to the internet, so no two builds share a byte-for-byte signature, which further frustrates signature-based antivirus programs. Wired reported that a malware analyst at BioBright ran the sample, dubbed Tardigrade, 100 different times, and each time it built itself in a different way.
“Additionally, if it’s not able to communicate with the command and control server, it has the capability to be more autonomous and self-sufficient, which was completely unexpected,” the analyst, Callie Churchwell, told the magazine.
BioBright CEO Charles Fracchia said in a call with Endpoints News Tuesday that the organization is very concerned about the malware, and even more concerned about companies’ ability to handle an attack. In 2017, the NotPetya malware shut down Merck’s production of its HPV vaccine Gardasil, costing the pharma giant $135 million in lost sales in a single quarter and another $240 million in the following quarter. The company was forced to borrow vaccine doses from the US national stockpile. And that was a piece of malware that wasn’t even aimed at Merck, Fracchia said.
“I do not know what at the end of the day motivated these actors in groups to do this, it is difficult, and it’s always a little bit speculation,” he said. “It is a highly advanced tool that has functionality that seems really strange to have in such a tool, and it’s in an environment that we haven’t really seen before…We were a little bit surprised by the level of sophistication when we started reverse-engineering it.”
Tardigrade can still make decisions within a network even if it’s cut off from its operators, Wired said. That means it could spread through USB drives or move autonomously across network interconnections. The report from BIO-ISAC hints that the threat could be trying to steal information about medical innovations. To reduce that risk, BIO-ISAC says that manufacturers should do the following:
- Review your biomanufacturing network segmentation
- Work with biologists and automation specialists to create a “crown jewels” analysis for your company
- Test and perform offline backups of key biological infrastructure
- Inquire about lead times for key bio-infrastructure components
- Assume you are a target
BIO-ISAC assesses the malware to be a variant of Smoke Loader, a well-known Windows loader that is also tracked under the name Dofoil. Its outbound connections have been traced to a seemingly random assortment of hosts at Amazon Web Services, GoDaddy and Akamai.
“Recompiling occurs after a network connection in the wild that could be a call to a command and control (CnC) server to download and execute the compiler,” the report says. “Allows the system to change portions/all the functions based on CnC like a normal loader system but with a level of autonomy that is unexpected.”
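Why recompile-on-connect is such a problem for signature-based defenses, and what a defender can key on instead, is easier to see with a simulation. The following is an added illustration, not Tardigrade’s code or anything from the BIO-ISAC report: a toy stack machine whose “payload” is re-emitted as a different byte stream on every build (junk NOPs, constant splitting, instruction substitution) while preserving the same behaviour. A SHA-256 of the raw bytes, the kind of thing a file-hash signature keys on, changes with every build; a hash of the normalized program, or the observed behaviour, does not. The instruction set, the transformations and the normalizer are all constructed here for the example.

```python
import hashlib
import random

# Toy instruction set, constructed for this illustration only.
OPCODES = {"PUSH": 0x01, "ADD": 0x02, "SUB": 0x03, "NEG": 0x04, "NOP": 0x90}

# The fixed behaviour every build must preserve: compute 7 + 5 - 3.
CANONICAL = [("PUSH", 7), ("PUSH", 5), ("ADD",), ("PUSH", 3), ("SUB",)]


def build_variant(seed):
    """Emit one 'build': identical semantics, different instruction stream."""
    rng = random.Random(seed)
    out = []
    for ins in CANONICAL:
        # Junk insertion: a random NOP sled before each real instruction.
        out.extend([("NOP",)] * rng.randint(0, 3))
        if ins[0] == "PUSH" and rng.random() < 0.5:
            # Constant splitting: PUSH n  ->  PUSH n+k; PUSH k; SUB
            k = rng.randint(1, 5)
            out += [("PUSH", ins[1] + k), ("PUSH", k), ("SUB",)]
        elif ins[0] == "SUB" and rng.random() < 0.5:
            # Instruction substitution: a - b  ->  a + (-b)
            out += [("NEG",), ("ADD",)]
        else:
            out.append(ins)
    return out


def encode(program):
    """Serialise to bytes: one opcode byte, plus one operand byte for PUSH."""
    code = bytearray()
    for ins in program:
        code.append(OPCODES[ins[0]])
        if ins[0] == "PUSH":
            code.append(ins[1])
    return bytes(code)


def execute(program):
    """Run the program in a tiny emulator; return the value left on the stack."""
    stack = []
    for ins in program:
        op = ins[0]
        if op == "PUSH":
            stack.append(ins[1])
        elif op == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif op == "SUB":
            b, a = stack.pop(), stack.pop()
            stack.append(a - b)
        elif op == "NEG":
            stack.append(-stack.pop())
        # NOP: no effect
    return stack[-1]


def static_signature(program):
    """What a file-hash signature keys on: the exact bytes of this build."""
    return hashlib.sha256(encode(program)).hexdigest()


def normalize(program):
    """Undo the build-time transformations so equivalent builds collapse to one form."""
    prog = [ins for ins in program if ins[0] != "NOP"]
    changed = True
    while changed:
        changed = False
        for i in range(len(prog) - 1):
            if prog[i] == ("NEG",) and prog[i + 1] == ("ADD",):
                prog[i:i + 2] = [("SUB",)]
                changed = True
                break
        for i in range(len(prog) - 2):
            a, b, c = prog[i], prog[i + 1], prog[i + 2]
            if a[0] == "PUSH" and b[0] == "PUSH" and c == ("SUB",):
                prog[i:i + 3] = [("PUSH", a[1] - b[1])]
                changed = True
                break
    return prog


def semantic_signature(program):
    """Hash of the normalised form: stable across builds of the same payload."""
    return hashlib.sha256(encode(normalize(program))).hexdigest()


def compare_builds(n=100):
    """Build n variants; count distinct static hashes, distinct semantic hashes,
    and the set of observed results."""
    builds = [build_variant(seed) for seed in range(n)]
    static = {static_signature(b) for b in builds}
    semantic = {semantic_signature(b) for b in builds}
    results = {execute(b) for b in builds}
    return len(static), len(semantic), results


if __name__ == "__main__":
    n_static, n_semantic, results = compare_builds()
    print(f"distinct file hashes: {n_static}, distinct normalised hashes: {n_semantic}, "
          f"observed results: {results}")
```

The takeaway mirrors the advisory’s recommendations: when every connection yields a fresh build, indicators based on file hashes or exact byte patterns go stale immediately, and defenders have to lean on what the sample does (the outbound call that precedes the rebuild, the rewrite of its own binary, lateral movement over USB or network shares) and on network segmentation that limits where that behaviour can reach.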
Cybersecurity threats have been omnipresent as the world has shifted to be even more dependent on the internet. The EMA, WHO and US Department of Health and Human Services have all come under cyber attack, along with hospital systems.
While actors in China and Russia have consistently worked to steal intellectual property about drugs and manufacturing processes during the pandemic, not every instance is disclosed publicly, Charles Carmakal, the CTO of the cybersecurity firm Mandiant, told Wired. Companies whose IP is stolen are under no legal obligation to disclose it.