The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

A foreign government could be trying to hack U.S. biomedical companies

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! Plenty of movies use Thanksgiving as a backdrop, but there's oddly only one great film where Thanksgiving is the animating force behind all of the action: “Planes, Trains and Automobiles.”

Below: Moody's is downgrading NSO's credit rating, and a GoDaddy breach affected up to 1.2 million customers. 

Meet Tardigrade: the mysterious new bug targeting the biomedical industry

A mysterious and highly sophisticated hacking tool has been found attacking biomanufacturing companies. 

It’s raising alarms about cyber vulnerabilities in the sector that includes producers of coronavirus vaccines and treatments.

It’s not clear what the computer bug was meant to do. But it’s complex and powerful enough that it was almost certainly developed by government-backed hackers, according to a report from the sector’s cyber threat sharing group known as BIO-ISAC. 

At the very least, that suggests the bug was designed to steal information about medical innovations that could benefit the hackers’ government. The United States has already accused China of hiring criminal gangs to steal research and development from firms working on coronavirus treatments. 

High caliber bullet

There are also more troubling possibilities. The tool might have been built to disrupt or destroy software in ways that could halt the manufacturing of vital drugs or change their composition, Charles Fracchia, chairman of the BIO-ISAC and founder of BioBright, the company that discovered the bug, told me in an interview. 

He compared the bug to finding a high caliber gun inside a biomanufacturing plant but not knowing who plans to use it or for what. 

“You don’t develop such a tool to shoot a BB,” he said. “There’s a high caliber bullet out there.”

Fracchia declined to say if the bug, which researchers named Tardigrade, had hit any companies that work directly on coronavirus treatments

The BIO-ISAC is urging all companies in the sector to scan their computer networks for the bug. That’s a huge range of organizations from drug and vaccine makers to creators of biological components that end up in industrial coatings and detergents.

Here’s a deep dive on Tardigrade’s capabilities from Wired’s Lily Hay Newman, who was first to report on it. 


The find is highlighting the often-insufficient cyber protections in a field that’s become a prime hacking target during the pandemic. 

Biomanufacturing companies have a long history of guarding against physical attacks but have spent less time developing cyber protections. Those protections are also relatively complex to install and require specialized knowledge because a lot of the sector’s work is done with custom-built machines and software rather than broadly available commercial tools.

“The level of security is inadequate. We’re fighting a forest fire with water balloons,” Fracchia told me. BioBright sells a system for biomanufacturing companies to encrypt their data, which gives the company insights into cybersecurity throughout the sector. 

The BIO-ISAC formally launched less than a year ago and developed mostly during the pandemic. Its creation was sparked by a 2020 report from the National Academies of Science, Engineering and Medicine, which warned that what it dubbed the “bioeconomy” was highly vulnerable to cyberattacks and its members weren’t doing enough to share information about hacking threats. 

ISACs, which stands for information sharing and analysis center, have developed around sectors that are major hacking targets, such as financial services and information technology. They focus mainly on sharing cyber threat information between members and distributing hacking information that’s shared by the government. 

Many companies that would be included in the bioeconomy are members of other ISACs such as the Health ISAC. 

Critical infrastructure?

Fracchia and other BIO-ISAC members want to surge the sector’s cyber protections. 

They’ve been lobbying for the Department of Homeland Security to label biomanufacturing a critical infrastructure sector. That designation would make it easier to funnel cyber protections and other government resources into the sector. 

“The reality is the status quo is untenable,” he said. 

The outlook isn’t bright on that count. DHS officials have been wary of adding critical infrastructure sectors. One big problem is that the critical infrastructure system dates back to soon after the Sept. 11, 2001, terrorist attacks and has proven unwieldy in dealing with contemporary cyberattacks that often cross industry borders. 

The Biden administration has been working on a more nuanced system that identifies particular functions and systems as critical rather than whole industry sectors.

