Cyber attackers told JBS ‘don’t panic, we’re in business not war’

FASCINATING insight into the cyber attack which shut down JBS meat processing plants in the United States and Australia has been revealed at a special US congress hearing into strategies for disrupting hackers.

The Biden administration launched an investigation into ransomware in June, overseen by the House of Representatives Committee on Oversight and Reform, in the wake of unprecedented cyber attacks this year.

The investigation focussed on three big attacks – that on JBS in May, the one which occurred just weeks earlier on Colonial Pipeline Company and one in March on CNA Financial Corporation, one of the largest insurance companies in the US.

A memo from the committee released at the hearing said the investigation found these attacks often stemmed from minor security lapses, even at companies with seemingly robust cyber security.

In the case of JBS, the attackers gained access to an old network administrator account that had not been deactivated and was protected only by a weak password, according to the memo.
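The memo's finding points at a control that is easy to check: enabled accounts with administrative rights that nobody has used for months, or whose password was set long ago. The script below is an added example, not code from the committee, JBS or Farm Online, and it runs over a constructed list of accounts rather than a real directory; the `Account` record layout, the 90-day idle and 365-day password-age thresholds, and every username in it are assumptions made for the illustration.

```python
"""
Dormant privileged-account audit (added example; the account schema and the
sample data are constructed, not taken from any real environment).

Flags accounts that are still enabled, hold an administrative role, and either
have not logged on within the idle window or carry a password older than the
allowed age. Disabled accounts and non-admin accounts are ignored, which is
why the first step for a leaver's admin account is simply to disable it.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Account:
    username: str
    enabled: bool
    is_admin: bool
    last_logon: Optional[date]   # None means the account has never logged on
    password_last_set: date


def find_dormant_admins(accounts: List[Account], today: date,
                        max_idle_days: int = 90,
                        max_password_age_days: int = 365) -> List[dict]:
    """Return one finding per enabled admin account that is idle or has a stale password."""
    findings = []
    for acct in accounts:
        # Only live, privileged accounts matter for this check.
        if not acct.enabled or not acct.is_admin:
            continue
        reasons = []
        if acct.last_logon is None:
            reasons.append("never logged on")
        else:
            idle_days = (today - acct.last_logon).days
            if idle_days > max_idle_days:
                reasons.append(f"idle for {idle_days} days")
        password_age = (today - acct.password_last_set).days
        if password_age > max_password_age_days:
            reasons.append(f"password age {password_age} days")
        if reasons:
            findings.append({"username": acct.username, "reasons": reasons})
    return findings


def audit_sample() -> List[dict]:
    """Run the check over a constructed account list as of a fixed audit date."""
    today = date(2021, 6, 1)   # constructed audit date
    accounts = [
        # Active service account with a recent logon and a fresh password: clean.
        Account("svc_backup", True, True, date(2021, 5, 30), date(2021, 1, 15)),
        # Old administrator account nobody disabled: idle and stale password.
        Account("oldadmin", True, True, date(2019, 11, 2), date(2018, 6, 1)),
        # Admin account created for a contractor that was never used.
        Account("contractor", True, True, None, date(2021, 3, 1)),
        # Properly disabled leaver account: ignored.
        Account("retired", False, True, date(2018, 2, 10), date(2017, 9, 1)),
        # Ordinary user, long idle but not privileged: out of scope here.
        Account("jsmith", True, False, date(2019, 8, 20), date(2019, 8, 20)),
    ]
    return find_dormant_admins(accounts, today)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['username']}: {', '.join(finding['reasons'])}")
```

In a real environment the `Account` list would be populated from the directory's last-logon and password-last-set attributes, and each flagged account would be disabled pending review rather than left in place.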

The investigation also found companies faced substantial pressure to pay ransoms quickly, and concluded that was making it harder to stop these attacks.

The committee’s chairwoman Carolyn Maloney said a tipping point had now been reached, as cyber attacks had become more common and potentially more damaging.

“Several recent attacks have used a type of malicious software known as ransomware, which encrypts a victim’s system and demands a payment in exchange for restoring access or refraining from publishing stolen data,” she said.

“This is especially dangerous because it can shut down an entire system and can cause chaos in a community, an industry, or even the entire country. And cyber criminals are now demanding, and receiving, more money than ever.”

JBS plants across Australia were shut down for the best part of a week, while in the US they were out of operation for a day. JBS paid the US$11 million ransom in bitcoin to unlock their system.

CNA reportedly coughed up the largest known ransomware payment ever, a staggering $40m, and Colonial $4.4m. The US Department of Justice was able to recover some of the Colonial payment.

The FBI have attributed the JBS attack to a Russian hacking group known as REvil, or Sodinokibi.

Ms Maloney said given the uncertainty over how quickly systems could be restored using backups, and whether any sensitive data was stolen, the companies appeared to have strong incentives to pay the ransom quickly.

“This pressure was compounded by attackers’ assurances that payment of the ransom would resolve the situation and avoid negative publicity for the company,” she said.

“For instance, after the initial hack of JBS, REvil told the company: ‘We can unblock your data and keep everything secret. All we need is a ransom’.”

The memo said JBS explained to the committee that in addition to the cost of rebuilding its systems from backups, if it did not pay the ransom, it faced other pressing concerns and potential costs, including obligations to customers and employees, as well as the need to process meat carcasses in its facilities, potentially totalling tens of millions of carcasses per day.

The memo also said despite launching cyber attacks on the companies, the attackers attempted to cast themselves as business partners with, or even consultants to, the companies.

“REvil told JBS not to panic, that it was ‘in business, not in war’ and offered the company a host of supposed benefits along with the decryption tool,” the memo said.

“The REvil attackers even provided recommendations of exchanges where the company could buy cryptocurrency, highlighting that one exchange had no need for verification.”

The memo said the companies made the decision to pay the ransom despite having at least some system backups that were not affected by the attacks.

Indeed, JBS later revealed that at the time of payment, the vast majority of its facilities were operational.

Colonial and CNA also had cyber insurance policies.

The memo revealed JBS had explained it paid the ransom to “mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”

During the attacks, the cyber criminals also provided certain assurances that they would follow through with promises to provide a decryption key and delete their copies of the stolen data if a ransom was paid, the memo said.

They made the point that it was in their interest to do as agreed.

In the case of JBS, the REvil attackers never delivered on their promise to provide the company with proof that they had destroyed all copies of the data they stole, the memo said.

Source: Farm Online