A ransomware attack once again caused a serious blow to a critical segment of the United States economy last week. This time it was the food supply, as meat processing giant JBS was temporarily shut down after an attack credited to Russia-based criminal group REvil. The attack was expected to slow production of about 20% of the US beef supply, threatening price spikes during the season of peak demand. The attacks on JBS and Colonial Pipeline demonstrate that critical infrastructure is not only a vulnerable but also viable target for criminal groups; the only question is to what degree it will be exploited before there is a meaningful intervention.
JBS ransomware attack continues trend of incidents focused on widespread economic damage
Until recently, ransomware attacks focused on the ability and willingness of an individual target to pay. The attacks on JBS and Colonial Pipeline, paired loosely with attacks on schools and hospital systems that have become more common in the past two years, indicate that major ransomware gangs may be showing a willingness to shift to a model that resembles terrorist activity and broadly socializes the damage.
The Colonial Pipeline attack struck a serious blow to critical infrastructure, disrupting the gasoline supply to much of the east and southeastern coast of the US for about a week. During that time, some gas stations shut down entirely and others had lines that stretched for miles as the threat of a shortage caused general panic. While beef is not exactly “critical infrastructure,” the sudden loss of a substantial amount of production during the summer grilling and tourism season raised the possibility of added hardship for certain vulnerable communities.
JBS SA is the world’s largest meat processing company; the ransomware attack appears to have hit US division JBS USA, but some of these servers were also providing support for the company’s operations in Australia. Unlike Colonial Pipeline, JBS does not appear to have paid any ransom to the attackers. The company immediately shut down all affected servers upon detecting the ransomware attack and called in a third party remediation service, also shutting down operations at all nine of its beef plants in the US. The company appears to have been able to restore its service from backups and announced that it was back in operation within several days, though it may continue to experience intermittent interruptions for some time.
Though the incident appears to be relatively under control at this time, a shutdown of even a couple of days has a major impact on the meat industry as a whole. Some downstream plants shut down operations and sent workers home, and some shipments of cattle had to be turned around and returned to ranches. Thus far the impact appears to have been more acute in Australia than in the US, with the ripple effect of stopping and returning cattle shipments by train causing a variety of chaos in local markets. At least one plant in Canada also appears to have been impacted, with 2,500 workers in Alberta sent home for about a day and a half. The US Department of Agriculture (USDA) is communicating with other meat processors, but thus far there has been no comment regarding any further ransomware attacks.
Though the shutdown of a major meat packing business for several days may not end up causing much real damage, Amit Yoran, CEO of Tenable and founding director of US-CERT, believes that every organization should take this as a harbinger of things to come: “This is the most recent incident in a disturbing trend of cyberattacks that show just how fragile and vulnerable our supply chains and critical infrastructure are. The Colonial Pipeline attack shut down systems that supply 45% of the Eastern United States’ fuel, and the JBS hack has resulted in the shutdown of some of the largest meat processing plants in the world. These attacks have very tangible impacts that affect large swaths of the population … It cannot be emphasized enough how critical it is that we understand cyber risk, especially in critical business processes. The foundation of our global food supply chains, transportation systems and more are under attack because cybercriminals realize how disruptive and lucrative attacks targeting these systems can be … We’ve been encouraged by the government’s recent efforts to protect critical operational technology and control systems. It’s equally important that our critical infrastructure, supply chain and logistics providers exercise a standard of care to safeguard their systems and the people who rely on them.”
For attackers seeking quick payments, critical infrastructure is an appealing target
The White House initially fingered the ransomware attack as coming from a Russian group and several days later it was attributed to REvil (aka Sodinokibi), the ransomware gang also involved with the Colonial Pipeline attack. REvil provides “ransomware as a service” to criminal clients and claimed that it was not directly responsible for the Colonial Pipeline incident, blaming a client that got a little too ambitious. REvil had claimed that it was “going out of business” (read as most likely taking a break and rebranding) due to international law enforcement scrutiny in the wake of the attack on critical infrastructure. It remains unclear if the JBS attack is the work of REvil or one of its clients.
Tim Wade, Technical Director of the CTO Team at Vectra, sees the recent hits on critical infrastructure as a natural outgrowth of accessibility to ransomware attacks growing to non-technical criminal actors: ” … Tradecraft to executive sophisticated attacks is always being simplified and commoditized, broadening the base of bad actors who have the capability to act maliciously. These factors combine to create a higher volume of generally more public, disruptive attacks and for legacy networks entrenched with technical debt it will be very difficult for those attacks to be prevented. The most cost effective means of mitigating these risks will be to deploy detection and response capabilities around the risk while more structural solutions to organizational technology risks – migration from legacy platforms, major IT hygiene initiatives, etc. – are developed and executed.”
A recent analysis by cybersecurity ratings firm BitSight indicates that the food production industry is uniquely vulnerable to ransomware, with about 70% of companies falling into a “higher risk” category due to reported security practices. 40% of these companies were found to have an even higher level of risk due to failing to keep up with security patches. It is difficult to assess the actual risk of cyber attacks to critical infrastructure due to much of the relevant information being confidential, but the relative ease with which non-nation-state threat groups pulled off these recent ransomware attacks combined with similarly lower-skilled attackers accessing water utilities in the past year raises serious questions.
Neil Jones, Cybersecurity Evangelist for Egnyte, believes that private industry will need to respond with its own immediate hardening measures to keep attacks on critical infrastructure from turning into a regular event: “The recent JBS cyberattack, along with the Colonial Pipeline and Apple/Quanta cyberattacks that preceded it, demonstrate that your organization needs to make cybersecurity a Boardroom priority if you haven’t done so already. For years, cybercriminals have attacked targets for financial gain, but now we’re seeing an alarming pattern of debilitating attacks on our food, critical infrastructure, and IP supply chain, which can have a crippling impact throughout the U.S. economy. While advocating support from your executive team, you need to implement proactive data hygiene and protective behaviors, such as patching your CVEs and hardening your databases now.”