Almost a year ago in September 2021, New Cooperative was hit by a BlackMatter ransomware attack that encrypted IT systems, crippled operations, caused supply chain issues and led to the loss of nearly 1TB data.
(guest author: Bianka Bálint)
The ransom negotiations have reportedly failed, and the incident was later mitigated, law enforcement and customers have been notified. So, what’s so interesting about this attack then? New Cooperative is an Iowa, US-based company that provides quality feed, fertilizer, crop protection and seed resources as well as precision technology services that support 40% of US grain production and feed schedules for 11 million farm animals. In 2021 the average downtime a company experienced after a ransomware attack was 20 days, but how long can cattle go without food while logistics are rearranged? What happens when an attack hits the IT or operational environment during the busiest harvest and planting seasons? What’s the recovery timeline of an attack that targets digital agriculture services and leads to the destruction of whole crops or even death of livestock?
This article is the first in a series that tackles cyber threats targeting the agriculture and wider food sector.
While the sector struggles with the fact that both modern and decades-old technology exists, digital agriculture can be a solution for farmers affected by the extreme weather conditions and serious droughts, as closer monitoring and precision farming can optimize the use of high-demand resources like fertilizers and lead to more sustainable operational solutions such as precision irrigation systems. The market value of precision farming is expected to grow from approximately seven billion dollars in 2021 to 14.5 billion by 2027 worldwide. Due to quicker development and implementation of data-based technology applied towards agriculture, it’s not surprising at all that in 2020 North America owned 46.81% of the global farm management software and data analytics market which was valued at that time at 1.1 billion dollars worldwide.
Precision agriculture is unique, because of the broader attack surface available to threat actors compared to other connected industries. It supports the wider food network and technically may involve on multiple acres of land everything from smaller IoT devices such as sensors, actuators and drones, to autonomous heavy machinery, an operational technology environment that monitors industrial processes and IT systems managing company processes and data on site and in the cloud. Network protocols and the technology stack used in different environments can be multifarious with very different support and availability needs and has many risks that are not present in other sectors such as GPS signal loss and disruption of precision positioning services that may impact integrated guidance systems thus for example can potentially stop swarms of farm robots in their tracks in multiple countries at once.
The impact of a cyberattack can be devastating to agribusiness and the food network, thus should be treated as a hazard when a decision comes to digitalize or develop infrastructure. Even though the food sector is a critical infrastructure, it has been even overlooked by both editions of the EU Directive on the Security of Network and Information Systems (NIS and NIS2), which aims to improve cyber security across sectors that are vital to EU economies.
Problem is that as always, when left unregulated then the available funds for security solutions are dependent on the consumers and the competitive market. There are multiple parties within the food supply chain often spanning across multiple countries and jurisdictions, potentially operating within different threat environments targeted by cybercrime actors, nation-state sponsored actors and possibly endangered by hacktivists.
Just like any other sector, agriculture has always been targeted by cybercrime actors for financial (and more recently political) reasons; general fraud and business email compromise attacks targeting the leadership and the financial department is not news, and from an operational perspective these types of attacks are not considered as high risk as ransomware that can stop everything, causing long delays. The ransomware operations are not homogeneous; while operators usually have a defined “code of conduct”, affiliates may alternate between programs and could have different resources and motives. Appropriate examples of ransomware affiliate ethics (and the lack of it) are Vice Society attacks targeting hospice services and HIVE hitting hospitals. The BlackMatter ransomware-as-a-service operation has gained reputation over attacking a high number of US companies during its short lifetime between July and November 2021. The group was reportedly a rebrand of the Easter-European DarkSide ransomware service, the operators of which gained much interest from authorities and the US Army Cyberwarfare group after its affiliate hit Colonial Pipeline demanding $4.4 million ransom payment while the attack itself led to the shutdown of the main pipeline supplying 45% of fuel to the East Coast of the United States. After successfully deploying ransomware on New Cooperative systems, BlackMatter operators demanded $5.9 million in cryptocurrency and stated during their negotiations that the company’s production volumes "do not correspond to the volume to call them critical", potentially signaling a contradiction in perception, ignorance or a lack of understanding over the magnitude of their own actions.
Actors may use various methods to gain access to their victims' networks, such as unpatched vulnerabilities and phishing, however they also often utilize different dark web services such as initial access brokers, developers and ransom negotiators, money launderers. After initial reporting on the New Cooperative incident, researchers have found 653 available instances of breached credentials; the password "chicken1" was common among the company's 120 employees. Crystal Valley feed mills have also been attacked on the same weekend as New Cooperative, through a server that has been used for migrating email systems multiple years ago, left connected to the internal network. Crystal Valley networks, data and automated systems were inaccessible for weeks, they had to track everything manually and notify 15,000 owners, customers, suppliers and other business partners to let them know sensitive information may have been compromised.
Ransomware does not only target organizations in the US. In November 2022, the production in Spain’s second biggest brewery Damm had been inoperable for hours. AGCO, a worldwide manufacturer and distributor of agricultural equipment and infrastructure, has been working on the mitigation of the production loss since May 5, 2022, when all factories and parts operations stopped due to a ransomware attack. On August 7, 2022, Quebec’s farming association (Union des producteurs agricoles, UPA) was attacked, affecting 160 employees and 23 UPA client organizations, like the union of grain producers.
Disruption to production is still not the worst that could potentially impact an organization in this sector. It should be also added that the ransomware attack on JBS, a Brazil-based meat processing company, disabled its beef and pork slaughterhouses and impacted facilities in the US, Canada, and Australia. However, a malicious actor injecting or releasing false data on diseases, or an unapproved genetic modification could deceive the public and authorities causing real impacts to food security, massive economic disruption and complex foreign trade issues on an even larger scale. Although no such scenario has happened before, Chinese hackers have already reportedly compromised the digital tool used in the US by the government to track and trace animal diseases Animal Health Emergency Reporting Diagnostic System (USAHERDS). While the end goal of this attack is still not known, cyberespionage and intellectual property theft have been known motives for such nation state sponsored actors in cyberspace. BlackMatter also claimed to have access to code for New Cooperative’s MAP precision agriculture service that could potentially indicate further supply chain compromise issues for partners of the company including John Deere. These cases also prove that besides availability, data integrity and confidentiality should also be considered.
Finally, hacktivism needs to be noted, and interestingly in this sector mostly farmers participate in it currently. The right to repair movement’s goal is to make available the diagnostics software to enable farmers to perform traditional maintenance work on their own equipment given that the discontinued tractor lines and other expensive heavy machinery would not be fixed, or repair would be expensive and even unfeasible under certain conditions, such as the limited window for planting seeds. If manufacturers do not provide the appropriate support for farmers, they will likely continue to resort to solutions such as pirated diagnostic software to jailbreak their tractors that could also lead to further serious security incidents such as the deployment of information stealers and other malware.
In summary, the vulnerability and threat research of digital agriculture technologies are still in infancy. Built-in backdoors and design flaws have not yet been widely explored as much as in other critical sectors and the manufacturers are not as invested in security either. As the agricultural sector is also a critical infrastructure, it would be of utmost importance to strengthen information security, especially during the busiest periods such as harvesting. However, everyone has their own role in it, from manufacturers through the entire supply chain to end users, which should be supported and strengthened by the authorities and regional regulations as well.
To close out on a high note, there is a demonstration made by a security researcher ‘Sick Codes’ in his presentation at the cybersecurity conference Defcon this year. He managed to run a crop-harvesting themed version of the computer game DOOM on a John Deere tractor touchscreen. https://twitter.com/i/status/1558878687642402816
(guest author: Bianka Bálint)