A man is silhouetted as he walks by the JBS facility on June 4, 2022, in Greeley, Colorado. (Joshua Polson/Midwest Center for Investigative Reporting)
This story was originally published by Investigate Midwest.
A May 30, 2021, ransomware attack on JBS, one of the world’s largest meat companies, disrupted the company’s operations internationally and ended when the company paid an $11 million ransom to Russian hacker group REvil.
While food production companies are potentially lucrative targets for cyberattacks, JBS was poorly protected against them compared to similar companies, according to cybersecurity experts.
The food and agriculture industry is designated as a Critical Infrastructure Sector by the U.S. Department of Homeland Security, meaning its “incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.”
The whole industry is vulnerable to attacks like the one on JBS — and they happen quietly and often, according to John Hoffman, senior research fellow at the Food Protection and Defense Institute at the University of Minnesota.
In the aftermath of the JBS ransomware attack, a representative of cybersecurity risk management firm BitSight told national security officials that JBS had “many many issues” with its computer system.
“Overall rating was poor and outside the typical range for Food Production companies,” wrote BitSight Vice President Jake Olcott in a June 2, 2021, email to Jeffrey Greene, who served as the National Security Council chief of cyber response and policy at the time.
The emails obtained by Investigate Midwest via a public records request shed light on the federal government’s and private industry’s response to the JBS attack.
“We’ve observed a massive number of malware infections on JBS over the last year (including Conficker),” Olcott wrote in the email. “JBS has been extremely slow to remediate these issues.”
Conficker is a persistent malware that infects Windows operating systems.
Greene forwarded Olcott’s report to Eric Goldstein, executive assistant director for cybersecurity for the Cybersecurity and Infrastructure Security Agency, or CISA, a division of the DHS.
DHS, CISA and JBS did not respond to multiple requests for comment over the course of several weeks.
Food companies especially vulnerable to attacks
In 2021, months after the JBS ransomware incident, the FBI issued a notice to food and agriculture companies warning of increased cyberattacks on the sector.
“Cyber criminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems,” the FBI warning states.
Industrial control systems — the internet-connected devices like sensors and switches inside a plant — have many vulnerabilities, according to a 2019 report by the Food Protection and Defense Institute.
Any of the devices connected to a company’s network, ranging from temperature sensors to security cameras, represent a potential entry point into the network, Hoffman said.
Those devices often aren’t as up-to-date as other computers within the company, he said.
Many industrial control systems in the food industry were designed before cybersecurity was a major concern, according to the 2019 FPDI report.
“Those devices in their operational technology are still running on computers or operating those old operating systems,” Hoffman said. “That creates vulnerability.”
Experts shed light on details of cyberattack
The more devices a company uses, the larger the “attack surface” for potential security compromises.
Ryan Sherstobitoff, senior vice president for threat research and intelligence at SecurityScorecard, a cybersecurity ratings company, said the attack surface can be compared to a house. Companies like SecurityScorecard observe the house from the sidewalk, noting any potential security issues, like open windows or broken locks, as well as safety precautions, like security cameras.
Using information gathered from their observations, cybersecurity firms compile reports on the cybersecurity risk of various companies.
Analyzing JBS’s attack surface is how BitSight became aware of the poor security rating at JBS, Olcott, its vice president, told Investigate Midwest.
“We are continuously and non-intrusively collecting security performance information around the globe,” Olcott said. “We also create views of organizations’ presence on the internet.”
BitSight and other cybersecurity companies like SecurityScorecard sell this information, as well as risk management services, to companies who want to improve their security.
SecurityScorecard contacted CISA in the days after the JBS ransomware attack to provide a pre-publication report detailing how the attack occurred. SecurityScorecard found that the JBS attack began months before the ransomware activated.
Cybersecurity companies frequently share information with law enforcement and government agencies, Sherstobitoff said.
“Private sector companies have a unique vantage point into the threat landscape,” Sherstobitoff said. “We often share not only with the FBI but also CISA a pre-read report of the indicators so that they can enrich their own systems and help respond to those that might be victimized by the same group in the same industry.”
SecurityScorecard’s June 4, 2021, report was redacted in the emails provided to Investigate Midwest, but a public blog post by Sherstobitoff describes how the attack progressed.
SecurityScorecard found that in February 2021, a security breach occurred, resulting in the leaking of several JBS employee credentials to the dark web, internet networks that are accessible only with specialized software and allow users to stay anonymous.
Hackers often breach large websites and social media platforms to take login information, Sherstobitoff said. The JBS employee credentials likely leaked because employees used their work credentials as their login information for another site.
Then, in March 2021, hackers broke into JBS’s computer systems and began exfiltrating data.
When attackers exfiltrate data, they can threaten to publish it online as leverage to demand a higher ransom.
“What is remarkable about this attack is how unremarkable it was in both execution and occurrence; it illustrates just how common ransomware attacks have become,” Sherstobitoff wrote in the blog post.
Info on cyberattacks in the food industry hard to come by
It’s hard for researchers and government agencies to quantify how frequently ransomware attacks occur because companies don’t like to share attacks publicly, Hoffman said. A public attack could have a negative impact on consumer acceptance of products or a company’s market price.
“If you’re a company, you’re not going to want to acknowledge it,” Hoffman said. “But the fact is, we’re having attacks across the food sector every day and they’re not being reported.”
The 2021 FBI private industry notification said the average ransom demand doubled from 2019 to 2020. In 2020, the highest ransom payout observed by the FBI was $23 million.
The increase in attacks and demands also has raised the cost of cybersecurity insurance, Hoffman said. A 2021 Government Accountability Office report found that more companies are purchasing cyber insurance, and that a majority of insurance brokers reported 10%-30% increases in premiums in the last quarter of 2020.
Reporting cybersecurity incidents to the government is currently voluntary, but it could be required for critical industries like food production, energy and emergency services under a law passed last year.
In March 2022, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law. The act directs CISA to begin a rulemaking process to gather information on cyberattacks in critical industries, including food and agriculture. The rule should be finalized by the end of 2025, according to the statute.
The act also requires that the agency publish quarterly reports with aggregate, anonymized data on the cyber incident reports.
Government response to JBS attack was inefficient
The Department of Homeland Security’s National Operations Center is the “primary, national-level hub for situational awareness” when it comes to national security and information sharing.
But leaders at the National Operations Center learned about the cyberattack on JBS when they got a call from the White House Situation Room (WHSR), according to emails obtained by Investigate Midwest.
“We had notification from CISA Central at 1529 ET, but we did not discuss it with the WHSR until 1950 ET,” on the day of the attack, wrote Dan DeBree, then-acting operations officer at the DHS office of operations coordination on June 2, 2021. “Additionally, that was because the WHSR called us, not the other way around.”
In 2022, Congress established a Joint Ransomware Task Force in the wake of high-profile cyber attacks like those on JBS and the Colonial Pipeline. The task force is a collaboration between the FBI and DHS meant to reduce the prevalence and impact of ransomware attacks.
CISA also established the Joint Cyber Defense Collaborative last year, a public-private collaboration intended to share information about cyber threats. Participants include the federal agencies involved in cyber issues like the National Security Agency and FBI; international cyber defense organizations; and information sharing and analysis centers, which facilitate information sharing about potential cyber threats and best security practices among companies.
The main barrier to cybersecurity improvement in the food industry is cost, Hoffman said.
“If you’re a board member, and you’re presented with a big six or seven digit number to make a change in the security posture of your IT and OT systems, there better be a (return on investment) that you can relate to if you’re going to approve it,” Hoffman said.
Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.