The agricultural sector is designated as one of the country’s sixteen critical infrastructure industries, but historically has not received robust cybersecurity support from the government, according to a letter to the Department of Homeland Security from Iowa Republican Senators Chuck Grassley and Joni Ernst. The letter presses the agency to address the rise in ransomware attacks, which are particularly damaging to the agricultural industry.
A Russian cybercrime cell, BlackMatter, has attacked numerous U.S.-based organizations and has demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero. In June, the world’s largest meat processing company, JBS, was attacked by REvil, shutting down nine meat packing plants in the United States. And in recent weeks, two Iowa grain operations were targeted.
The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation and National Security Agency published on Oct. 18 a cybersecurity advisory regarding BlackMatter ransomware cyber intrusions targeting multiple U.S. critical infrastructure entities, including two U.S. food and agriculture sector organizations.
BlackMatter was first seen in July 2021. Cyber actors leveraged it with embedded, previously compromised credentials that enabled them to access the network and remotely encrypt hosts and shared drives. When the actors found backup data stores and appliances on the network, not stored offsite, they wiped or reformatted the data. BlackMatter is a ransomware-as-a-service (RaaS) tool, which means the developers are able to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it.
NEW Cooperative, an Iowa grain cooperative, was recently targeted with a cyberattack. BlackMatter took control of the Iowa co-op’s systems and demanded $5.9 million. The systems BlackMatter attacked controlled crop irrigation, livestock feed schedules and inventory distribution. NEW Cooperative controls 40% of the grain distribution in the country.
“The company’s rapid return to alternative operations averted a crash in grain prices, but the threat of continued attacks has dire consequences,” according to the senators’ letter.
In a separate cyberattack, BlackByte, another ransomware group, claims it attacked Farmers Cooperative Elevator Co., based in Arcadia, Iowa. BlackByte was threatening to release 100 gigabytes of sensitive data, including financial, sales and accounting information, if a ransom wasn't paid.
“The extent of the damage from the NEW Cooperative and Farmers Cooperative Elevator Co. attacks is not isolated to the grain market. Feed from the cooperatives’ grain supply sustains millions of livestock. These attacks will affect the supply chain that puts food on the shelves in grocery stores across the country. As Iowa farmers adopt new technologies to get their crops to market, their exposure grows to similar attacks. That exposure not only risks the livelihood of Iowa farmers, it risks food security for Americans,” the senators say.
The joint advisory from FBI, CISA and NSA highlights the evolving and persistent nature of criminal cyber actors and the need for a collective public and private approach to reduce the impact and prevalence of ransomware attacks, says Eric Goldstein, executive assistant director for cybersecurity, CISA.
“CISA, FBI and NSA are taking every step possible to try to make it harder for cyber criminals to operate. Americans can help us in this long-term endeavor by visiting Stopransomware.gov to learn how to reduce their risk of becoming a victim of ransomware,” says Goldstein.
CISA, FBI and NSA are unified in emphasizing the value and importance of organizations applying best practices to protect their networks, systems and data, such as (1) implementing and enforcing backup procedures; (2) using strong, unique passwords; (3) using multi-factor authentication; and (4) implementing network segmentation and traversal monitoring. The advisory also includes detection signatures that may be used to detect network activity associated with BlackMatter.
“The threat of ransomware goes beyond specific impacts to a victim company – it has risen to a national security issue,” says Rob Joyce, director of cybersecurity at NSA. “NSA’s technical skills and threat intelligence will continue to support our partners across government and industry to degrade adversary footholds into networks where they launch ransomware. Employing the mitigations in the joint advisory with CISA and FBI will protect networks and mitigate the risk against BlackMatter and other ransomware attacks.”
Grassley and Ernst also requested a response from DHS Secretary Alejandro Mayorkas relating to the agency’s preparation for future cybersecurity attacks and how the agricultural sector will be integrated into their plans.