Digging Deeper...

Was it coincidental? Or was it clever mockery that hackers pulled off a ‘ransomware’ attack on the U.S. division of JBS, the world’s largest meat company, on Memorial Day weekend – traditionally America’s opener for the summer grilling season? That might be fun to discuss someday. But this crime perpetrated against the meat industry comes on the heels of the trauma inflicted on it last year by COVID-19. And the U.S. is fed up with the mischief.  

Dennis McLaughlin, McLaughlin Writers LLC. (Sources: Susan Landau, Tufts University’s School of Engineering and Fletcher School; Bloomberg News June 1, 2021; Forbes June 1, 2021; Cattle Buyers Weekly, June 7, 2021; Wall Street Journal, June 18, 2021; June 11, 2021; U.S. Department of Justice, June 7, 2021; CNN Business, June 1, 2021.)

Hackers Put Food and Fuel in their Crosshairs

The Memorial Day ransomware attack on JBS had an instantaneous incendiary effect on the U.S. food industry. In a matter of hours it lit up hog farms in Iowa, small-town processing plants around the heartland and New York restaurants. “The hack set off a domino effect that drove up wholesale meat prices, backed up animals in barns,” reported Bloomberg News, “and forced food distributors to hurriedly search for new supplies. And that all took place in a Memorial Day-shortened work week.”

JBS recognized the breach, which affected all of its meatpacking facilities, early Sunday morning, May 30, said an official at the United Food and Commercial Workers union that represents JBS employees. The cyberattack closed all of the company's U.S. beef plants located in states including Arizona, Texas, Nebraska, Colorado, Wisconsin, Utah, Michigan and Pennsylvania.

Quick to react, Andre Nogueira, CEO of JBS USA Holdings Inc., said the company alerted U.S. authorities and detailed three actions it took immediately: determine which operations could be run offline; restart systems using backup data; and enlist experts to handle negotiations with the attackers. By that afternoon, JBS concluded that encrypted backups of its data were intact.

JBS operations in Australia were also targeted in the same attack. But the Australian meat industry seemed to take the transgression with a bit more sanguinity than Americans. The Australian Meat Industry Council, a major trade group, said in a statement that "there is no indication whatsoever that this cyberattack will cause a major impact on Australian domestic red meat and pork products supply."

Still reeling from the Colonial Pipeline ransomware incursion, we Yanks were not so confident. The meat sector of the U.S. economy, having been shocked last spring by COVID-19 plant shutdowns, was on guard. No one was in the mood to deal with meat shortages in stores, hog herd euthanasia or milk dumping on dairy farms and livestock ranches.

The Usual Suspects

A Russian criminal group is probably responsible for a disruptive new cyberattack on the world’s largest meat processing company, the White House claimed early this month. The Russian government has consistently denied any involvement in recent hacking campaigns, telling Forbes Magazine in a December statement these attacks run counter to “the principles of the Russian foreign policy, national interests” and its understanding of interstate relations. Recently, the Russian Embassy in Washington, D.C., called allegations that Russia was behind the JBS hack “groundless.”

Even though recent cyberattacks have been blamed on Russian criminal gangs rather than government actors, some cybersecurity experts and government officials believe Russian authorities quietly tolerate private hackers. Dr. Susan Landau, a cybersecurity professor at Tufts University’s School of Engineering and Fletcher School, thinks Russian President Vladimir Putin likely allows criminal hacker gangs to operate in his country (and maybe even quietly collaborates with them sometimes) because it "fits with his foreign policy objectives, and it doesn't cost him anything.”

Cyberattacks on corporate targets can assert Russia’s power globally and create insecurity in the United States, explains Dr. Landau. Most recent hacks have been small enough to avoid drawing severe retaliation from the United States. By outsourcing this activity to criminals, the Russian government gains what she describes as “implausible deniability.”

Nothing New

While countries have conducted cyber-espionage on each other for years, Dr. Landau says, Russia’s interest in sophisticated offensive attacks dates back to 2015, when hackers linked to Russia shut down parts of Ukraine’s power grid. No matter how cyberattacks are carried out, she maintains hackers cannot launch them without implicit Chinese or Russian government permission.

Russia has been accused of leading or otherwise endorsing hacking campaigns. Russia was tied to a cyberattack on the Democratic National Committee’s email server in 2016, part of a wider apparent effort to sway the results of the 2016 presidential election. And Russian intelligence officers were accused last year of orchestrating a massive 2017 cyberattack that caused billions of dollars in damage to businesses worldwide. While countries have conducted cyber-espionage on each other for years, Dr. Landau says Russia’s interest in sophisticated offensive attacks seemed to have begun in 2015, when hackers linked to Russia managed to shut down parts of Ukraine’s power grid.

Russia didn’t appear to target election systems last year, according to a U.S. intelligence report in March. But it was accused of trying to spread unfavorable, misleading information about presidential candidate Joe Biden.

Cyberattacks have caused friction between the American and Russian governments. The Biden administration imposed sanctions on several Russian tech companies in April after the SolarWinds hack, and the Department of Justice charged Russian intelligence officers last year with a string of severe international cyberattacks.

As It Turns Out….

Despite consumer fears of catastrophic meat shortages – still fresh in their minds after COVID-19’s damage to the meat industry a year ago – a déjà vu event did not occur with this latest bold ransomware assault on JBS. "Our systems are coming back online and we are not sparing any resources to fight this threat," said JBS’ Nogueira, within hours of the hack. The company also indicated it might have its operations back to normal by that Wednesday [June 1] after the Sunday cyberattack.

