US JBS ransomware hack likely from Russia as meatpacker prepares to resume operations
- The White House said JBS linked its recent ransomware attack to Russia and the US has been engaging with the Russian government on the matter
- JBS said its food plants would be operational again on Wednesday as rising food prices and supply chain security remain an ongoing concern
Brazil’s JBS SA told the US government that a ransomware attack on the company that disrupted meat production in North America and Australia originated from a criminal organisation likely based in Russia, the White House said on Tuesday.
JBS, the world’s largest meatpacker, said on Tuesday night it had made “significant progress in resolving the cyberattack”. The “vast majority” of the company’s beef, pork, poultry and prepared foods plants will be operational on Wednesday, according to a statement, easing concerns over rising food prices.
The cybergang goes by the name REvil or Sodinokibi, according to four people familiar with the assault who were not authorised to speak publicly on the matter.
While it’s unclear if all of REvil’s hackers operate in Russia, the group’s public face, a user on the dark web cybercrime forum XSS who goes by the name “Unknown,” exclusively publishes in Russian. REvil typically uses a dark web blog dubbed, “Happy Blog” to name and shame victims when they decline to engage in ransom negotiations. REvil has yet to post a blog item dedicated to JBS.
Major US fuel pipeline forced to shut down after cyberattack
The JBS attack comes just three weeks after Colonial Pipeline, operator of the biggest US gasoline pipeline, was targeted in a ransomware attack that was attributed to a group called DarkSide. Experts have said there is some evidence linking the group to Russia. That followed a series of devastating hacks against American government agencies, businesses and health facilities, also often blamed on Russia or Russia-based hackers at a fraught time in relations between the countries.
Earlier this year, REvil took credit for hacking the Taiwanese hardware supplier Quanta Computer and in the process published secret blueprints for new Apple devices. Last year, REvil executed a ransomware attack against a law firm they claimed once represented some of Donald Trump’s television enterprises.
In 2019, the group also attacked a group of Louisiana election clerks a week before Election Day.
JBS SA, the owner of JBS USA and Pilgrim’s Pride, said in an emailed statement that some of the company’s pork, poultry and prepared foods plants were operational and its beef facility in Canada had resumed production.
JBS halted cattle slaughter at all its US plants on Tuesday, according to union officials. On Monday, the attack caused Australian operations to shut down.
“Our systems are coming back online and we are not sparing any resources to fight this threat,” said Andre Nogueira, chief executive of JBS USA.
With North American operations headquartered in Greeley, Colorado, JBS controls about 20 per cent of the slaughtering capacity for US cattle and hogs.
White House spokeswoman Karine Jean-Pierre said the United States contacted Russia’s government and that the FBI was investigating.
“The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbour ransomware criminals,” Jean-Pierre said.
JBS sells beef and pork under the Swift brand, with retailers like Costco Wholesale carrying its pork loins and tenderloins. JBS also owns most of chicken processor Pilgrim’s Pride, which sells organic chicken under the Just Bare brand.
Ongoing shutdowns of JBS plants would threaten to raise meat prices further for American consumers during summer grilling season and to disrupt meat exports at a time of strong demand from China.
“The supply chains, logistics and transportation that keep our society moving are especially vulnerable to ransomware, where attacks on choke points can have outsized effects and encourage hasty payments,” said threat researcher John Hultquist with security company FireEye.
05:22
Huawei founder on cybersecurity and maintaining key component supply chains under US sanctions
Ransomware is a type of malware that locks victims out of their computer networks. Cybercriminals often use ransomware to steal data, too. The hackers then ask for a payment to unlock the files and promise not to leak stolen data.
The disruption quickly had an impact on Tuesday, industry analysts said. US meatpackers slaughtered 22 per cent fewer cattle than a week earlier and 18 per cent than a year earlier, according to estimates from the US Department of Agriculture. Pork processing was also down.
Prices for choice and select cuts of US beef shipped to wholesale buyers in large boxes each jumped more than 1 per cent, the USDA said.
The USDA contacted several major meat processors to encourage them to keep supplies moving and slaughter additional livestock when possible, according to a statement. The agency also urged meatpackers to make their IT and supply-chain infrastructure more durable.
The Chinese scientist defending AI systems from hacks
“Attacks like this one highlight the vulnerabilities in our nation’s food supply chain security, and they underscore the importance of diversifying the nation’s meat processing capacity,” said US Senator John Thune of South Dakota, the Senate’s second-most powerful Republican.
There have been more than 40 publicly reported ransomware attacks against food companies since May 2020, said Allan Liska, senior security architect at cybersecurity analytics firm Recorded Future.
Federal agencies including the USDA and Department of Homeland Security are closely monitoring meat and poultry supplies, a White House official said. The agencies are also working with agricultural processors to ensure no price manipulation occurs as a result of the cyberattack, the official said.
Affected Systems Suspended
JBS said it suspended all affected systems, notified authorities and that backup servers were not affected. A representative in Sao Paulo said there was no impact on Brazilian operations.
The company said Sunday’s cyberattack affected its North American and Australian IT systems and “resolution of the incident will take time, which may delay certain transactions with customers and suppliers”.
US beef and pork prices are already rising as China increases imports, animal feed costs rise and slaughterhouses face a dearth of workers. Any further impact on consumers will depend on how long JBS plants remain closed, analysts said.
JBS Beef in Cactus, Texas, said on Facebook that there would be no production for fabrication, slaughtering or rendering on one shift on Wednesday. Another shift will have regular start times for employees.
An early shift was also cancelled on Wednesday at JBS’ beef plant in Greeley after the cyberattack, but a later shift was scheduled to resume normally, representatives of the United Food and Commercial Workers International Union Local 7 said in an email.
A pork plant in Ottumwa, Iowa, will have no “harvest production” on its first or second shifts on Wednesday, according to a Facebook post that said the company was “continuing to work through our IT issues”. Some other aspects of the plant are operating, according to the post.
JBS Canada said in a Facebook post that it operated a shift at its beef plant in Brooks, Alberta, on Tuesday, after cancelling shifts earlier in the day and on Monday.
The United States Cattlemen’s Association, a beef industry group, said on Twitter that it had reports of JBS redirecting livestock haulers who arrived at plants with animals ready for slaughter.
Last year, cattle and hogs backed up on US farms and some animals were euthanised when meat plants were shut during coronavirus outbreaks among workers.
Over the past few years, ransomware has evolved into a pressing national security issue. A number of gangs, many of them Russian speakers, develop the software that encrypts files and then demand payment in cryptocurrency for keys that allow the owners to decipher and use them again.
