Very little about the slaughter of animals is digital.
In the case of cattle, the animals are herded single-file up a ramp at industrial meatpacking plants and within minutes they are stunned, bled, skinned, split and packaged into fresh and frozen cuts. They are then transferred almost immediately into articulated lorries to be transported to supermarkets and restaurants.
Yet even this raw, labour-intensive industry this week fell victim to cyber attack. For almost three days, the global operations of JBS — the world’s largest meat processor — were hobbled by a ransomware attack targeting the company’s IT systems.
With programmes for tracing and sorting animals paralysed, the Brazilian company — which operates 230 factories in 15 countries — was forced to temporarily close the majority of its plants across the US, Canada and Australia, standing down thousands of employees.
Just weeks after the Colonial pipeline incident — when a similar ransomware attack took down a key oil artery on the US east coast — the JBS hack intensified security concerns in Washington, this time over the nation’s food supply. According to a US Department of Agriculture estimate, 94,000 head of cattle were processed at the peak of the attack on Tuesday — down from 121,000 the same day last week.
“With the consolidation of cattle processing, when there is a disruption at one company it can have major downstream effects on the whole sector,” says Mike Stranz of the US National Farmers Union, which has criticised JBS’s market dominance over a quarter of the country’s beef processing and a fifth of its pork.
The São Paulo-headquartered group has remained mostly silent on the incident, releasing only a couple of statements to comply with its obligations as a listed company. By Thursday, its operations had been restored.
But the incident has echoed through Washington, with the Biden administration publicly laying the blame on a criminal organisation in Russia, as it did for the Colonial attack. The White House said President Joe Biden intends to rebuke Russian president Vladimir Putin when the two leaders meet at a summit in Geneva on June 16.
“Harbouring criminal entities that are doing harm to the critical infrastructure in the US is not acceptable,” Jen Psaki, the White House press secretary, said this week. “We’re not going to stand by. We will raise that and we are not going to take options off the table.”
Beyond the political posturing, analysts and cyber security experts say companies, government and other entities must treat the hack as an overdue wake-up call to not only develop adequate defences but also to develop a unified approach to dealing with the soaring number of attacks.
“Once again, the notion that ransomware is a national security threat is ringing true — and we need a fundamentally different approach to security,” says Sanjay Aurora, Asia-Pacific managing director for Darktrace, a British AI company.
Luca Belli, head of the Centre for Technology and Society at the Getúlio Vargas Foundation in Rio de Janeiro, puts it more starkly: “Cyber crime is like climate change turbocharged.”
“It is something that affects everyone, that no one is prepared for and that we only deal with after a major disaster,” he says. “And it is something we can only solve or mitigate with co-operation. Otherwise we are screwed.”
The alleged perpetrators of the JBS attack have long been known to cyber security experts. Since February alone, the Russia-linked REvil group has been connected to almost 100 targeted ransomware attacks, according to cyber security specialists ZeroFOX.
The gang adopts a “double extortion” approach with its targets — as well as locking up sensitive data and crippling systems, the group makes it clear that refusal to engage can result in the stolen data being published on its website, the “Happy Blog”.
“REvil were one of the first to start a dark web blog where they would leak data of companies that didn’t comply with demands,” says Peter Marzalik from ZeroFOX. He says his team has logged about 25 similar extortion blogs in active use this year, detailing instances of hundreds of victims.
Extortion and ransomware attacks have soared in popularity in recent years, partly because the business model works. In the Colonial pipeline case, the company paid $4.4m to regain access to its own infrastructure.
“If you pay a ransom, this is evidence to cyber criminals that their model works very well,” says Belli. “It is an open invitation to find other juicy corporations. The secret is asking for ransom that is not so high as to represent a huge burden.”
It is impossible to know the true scale of these types of attacks, but cyber experts estimate they numbered in the hundreds last year. Data show the ransoms demanded are also getting bigger.
“In 2021, the highest demand we’ve seen is $50m — up from $15m in 2019 and $30m in 2020,” says Sam Rubin, vice-president of an intelligence threat team at US cyber security group Palo Alto Networks.
