A recent Pharma Manufacturing article on cybersecurity for pharma manufacturers discussed why the information held by the manufacturers was of great interest to cybercriminals and expanded upon the areas at risk. Whether they are seeking trade secrets, manufacturing plans, other data stored in digital files, or looking to disrupt a company’s operations, it is a serious threat.
And the threat is real. In the past week,an alert has been sent out to notify the industry of a specific threat. The industry’s Information Sharing and Analysis Center (ISAC) acknowledged that companies have been targeted with extremely sophisticated malware, that one cybersecurity firm named “Tardigrade.”
Tardigrade can be characterized as an “Advanced Persistent Threat” (APT). To understand an ATP, you need to consider that in prior years, the general attitude of hackers was that they had to get into your network, steal your information, and get out quickly, sometimes trying to cover their tracks. An APT attack is very different. With an ATP, the objective is to get into your network either by exploiting a security weakness or social engineering tactic. But once in your network, the objective is to stay in place for a long period – months or years – without being detected, and use that foothold to steal data or disrupt operations over an extended period, as well as providing a “back door” to enable the threat actors to re-enter the system, often even after the company thinks they’ve defeated the threat. While the first documented “Tardigrade” attack on the pharma manufacturing industry was identified in the Spring of 2021, a second successful attack on another company in the industry was detected in October 2021.
Analysis of this threat malware indicates that while the perpetrators are unknown, Tardigrade is very sophisticated. Reportedly, it can analyze and adapt to the environment in which it finds itself and act even if cut off from its outside control point.
While analysis is still underway, it could well be that when Tardigrade is used to launch ransomware, it may well be to provide a cover for other actions (like stealing trade secrets and other data stored on the network). The focus of the cybersecurity community is to understand how Tardigrade (and other forms of malware) and how to prevent or defeat them. Trying to attribute an attack to a particular person, group or even nation can be difficult or impossible.
The point is that the risk to pharmaceutical manufacturers can no longer be thought of as a conceptual risk – it is very real, very specific and very current.
What should be done? First, if your networks are not being monitored, consider doing so. Monitoring services are continuously updating their intelligence to improve their detection capabilities by identifying what are called Indicators of Compromise (IoCs). Using sensor software placed on network devices, endpoints, and even on IoT assets, monitoring organizations can provide oversight by highly trained and experienced personnel – something that most companies can’t do internally. The external monitoring providers can look across hundreds of thousands of endpoints to provide a depth of experience that most organizations cannot match. Add to that the fact that they can run security operations centers staffed with highly qualified and experienced specialists who are in very short supply.
Can you decide to ignore this threat – that it’s the other organizations that are being hit? Sure, but is it a reasonable way to proceed? Remember that to every other organization, you are “the other organization.” If it turns out that you have been hit by Tardigrade – or another APT attack – how can you explain to your stakeholders that you ignored this threat? That the intellectual property that is the key to your company’s value was stolen and is now being used by foreign manufacturers to undercut your business? In our experience, stakeholders expect that management is assuring that there is a commercially reasonable and updated cybersecurity program in place – and monitoring is increasingly recognized as a key aspect of such a program in both the public and private sectors.
Don’t be the next victim of Tardigrade, or other forms of malware. Don’t be in the position of one of my clients who got a visit from federal law enforcement agents who told them that their systems had been infiltrated with data-stealing malware for at least 5 years – and they had never noticed it.
At the very least, take this warning as an opportunity to assess your cybersecurity posture. Do you have a current threat assessment? When was the last time you evaluated your cybersecurity readiness? When was your last cybersecurity tabletop exercise to judge your readiness to respond to an incident? Can you honestly say you’ve taken the actions necessary to assure that your cybersecurity is at a commercially reasonable level, and that compliance activities are to let you know if your controls aren’t working as intended?
Don’t be the next victim that everyone looks at and says, “glad it wasn’t me!”