IOTW: JBS Recovers Quickly from a Ransomware Attack
Add bookmark
Major international beef and pork producer JBS was hit with a ransomware attack in late May that affected its U.S., Australian and Canadian plants, albeit for only a few days. Its operations in Mexico and the UK were not impacted.
According to CNN, the U.S. Department of Agriculture tried to alleviate the potential supply chain impacts by asking other meat processors to accommodate additional capacity.
Like the Colonial Pipeline attack, there was speculation about the impact of the incident on supply and product pricing. If the impact of the JBS attack did not last long, wholesale prices were expected rise but retail prices were not. If the downtime lasted a matter of weeks, then both wholesale and retail meat prices would spike since JBS processes one-quarter of the U.S. beef supply and one-fifth of the U.S. pork supply.
JBS apparently told U.S. government officials that the ransom demand likely came from REvil a criminal organization with ties to Russia.
With more than 140,000 members, Cyber Security Hub is the vibrant community connecting cyber security professionals around the world.
The Facts
On Sunday, May 30, JBS USA discovered it was the victim of a cyber attack that affected some of the servers supporting its U.S., Australian and Canadian IT systems. The company suspended all affected systems, then contacted law enforcement and third-party consultants so they could work with internal IT to resolve the situation. JBS's backup systems were unaffected.
By June 1, the company was starting to bring systems online and it was able to ship product from nearly all of its facilities to supply customers. On June 2, the company stated that it had substantially recovered from the attack and that all facilities would resume operations the next day.
On June 3, JBS USA CEO Andre Nogueira issued a statement saying that the company was able to recover quickly with the help of government entities and consultants. He also said the hackers failed to breach core systems, which reduced the potential impact.
Lessons Learned
JBS was transparent about its attack, unlike Colonial Pipeline. Specifically, JBS issued press releases on May 30, June 1, June 2, and June 3 to keep customers and the public apprised of the status of the incident. That fact, coupled with fast remediation, probably stunted the potential for widespread panic about meat shortages and meat hoarding.
The U.S. Department of Agriculture exercised considerable wisdom in asking other meat processors to help ensure that supply remained plentiful. That sort of industry network support will likely become increasingly critical as more U.S. businesses face operational disruptions caused by cyber terrorists.
Quick Tips
- When a breach is detected, the affected systems should be shut down, as here, to stop malware from spreading.
- Engage the appropriate government entities and third-party consultants who can assist with the forensic and mediation work.
- Patch software in a timely manner.
- Harden the edge with endpoint security.
- Double check permissions and authorizations to ensure they're up to date.
- Use behavioral analytics to monitor applications, users and the network so it's easier to pinpoint anomalous behavior faster.
- Don't discount the possibility of inside threat actors.
- Ensure third parties are complying with security policies.
- Update security policies and the security fabric as necessary to minimize the likelihood of a similar attack.
