The Federal Bureau of Investigation’s cyber division is warning agricultural cooperatives across the country to be wary of possible cyberattacks.
The FBI did not provide details as to why it sent the notification, but the agency shared that historically, “ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss and negatively impacting the food supply chain.”
There were multiple attacks against agricultural cooperatives during the 2021 harvest season. So far this year, two cooperatives have been hit by these criminals. The FBI advisory also went out to cooperatives in Australia and the United Kingdom.
Together, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have seen ransomware incidents against 14 of 16 critical infrastructure sectors in the United States, including food and agriculture, the defense industry, emergency services, government facilities, and information technology sectors.
Two of the most recent attacks against the food and agriculture sector, one in February 2022 and one in March 2022, directly targeted grain processors and feed mills. In the February incident, hackers gained access to a company that provides feed milling and other ag services and attempted a ransomware attack. That attempt was stopped before encryption could take place. In March, a multi-state grain company was hit by a LockBit 2.0 ransomware attack. That company provides seed, fertilizer and logistical services.
The FBI did not share the name of either company, nor did it provide additional interviews or background on these issues.
LIVING THE NIGHTMARE
Roger Kienholz, CEO of Crystal Valley, a Minnesota-based grain cooperative, recently shared that organization’s story of being hit by a cyberattack last year.
Crystal Valley has eight grain elevators and total storage capacity of about 25 million bushels. The cooperative was attacked by hackers in September 2021, during harvest season. At the March meeting of the Minnesota Grain & Feed Association, Kienholz recounted how the co-op’s computer systems were infected and said the co-op immediately called the FBI to report the incident. The hackers demanded a ransom, which Kienholz said the co-op did not pay.
Crystal Valley alerted the industry of the attack and issued updates to customers as systems were restored and brought back up. No money was taken during the attack, and the cooperative reported that it was not aware of any data being used inappropriately or that any data was actually obtained. It added, “But we have determined that confidential data could have been viewed by an unauthorized person.” A formal data-breach notification was therefore sent to every customer and company on record with the cooperative.
After the attack, Kienholz said, Crystal Valley was unable to fulfill feed orders for livestock, but local cooperatives in the areas they serve helped out. While systems were slowly brought back up, the cooperative had to do everything by hand.
This was far from the only such attack last fall. DTN reported, also in September, on the attack by the group BlackMatter against Iowa’s NEW Cooperative. At that time, DTN reporters reached out to NEW Cooperative for details on the situation and were provided a statement, which said the cooperative had quickly notified law enforcement and was working with data security experts. The cooperative continued to operate, shifting to paper tickets.
MITIGATING THE THREAT
In alerting the industry to today’s high-priority threat, the FBI outlined steps to help protect businesses moving forward. They included the following:
— Regularly back up data, air gap, and password protect backup copies offline.
— Ensure copies of critical data are not accessible for modification or deletion.
— Implement a recovery plan that includes maintaining/retaining multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location.
— Identify critical functions and develop an operations plan in the event that systems go offline.
— Think about ways to operate manually if that should be necessary.
— Implement network segmentation.
— Install updates/patch operating systems, software and firmware as soon as released.
— Use multi-factor authentication when possible.
— Use strong passwords.
— Regularly change passwords, implementing the shortest acceptable timeframe for changes.
— Avoid reusing passwords for multiple accounts.
— Use strong passphrases where possible.
— Disable unused remote access/RDP ports and monitor remote access/RDP logs.
— Require admin credentials to install software.
— Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
— Install and regularly update anti-virus and anti-malware software on all hosts.
— Only use secure networks and avoid using public Wi-Fi networks.
— Consider installing and using a virtual private network (VPN).
— Consider adding an email banner to messages coming from outside your organization.
— Disable hyperlinks in received emails.
— Regularly focus on cybersecurity awareness and training.
CISA offers a no-cost self-assessment to help organizations better assess how well they are equipped to defend against and recover from a ransomware incident. The agency also has cyber hygiene services to help critical infrastructure assess, identify and reduce exposure to threats. The website is: www.cisa.gov.
Anyone who believes they have been the victim of a cyberattack can learn more about how to file a complaint with the FBI and begin the recovery process through the bureau’s Internet Crime Complaint Center IC3, found here: www.ic3.gov.