How many alarm bells need to ring and disruptions occur before companies realize that, no matter the industry or position in the supply chain, they aren’t beyond the reach of motivated cybercriminals and must shore up their defenses? In the latest wake-up call, a “criminal organization likely based in Russia” sent meatpacking giant JBS USA Holdings a ransom demand during a weekend ransomware attack, prompting the U.S. to contact Russia’s government, a White House spokeswoman told reporters Tuesday.
“The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” Karine Jean-Pierre said during a White House press briefing.
The company said in a statement its backup servers “were not affected” in the organized attack that “affected some of the servers” that support its North American and Australian IT systems. “The company took immediate action, suspending all affected systems,” JBS said in a statement.
“The latest cyberattack targeting JBS once again reminds us how fragile the supply chain industry is today, especially when companies are highly dependent on IT systems,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify.
That the company’s backup systems appear to be unaffected by the ransomware attack is good news, because it “shows that they have followed some industry best practices and have an incident response plan,” Carson said.
But, he cautioned, those steps don’t prevent cyberattacks. “They do make companies more resilient,” he explained. “Let’s hope this sets an example for other companies [of] the importance of backup systems and network segmentation.”
While “forcing a production shutdown may or may not have been” the attackers’ intention, Christoph Hebeisen, director, security intelligence research at Lookout said, “the impact of this compromise makes it clear that strong protections for IT infrastructure are becoming a business-critical imperative for all industries, including those whose core business does not have an immediately obvious data component.”
The company said it has no evidence thus far that customer, supplier or employee data was compromised in the attack or had been misused. But JBS did warn customers and suppliers to expect delays in certain transactions until the incident is resolved.
JBS, which is based in Brazil, paused processing at five plants in the U.S., which Bloomberg said handles 22,500 cattle daily. That alone would erase about 20% of meatpacking production in the U.S. Australian processing was reduced, as well.
The attack is one in a string of disruptive cybersecurity incidents recently attributed to hackers affiliated with Russia, including the attack on the Colonial Pipeline that prompted its shutdown for several days and led to fuel shortages across the southern U.S. and up and down the Eastern seaboard.
“Observations that various dimensions of critical infrastructure and supply chain are vulnerable isn’t breaking news, and the degree of impact in this case is still to be seen,” said Tim Wade, technical director, CTO team, Vectra.
“It’s the backdrop that this attack was conducted against that’s more interesting, and it includes at least two factors: first, threats that have always been active are increasingly adopting a disruptive impact component to the attack to add another angle for monetization–so attacks that would have gone unreported will come to light,” he said. “Second, tradecraft to executive sophisticated attacks is always being simplified and commoditized, broadening the base of bad actors who have the capability to act maliciously.”
Those factors, Wade explained, “combine to create a higher volume of generally more public, disruptive attacks and, for legacy networks entrenched with technical debt, it will be very difficult for those attacks to be prevented.”
Oliver Tavakoli, CTO at Vectra, warned that overreacting to such attacks can have long-term effects, stymying the efforts to build resilience. “A single supplier of meat going offline for a few days should not create a panic,” he said.
“The practical result of such attacks is that we need to balance the desire to have a lean (and highly profitable) supply chain with the need to have a resilient one,” said Tavakoli. “The economic incentives for valuing resilience are hard to imagine as long as ransomware attacks are treated like black swan events.”