April 29, 2022
The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors. This PIN was coordinated with DHS/CISA and USDA.
This PIN has been released TLP:WHITE
Please contact the FBI with any questions related to this Private Industry Notification via your local FBI Cyber Squad. www.fbi.gov/contact-us/field-offices
The Federal Bureau of Investigation (FBI) is informing Food and Agriculture (FA) sector partners that ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss, and negatively impacting the food supply chain. The FBI noted ransomware attacks during these seasons against six grain cooperatives during the fall 2021 harvest and two attacks in early 2022 that could impact the planting season by disrupting the supply of seeds and fertilizer. Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production. Although ransomware attacks against the entire farm-to-table spectrum of the FA sector occur on a regular basis, the number of cyber attacks against agricultural cooperatives during key seasons is notable.
According to a February 2022 Joint Cybersecurity Advisory1 authored by cybersecurity authorities in the United States, Australia, and the United Kingdom, ransomware tactics and techniques continued to evolve in 2021. Sophisticated, high-impact ransomware incidents against critical infrastructure organizations increased globally. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including FA, the Defense Industrial Base, Emergency Services, Government Facilities, and Information Technology Sectors.
Since 2021, multiple agricultural cooperatives have been impacted by a variety of ransomware variants. Initial intrusion vectors included known but unpatched common vulnerabilities and exploits, as well as secondary infections from the exploitation of shared network resources or compromise of managed services. Production was impacted for some of the targeted entities, resulting in slower processing due to manual operations, while other targeted entities lost access to administrative functions such as websites and email but did not have production impacted.
A significant disruption of grain production could impact the entire food chain, since grain is not only consumed by humans but also used for animal feed. In addition, a significant disruption of grain and corn production could impact commodities trading and stocks. An attack that disrupts processing at a protein or dairy facility can quickly result in spoiled products and have cascading effects down to the farm level as animals cannot be processed.
- In March 2022, a multi-state grain company suffered a Lockbit 2.0 ransomware attack. In addition to grain processing, the company provides seed, fertilizer, and logistics services, which are critical during the spring planting season.
- In February 2022, a company providing feed milling and other agricultural services reported two instances in which an unauthorized actor gained access to some of its systems and may have attempted to initiate a ransomware attack. The attempts were detected and stopped before encryption occurred.
- Between 15 September and 6 October 2021, six grain cooperatives experienced ransomware attacks. A variety of ransomware variants were used, including Conti, BlackMatter, Suncrypt, Sodinokibi, and BlackByte. Some targeted entities had to completely halt production while others lost administrative functions.
- In July 2021, a business management software company found malicious activity on its network, which was later identified as HelloKitty/Five Hands ransomware. The threat actor demanded $30 million USD ransom. The ransomware attack on the company led to secondary ransomware infections on a number of its clients, which included several agricultural cooperatives.
View the detailed report below.