We continue with our research and analysis of the food and agriculture (FA) sector and the cyber threat vector as agriculture and food systems and cyber risk have become a central driving force and critical uncertainty – which we recommend all companies and organizations integrate into their foresight strategy, scenario planning, and strategic planning.

April 20th:  FBI Cyber Division Private Industry Notification

In an FBI Private Industry Notification dated April 20th entitled “Ransomware Attacks on Agricultural Cooperatives Potentially Timed to Critical Seasons,”  the agency lays out some of its findings and insights for the food and agriculture (FA) sector:

• The FBI noted ransomware attacks during these [critical] seasons against six grain cooperatives during the fall 2021 harvest and two attacks in early 2022 that could impact the planting season by disrupting the supply of seeds and fertilizer.
• Cyber-actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.
• Initial intrusion vectors included known but unpatched common vulnerabilities and exploits, as well as secondary infections from the exploitation of shared network resources or compromise of managed services.
• Production was impacted for some of the targeted entities, resulting in slower processing due to manual operations, while other targeted entities lost access to administrative functions such as websites and email but did not have production impacted.  (6)

Infosecurity Magazine provided further coverage of the notification:

• US food supply chains are at risk of potentially devastating ransomware attacks…agricultural cooperatives may be viewed as attractive targets during the planting and harvesting seasons.
• Attacks could cause financial loss and operational disruption and impact the food supply chain, given that grain is also used for animal feed. Compromises at dairy or meat processing facilities can lead to delays which result in spoiled products, the [notification] explained.
• The notice listed multiple examples of unnamed agricultural sector firms that have been compromised by ransomware since last year. These include a supply chain attack in which a software company was attacked in July 2021, impacting downstream agricultural clients.
• There is an added urgency for US critical infrastructure organizations to improve their resilience against such threats, given multiple warnings that pro-Russian groups may be about to unleash a salvo of attacks.  (5)

The Recent FA Industry Sector Threat Timeline (per the FBI)

Since 2021, multiple agricultural cooperatives have been impacted by a variety of ransomware variants. Initial intrusion vectors included known but unpatched common vulnerabilities and exploits, as well as secondary infections from the exploitation of shared network resources or compromise of managed services. Production was impacted for some of the targeted entities, resulting in slower processing due to manual operations, while other targeted entities lost access to administrative functions such as websites and email but did not have production impacted.

A significant disruption of grain production could impact the entire food chain, since grain is not only consumed by humans but also used for animal feed. In addition, a significant disruption of grain and corn production could impact commodities trading and stocks. An attack that disrupts processing at a protein or dairy facility can quickly result in spoiled products and have cascading effects down to the farm level as animals cannot be processed.

• In March 2022, a multi-state grain company suffered a Lockbit 2.0 ransomware attack.  In addition to grain processing, the company provides seed, fertilizer, and logistics
  services, which are critical during the spring planting season.
• In February 2022, a company providing feed milling and other agricultural services reported two instances in which an unauthorized actor gained access to some of its systems and may have attempted to initiate a ransomware attack. The attempts were detected and stopped before encryption occurred.
• Between 15 September and 6 October 2021, six grain cooperatives experienced ransomware attacks. A variety of ransomware variants were used, including Conti, BlackMatter, Suncrypt, Sodinokibi, and BlackByte. Some targeted entities had to completely halt production while others lost administrative functions.
• In July 2021, a business management software company found malicious activity on its network, which was later identified as HelloKitty/Five Hands ransomware. The threat actor demanded $30 million USD ransom. The ransomware attack on the company led to secondary ransomware infections on a number of its clients, which included several  agricultural cooperatives.

More on the Agricultural Manufacturer AGCO Ransomware Hit on May 6th

•  The ransomware attack disrupted AGCO’s operations during the critical planting season. (1)
• AGCO did not name the facilities affected or whether any data was stolen and said it was currently investigating the incident.  There is also currently no indication as to the identity of the attackers. (1)
• Upon further research, attribution of the attack has not been announced by any major law enforcement or cybersecurity research outlets.
• Reuters reported that the attack had led to tractor sales stalling during a critical period in the year for the agricultural industry. It quoted Tim Brannon, president, and owner of B&G Equipment Inc in Tennessee, who said: “We just have to trust that it will be over as soon as possible because we are coming into our busiest time of the year and it will be very damaging to our business and customers.” (1)  (2)

