Free Republic

Ransomware Attacks on Agricultural Cooperatives Potentially Timed to Critical Seasons
FBI ^ | 4/23/22

Posted on 04/26/2022 3:24:41 AM PDT by EBH

Summary

The Federal Bureau of Investigation (FBI) is informing Food and Agriculture (FA) sector partners that ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss, and negatively impacting the food supply chain. The FBI noted ransomware attacks during these seasons against six grain cooperatives during the fall 2021 harvest and two attacks in early 2022 that could impact the planting season by disrupting the supply of seeds and fertilizer.

Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production. Although ransomware attacks against the entire farm-to-table spectrum of the FA sector occur on a regular basis, the number of cyber attacks against agricultural cooperatives during key seasons is notable.

According to a February 2022 Joint Cybersecurity Advisory authored by cybersecurity authorities in the United States, Australia, and the United Kingdom, ransomware tactics and techniques continued to evolve in 2021.

Sophisticated, high-impact ransomware incidents against critical infrastructure organizations increased globally. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including FA, the Defense Industrial Base, Emergency Services, Government Facilities, and Information Technology Sectors.

(4 pages at link)


TOPICS: Business/Economy; Government; Unclassified
KEYWORDS: foodcrisis; foodshortages; supplychain
Stockpile food now?
1 posted on 04/26/2022 3:24:41 AM PDT by EBH

To: EBH

- In March 2022, a multi-state grain company suffered a Lockbit 2.0 ransomware attack.
In addition to grain processing, the company provides seed, fertilizer, and logistics
services, which are critical during the spring planting season.

- In February 2022, a company providing feed milling and other agricultural services
reported two instances in which an unauthorized actor gained access to some of its
systems and may have attempted to initiate a ransomware attack. The attempts were
detected and stopped before encryption occurred.

- Between 15 September and 6 October 2021, six grain cooperatives experienced
ransomware attacks. A variety of ransomware variants were used, including Conti,
BlackMatter, Suncrypt, Sodinokibi, and BlackByte. Some targeted entities had to
completely halt production while others lost administrative functions.

- In July 2021, a business management software company found malicious activity on its
network, which was later identified as HelloKitty/Five Hands ransomware. The threat
actor demanded $30 million USD ransom. The ransomware attack on the company led
to secondary ransomware infections on a number of its clients, which included several
agricultural cooperatives.


2 posted on 04/26/2022 3:32:38 AM PDT by EBH (Hold My Beer. 1776-2021 May God Save Us.)

To: EBH

I really do not trust the FBI much, but our food supply is certainly in crisis.

Frankly, I would not be surprised if the FBI was behind the attacks on food processing plants and cooperatives.

Regardless, tough times are coming.


3 posted on 04/26/2022 3:39:58 AM PDT by Erik Latranyi (We are being played by forces most do not understand)

To: EBH

So many businesses and organizations just leave themselves open to this sort of stuff.

Use MFA.

Shut down all removable media on workstations.

Scan all attachments to email. Better yet, use a service that uploads attachments to a server so they can be detonated to see if they are malicious.

Restrict Internet at work for workstations. If it is not directly work related, it gets blocked and there is a policy about not using workstations for non-work related business of any kind. No Facebook, Twitter, Pinterest, etc.

With that said, do have an employee wireless network that is airgapped from the rest of the organization. It would be available for phones, tablets etc.

Ransomware could be reduced quite a bit if people would do work… at work.


4 posted on 04/26/2022 3:52:01 AM PDT by Fury

To: Fury

While I agree with much of what you posted, there is more to be done.

I have been on IR teams for ransomware attacks.

They (Conti et al. ransomware groups) target high level IT professionals. The reason is they can get the keys to the kingdom.

Once they can get into domain controllers or other profile managers, they can slip in the payload.

Cloud based email with MFA is a good start. Email and text 2FA isn’t enough either. Authenticator apps and password managers are better.

You also need a workstation with an adaptive client that’s looking for zero days. We use Carbon Black.

The most recent IR was where the VP of IT was emailing back and forth with another guy about something they were working on. The communication was back and forth, under probably 20 minutes each way. The other party said “let me look at this, I’ll get back to you”.

3 minutes later, an email arrived that called him by name, discussed some of the detail and had a link. Our VP clicked it and that was that. Man in the middle attack, executed perfectly.

Conti had compromised the other guy’s home computer and were monitoring the communications in real time. Once the VP clicked the link, it gave them access to the VP’s computer and they watched it for about a week until they got the domain password, the rest is history. Quick update to the domain controller’s group policy deployed the ransomware at 2:30 am EST.

I’m still helping bring systems back, almost 60 days later. The network architecture was rebuilt to prevent a global wipeout, so it broke a billion things.


5 posted on 04/26/2022 4:41:02 AM PDT by Malsua

To: Malsua

Wow. Thanks for the insight.

Would a separate home network have helped prevent it?

Keep work computer as work. Closed network?

Dumb questions, but just the average joe not knowing.


6 posted on 04/26/2022 5:06:18 AM PDT by EBH (Hold My Beer. 1776-2021 May God Save Us.)

To: Malsua

Re: 5 - Great info. A couple of our locations use Carbon Black.

We are phasing out all non-authenticator MFA methods June 1. Luckily only a few people still use SMS, but they are the most vocal.

At one of our sites, they put me in Domain Admin group and I told them to take me out of that group. I had no work reason to have such privs.

Social engineering is the one thing that concerns me the most. People are just not, well, skeptical enough of a sob story from a user they think they know to verify the reasons for a password reset. When I worked at DEC, they had a policy at our site - NO password resets over the phone - period. I had to drive 50 miles one way to verify a person’s credentials before I could reset his password. He was pissed - but I kept my job (he later got reprimanded for being a jerk when he called).

So many threats - and most normal everyday workers just can’t keep their guard up all the time to remain skeptical of the threats. It’s tiring with all the fake SMS messages now, etc.


7 posted on 04/26/2022 5:26:28 AM PDT by Fury

To: EBH

Is this the FBI’s answer to all the recent mysterious fires at the food distribution centers across the country? Or a tail wagging the dog?


8 posted on 04/26/2022 5:27:36 AM PDT by wardamneagle

To: wardamneagle

It looks like it’s an admission something has been going on, long before the fires.


9 posted on 04/26/2022 6:24:21 AM PDT by EBH (Hold My Beer. 1776-2021 May God Save Us.)

To: EBH
Would a separate home network have helped prevent it?

Not sure how that would help. Digital signatures on email would help. Enforced digital signatures is even better, for the high level execs anyway.

I'm not entirely sure how compromised the other guy's machine was...if it was a wide open mess, where the black hat could literally send messages as the real person, then it really doesn't matter. The machine was brought in and wiped, so there was no forensic audit done on it that I ever saw.

I'm super paranoid about links...I will call someone before I click on it. I'll even run them through some testing just to be sure.

Don't click on links unless you expect them, are from someone you know and you've confirmed by some other method that they sent it.

10 posted on 04/26/2022 7:25:48 AM PDT by Malsua

To: EBH

My contribution to a lot of threads lately is saying, “Fifth Generation Warfare.”


11 posted on 04/26/2022 7:28:06 AM PDT by PLMerite ("They say that we were Cold Warriors. Yes, and a bloody good show, too." - Robert Conquest )

To: EBH

FBI is clearly part of the engineered famine.


12 posted on 04/27/2022 8:53:08 AM PDT by backwoods-engineer (Hold on, y'all, 2022 is going to be a ride you won't soon forget!)