The keys

Moody’s downgraded the Israeli spyware firm NSO Group’s credit rating

The credit rating agency cited recent restrictions on the company like a U.S. blacklisting, saying the moves would make NSO less profitable and make it more difficult for the company to pay its debts.

The details: NSO's increasingly damaged reputation could make it difficult to win new clients and further hurt revenue, the credit ratings agency said. The rating is more bad news for NSO, which faces a growing risk of defaulting on $500 million in debt, Bloomberg’s Davide Scigliuzzo writes. The company did not respond to a request for comment from Bloomberg.

“The company has a relatively low share of recurring revenues and is, unlike many other software companies, highly dependent on new license sales which we believe can become increasingly difficult given the actions taken against NSO,” Moody’s said.

The downgrade is the latest challenge for NSO, which has faced accusations that its spyware targeted journalists and human rights activists. Israeli telecom executive Isaac Benbenisti, who was set to become NSO’s chief executive, stepped down from the post this month — before he even started — “in light of the special circumstances that have arisen” out of the U.S. government’s blacklisting of the company, Reuters reported.

GoDaddy breach hits as many as 1.2 million customers

Up to 1.2 million email addresses were exposed in the hack, the company said. That leaves some current and former GoDaddy customers at risk of phishing attacks, where hackers may pretend to be GoDaddy to steal sensitive information. Some passwords were also exposed in the hack.

The hackers used a “compromised password” to breach GoDaddy’s managed WordPress service, according to the company. GoDaddy discovered the breach last week, the company said.

North Korean hackers targeted Chinese cybersecurity researchers

They’re apparently trying to steal hacking tools and techniques from the researchers, the Daily Beast’s Shannon Vavra reports

“It’s unclear from the CrowdStrike research if the North Koreans were able to claim any victims, but even a mere attempt at hacking security researchers in neighboring China shows these hacking teams are shameless about their thievery hacking missions, and aren’t going to be deterred easily,” Shannon writes.

The hackers probably sent malicious attachments to the researchers by email, the cybersecurity firm CrowdStrike told Shannon. 

 The hacking campaign follows a series of North Korean hacks designed to steal the technological know-how of cybersecurity researchers in other nations. North Korea used fake Twitter accounts, phony research blogs and other trickery to gain researchers trust and to try to get them to download malicious files, Google said in January.

Cyber insecurity

Sensitive data on more than 1 million scholarship applicants was exposed online.

The sensitive data exposed by the scholarship software firm SmarterSelect included highly personal information such as school grades and essays detailing intimate personal experiences, TechCrunch’s Carly Page writes. It also included more standard information such as Social Security numbers. 

It took the company a while to shut down access to the personal information. The cybersecurity firm UpGuard notified SmarterSelect that the information was publicly accessible on Sept. 15, then warned the company again on Sept. 27 when it hadn't heard. “The company acknowledged the warning on September 30, before revoking public access to the [files] on October 5," Carly writes.

"It’s not known whether any malicious actors accessed the data while it was exposed,” she writes. SmarterSelect did not respond to a request for comment from TechCrunch.

Fraudsters hijack newspaper’s Twitter account to push PS5 scam (Motherboard)

Global cyberspace

China may be gathering encrypted data now to decrypt later

Chinese intelligence services may already have begun vacuuming up troves of sensitive U.S. data that’s encrypted now but could be decrypted in the future by super powerful quantum computers, Nextgov’s Brandi Vincent writes, citing a report from Booz Allen Hamilton. 

The United States is in a race with China and other nations to develop such quantum computers, which could revolutionize dozens of industry fields as well as national security. Researchers expect quantum computing to become effective within the next decade or two.

Current forms of encryption translate messages into strings of characters that are so complex that they’re effectively indecipherable by contemporary computers. Quantum computers, however, will have enough horsepower to break those codes and make sense of the messages. Researchers are at work now on developing forms of encryption strong enough to withstand quantum computers.

Hikvision CSO declares "devices with backdoors can’t be used to spy" (IPVM)

Secure log off

“Those aren't pillows!” Thanks for reading. See you tomorrow.