While last year’s ransomware attack on one of the world’s biggest meat processing companies, JBS (which paid $11m in ransom to resolve the cyber attack), was covered widely by many news outlets, consistent with the FBI threat timeline, our research has surfaced two seminal ransomware attacks from 2021 which were direct precursors to the AGCO attack:

• 9/20/21:  “President Joe Biden in July warned his Russian counterpart, Vladimir Putin, that Russia-based hacking groups should steer clear of 16 critical sectors of the U.S. economy  In recent days, a Russia-linked ransomware group called BlackMatter attacked a grain cooperative in Iowa, an incident that appears to test Biden’s terms since ‘food and agriculture is one of the protected sectors.
  In messages with Bloomberg News, however, BlackMatter said it has rules for how it operates its ransomware operation, a sort of ethical playbook for an illegal enterprise. Hospitals, the defense industry, and the government sector are off-limits, according to details on the group’s dark web page. The hack on Iowa’s New Cooperative, however, didn’t violate Biden’s mandate, the group says.  ‘The volumes of their production do not correspond to the volume to call them critical,’ BlackMatter said in messages via its dark web page. The group said it has refrained from attacking dozens of companies that are ‘really critical’ like ‘companies associated with oil, minerals and many others much more serious.   “We don’t see any critical areas of activity,” the group said. “Also this company only works in one state.” New Cooperative operates in Iowa, which produces the most corn in the U.S. and the second most soybeans. (3a) (3b)
• 9/22/21: “Crystal Valley, a Minnesota-based farm supply and grain marketing cooperative, has become the second U.S. agriculture business to be hit with a ransomware attack this week.  The company released a statement about the attack on its website on Tuesday afternoon, but as of Wednesday afternoon, the site had been knocked offline and was still down.  Crystal Valley confirmed in a Facebook post that it had been alerted to the attack on Sunday afternoon, Sept. 19.” (4)

“Sophisticated attacks” are defined here as a scale and scope “under the volumes of production” which correspond to the volumes to call these operations “critical infrastructure.”   Cyber attackers will continue to play games with this sliding scale of ‘scope’ of critical infrastructure targets to their ends strategically.

What Next?

FBI Recommendations

• Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement a recovery plan that includes maintaining and retaining multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
• Identify critical functions and develop an operations plan in the event that systems go offline. Think about ways to operate manually if it becomes necessary.
• Implement network segmentation.
• Install updates/patch operating systems, software, and firmware as soon as they are released.
• Use multi-factor authentication where possible.
• Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts and use strong passphrases where possible.
• Disable unused remote access/RDP ports and monitor remote access/RDP logs.
• Require administrator credentials to install the software.
• Audit user accounts with administrative or elevated privileges, and configure access controls with the least privilege in mind.
• Install and regularly update anti-virus and anti-malware software on all hosts.
• Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
• Consider adding an email banner to messages coming from outside your organization.
• Disable hyperlinks in received emails.
• Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e. ransomware and phishing scams).

OODA Recommendations

In light of the Russia-specific source of many of these attacks,  CISA, the FBI, and security researchers and journalists point back to the April 20th Five Eyes Joint Cybersecurity Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure, for which we provided an analysis here.

In the current climate created by the viable threat of a Russian cyberattack on the U.S., if you are preparing your organization or your individual household to mitigate risk please see OODA CTO Bob Gourley’s Guide For Business: Final checks for reducing risks in the face of nation-state cyber-attacks based on White House advisory.  In the post, Bob itemizes OODA recommendations for:

• Large Businesses/Large Federal Government Agencies
• Small To Mid-Sized Businesses/State and Local Governments;  and
• Individuals

Bob’s most recent post is also prescriptive:  Four Urgent Actions For The C-Suite To Prepare For High End Cyberattacks

OODA is here to help.  OODA members can contact us by replying to any of our emails or using this form.

If you want to use this specific risk awareness as an opportunity for innovation in company-wide and employee cyber security awareness and training, OODA Loop recently ran a series on the topic:

• People, Culture, Organizations, Cybersecurity, and Technology (Insights from Masha Sedova and  Bryson Bort)
• Is Your Insider Threat Risk Management Program Ripe for Innovation? Part 1
• Is Your Insider Threat Risk Management Program Ripe for Innovation? Part 2

Stay Informed

It should go without saying that tracking threats are critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences, and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community