JBS employees, FBI officials and cybersecurity specialists at JBS’s U.S. headquarters in Greeley, Colorado, worked tirelessly throughout the Memorial Day holiday itself to get systems back online. They prioritized efforts on JBS’s shipping platform, allowing the company to resume moving meat to customers.

The attack on JBS has spurred renewed calls for diversifying the nation’s meat processing capacity. By the end of the Memorial Day weekend, USDA had reached out to meat processors across the country, encouraging them to accommodate additional capacity and help keep the supply chain moving. USDA said it was also talking to food, agriculture and retail organizations to “underscore the importance of maintaining close communication and working together to ensure a stable, plentiful food supply."

USDA and JBS’ reaction to the situation may have been made easier by lessons the meat industry learned last spring, which prompted such serious legislation as the Strengthening Local Processing Act. It was introduced to both the House Ag and Senate Ag Committees this past February. Preceding this action, the Coronavirus Aid, Relief and Economic Security (CARES) Act, passed in March 2020, paved the way for states to access federal funds to create grant programs to aid local small meat producing and processing businesses to upgrade their facilities.

States like Kansas and Missouri made significant moves in 2020 to smooth the way for small plants to develop capacity and proficiency to take up the slack in meat processing and packing. Kansas introduced its Strengthening People and Revitalizing Kansas (SPARK) Taskforce to rebuild the Kansas economy.

Small food animal producers and processors received grants to maintain their operations and upgrade facilities. By the end of last year SPARK approved more than $130 million in relief funding for economic development.

The Missouri Meat and Poultry Processing Grant Program was created to support Missouri meat and poultry processing facilities in addressing COVID-19-related supply chain disruptions. Missouri’s General Assembly appropriated $20 million in federal funds from the CARES Act to help support these facilities. The Missouri Department of Agriculture said grants were intended to incentivize small facilities to increase livestock or poultry slaughter and processing.

U.S. Sharpening Its Knives

After JBS notified the Biden administration of the cyberattack on Sunday, May 30, the White House offered the meat processor assistance, according to the president’s deputy press secretary Karine Jean-Pierre. The offer appears to be more than a gesture, indicating the U.S. has had enough of all this cyber-mischief created by hackers. For the record: There actually have been more than 40 publicly reported ransomware attacks against food companies since May 2020, says Allan Liska, senior security architect at cybersecurity analytics firm Recorded Future based in Somerville, Massachusetts.

The Senate Homeland Security Committee has also asked the Biden administration for input as it works to draft and consider cybersecurity legislation by August. The committee is seeking a coordinated administration response from the Department of Justice, Homeland Security, and the intelligence community before then.

For his part, during the summit with Russia’s Vladimir Putin, President Biden previewed a tougher U.S. response to ransomware attacks in the future. In remarks after his meeting with Putin, he brandished some of America’s own cyber capabilities, and acknowledged alliances with Norway and Sweden, which have demonstrated proficiency in monitoring Russian communications. That the FBI has recovered a portion of the Colonial Pipeline ransom is evidence the U.S. means business.

Last week Wall Street Journal columnist Holman W. Jenkins, Jr., wrote, “The tide may be turning. Big-dollar ransomware has always been a risky racket for practitioners because it necessitates prolonged communication and negotiation with the victim. If the U.S. is making progress, it’s not because Mr. Putin is being helpful but because Mr. Biden’s threats perhaps aren’t all empty talk.”

Feds Follow the Money

While cyber-ransom warriors are getting bolder – confident their state and international underworld enablers have their backs – the FBI and the Department of Justice are getting better. On June 7, DOJ announced it had seized 63.7 bitcoins valued at approximately $2.3 million. According to DOJ officials, the funds represented about half the proceeds from Colonial Pipeline’s ransom payment to a group known as DarkSide. The seizure warrant was authorized by Laurel Beeler, U.S. Magistrate Judge for the Northern District of California.

Federal law enforcement traced DarkSide’s bitcoin transactions by reviewing transactions on bitcoin’s blockchain infrastructure, or public ledger. “During the review, law enforcement identified 63.7 bitcoins that were located in a digital wallet linked to one of the members of DarkSide,” noted Michael Volkov on June 22. Volkov is a principal at Washington, D.C.-based Volkov Law Group, a law firm specializing in corporate compliance, internal investigations and white-collar defense. He added, “It is not clear how the FBI obtained the private key to the digital wallet.” The FBI describes a ‘private key’ as equivalent to a password needed to access assets at a specific bitcoin address or file.

The FBI’s seizure was the first time that federal law enforcement recovered a ransomware payment since DOJ announced the creation of the Ransomware and Digital Extortion Task Force in April 2020, Volkov explained. The Task Force prioritizes the disruption, investigation, and prosecution of ransomware and digital extortion activity by tracking and dismantling the development and deployment of malware, identifying the cybercriminals responsible, and holding those individuals accountable for their crimes. The Task Force also strategically targets the ransomware criminal ecosystem as a whole and collaborates with domestic and foreign government agencies as well as private sector partners to combat this significant criminal threat.

In a recent session of well-deserved chest-thumping, FBI and DOJ officials touted their success.

“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”

Said DOJ Deputy Attorney General Lisa O. Monaco: “Following the money remains one of the most basic, yet powerful tools we have. Ransom payments are the fuel that propels the digital extortion engine, and [our seizure] demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.” She also pointed out that the success of this operation demonstrated the value of early notification to law enforcement. “We thank Colonial Pipeline for quickly notifying the FBI when it learned that it had been targeted by DarkSide.”