According to Danilo Doneda, a Brazilian data privacy expert: “In the case of JBS, we know what happened because factories were closed. But most of the time security problems remain the invisible part of the iceberg,” adding that it often only took a lowly employee opening a malicious attachment to jeopardise an entire company.
Experts are quick to point out that cyber criminals have found ripe pickings in recent efforts by governments and companies to digitise infrastructure. These investments, however, have not always been matched with adequate security protocols. The energy, water and healthcare sectors are all thought to be acutely vulnerable.
“Hospitals are a key target and can be easily disrupted because they rarely have strong cyber security. And they are most willing to pay because they cannot afford to have people die,” says Belli.
Solano de Camargo, a Brazilian cyber law expert, laments what he considers a universal lack of foresight: “Our culture is to invest in locks only after the doors have been blown off.”
JBS declined to say whether it had paid a ransom and the precise mechanics of the hack are still unclear, including any details as to the “attack vector” — the point of vulnerability that allowed hackers to gain access. The company has insisted that no customer, supplier or employee data was compromised.
According to analysis by Boston-based Cybereason, REvil ransomware uses a sophisticated and largely automated process for extracting money. A “readme” file installed on infected machines points to a page on the dark web that details the ransom amount.
An increase is threatened if a deadline is missed. On the same site, useful links to buying and sending bitcoin can be found, and victims can communicate with the hackers via instant messaging software.
Far from operating in the shadows, REvil courts publicity as a means of growing its reach and profitability, says Marzalik. But even for cybercriminals, there can be the wrong kind of attention. Recent high-profile attacks are making some groups reluctant to go after targets that would cause geopolitical ripples or attract heavy scrutiny.
“Following the Colonial Pipeline attack, and shutdown of [hacking group] DarkSide, REvil did attempt to place new restrictions on the type of industries and sectors that would be targeted,” says Marzalik. “One of those restrictions was around this idea of not targeting companies or organisations that could have some large social consequence.”
As the world’s largest meatpacker — processing more than 75,000 cattle, 115,000 pigs and millions of chickens every day — JBS plays a central role in supplying food to a considerable chunk of the globe’s increasingly carnivorous population. By 2050, global meat consumption is forecast to reach 520m tonnes — twice as high as in 2008 — with much of the demand being driven by Asia and the Middle East.
JBS, however, is not without its share of controversy. At home in Brazil, the company was embroiled in the country’s “Car Wash” corruption scandal. More recently, it has been the target of ire from environmentalists, who accuse it of fuelling deforestation in the Amazon rainforest by allowing cattle raised on cleared land to enter its supply chain.
For many activists in Brazil, JBS is far from a model corporate citizen. But Marzalik says “all ransomware groups are mercilessly opportunistic”, adding: “Any target they think that they could make a quick buck from they’re going to go after.”
As the number of high-profile attacks mount, the US government is under pressure to show an effective response.
Chris Krebs, the former US government cyber security chief, has called for the military to target organised criminal gangs of hackers and suggested “hack back” efforts could include tactics such as doxing — the publication online of the gangs’ private details.
The approach is a controversial one, given the potential for retaliation and escalation. What most cyber security experts have agreed on, however, is the need for sustained political pressure on Russia to hold hackers accountable. The White House has pledged to take up the issue with Putin at the upcoming Geneva summit, although few expect the Russian leader will change course.
“This is not state-sponsored, but state-ignored. By ignoring the gangs and letting them work without any legal implications, [the Kremlin] is giving them the OK to operate,” says Lior Div, chief executive of Cybereason.
“Just Putin saying publicly that it’s not allowed, or that he’s against it, will change the trajectory of these groups,” Div adds.
Experts recommend companies and governments follow two paths. The first is technical: keep good backups, use up-to-date software and hardware and teach staff not to open suspicious emails or plug in compromised USB sticks.
The second is educational: to raise awareness of the threats to the highest echelons of politics and business and create a coherent framework to counter attacks.
Rubin from Palo Alto Networks says the important thing is to make “it clear to ransomware operators that law enforcement will track them down and put them to justice — no matter where they are”.
“We’re in uncharted waters here.”