Claroty Named a Strong Performer in The Forrester Wave™: Operational Technology Security Solutions, Q2 2024
Download the Report
Claroty Toggle Search

Blog / 5 min read

Cyber Attack Overview: JBS Foods Ransomware Incident

Grant Geyer
/ April 3rd, 2023
Cyber Attack: JBS Foods Ransomware Incident Overview

The Brazilian food company and world's largest meat distributor, JBS Foods, was compromised by an "organized cyberattack" on their North American and Australian IT systems that forced a shutdown of some of its plants and meat distribution. To put an end to the attack — which led to the closure of five meat processing plants for the duration of three days — the company paid an equivalent of $11m (£7.8m) in ransom. The JBS Foods cyber attack provided a serious warning to not only the meat production industry, but to the wider manufacturing supply chain of the rapidly evolving cyber threats to critical industries. In this blog, we will discuss the legacy problems in the food and beverage industry, and how organizations can protect their cyber-physical systems (CPS) from future attacks like the JBS breach. 

Ransomware as a Service (RaaS) Reportedly to Blame

There are several similarities between the JBS Foods cyber attack and the ransomware incident that forced Colonial Pipeline to take its industrial networks offline less than a month prior — which impacted fuel delivery up and down the East Coast. In both cases, IT systems were compromised forcing the companies to shut down industrial networks in order to contain the attacks. The critical service delivery of fuel and meat were temporarily impacted, causing immediate anxiety on Wall Street and with consumers. Additionally, in both attacks Russian-speaking threat actors were singled out by the White House as the perpetrators.

According to Bloomberg, four people familiar with the attack attributed it to the REvil group, also known as Sodinokibi. REvil, much like the DarkSide group blamed for the Colonial Pipeline attack, is a ransomware-as-a-service operation known for demanding large payments from victims, and threatening to leak stolen data to the public if ransom demands are not met.

Following the attack, White House Press Secretary Jen Psaki stated that the Biden administration is not taking any options off the table in terms of response from the U.S., and that Russia's alleged harboring of ransomware operators will be a topic of discussion between President Biden and Russian President Vladimir Putin at a scheduled face-to-face meeting between the two leaders. 

In the meantime, the food and beverage industry is the latest to feel the pain of a cyberattack, putting further emphasis on managing cyber-related risks in manufacturing environments and critical infrastructure where vulnerable legacy technology rules the day, and downtime is unacceptable. Production environments such as JBS Foods, which control 20% of the country's slaughtering capacity for beef and pork production and one-fifth of its daily cattle harvest, are 24/7 operations. Taking down servers or network equipment for patch testing and deployment is a major task, and any downtime or compatibility issues could cost millions — contributing further to the food and beverage cybersecurity risks faced by many organizations.

A Legacy Problem in Food and Beverage

Threat actors who have long ago moved away from spray-and-pray types of ransomware attacks clearly understand this dynamic and are adept at targeting organizations intolerant of interruptions — like what was seen during the JBS hack. The food and beverage industry is the latest high-profile sector to fall victim, fulfilling the attackers' ransom demands in order to restore facilities to operational status again, and highlighting the widespread supply chain security issues. Colonial Pipeline, similar to that of JBS Foods, reportedly paid close to $5 million in Bitcoin for a decryption key to restore its systems. Some media reports, however, said the process was so slow that Colonial restored many of its systems from backup. 

Another challenge faced by food and beverage companies is that many of their production sites run on legacy operational technology (OT), which was never designed to be connected to the internet. OT networks predate the internet, and with digital transformation leading many food and beverage companies to automate parts of the manufacturing processes, OT is suddenly being exposed to a whole host of new cyber threats lurking the web. Claroty's Biannual ICS Risk & Vulnerability Report points out more researchers and threat actors are looking at vulnerabilities in IT and OT systems running in food and beverage plants. The report said there was a 56% increase in industrial control system vulnerabilities from 2019 to 2020 after relatively few reports prior to 2019.

Within the food & beverage industry, this problem is particularly acute among meat processing plants, which typically have a very low level of maturity when it comes to their cybersecurity programs. Despite the Livestock industry being one of the biggest contributors to Australia's economy, ($32 billion in 2019-20 according to the ABS), many companies are blind to cyber risk — a factor which makes meat processing plants a target for cyber attackers seeking financial gain.

Recommendations to Keep Supply Chains Safe

  • To protect themselves, producers, manufacturers, and anyone involved in the food and beverage supply chain, companies should ensure that they have complete visibility into all of their systems and processes and make sure to continuously monitor for any threats that could result from a targeted or opportunistic attack — like the JBS hack. An accurate asset inventory is the first step toward proper vulnerability management to ensure critical systems are up to current patching levels and compensating controls are in place when appropriate.

  • Network segmentation is also a critical strategy to impede attackers' lateral network movement. OT networks are no longer air-gapped and network segmentation compensates for this by preventing attackers from using stolen credentials or compromising Active Directory and other identity infrastructure in order to move from system to system stealing data and-or dropping malware or exploits.

  • Strategically, organizations should also regularly test incident response plans, and conduct tabletop exercises to put those plans into motion without impacting production environments. Training and testing improves response, and ensures business continuity.

The JBS Foods cyber attack has shown the world that securing the future of the food and beverage supply chain and the large manufacturing ecosystem is now more important than ever. Cyber threats to critical infrastructure organizations are emerging rapidly as hackers are capitalizing on an expanded attack surface and vulnerability shift — becoming bolder, more sophisticated, and damaging in their attacks. As a result, food and beverage companies must assess their cybersecurity strategy and ensure they have the right tools to achieve cyber and operational resilience.

Stay in the know

Get the Claroty Newsletter

Featured Articles

Interested in learning about Claroty's Cybersecurity Solutions?

LinkedIn Twitter YouTube Facebook