Dive Brief:
- Weeks after federal authorities warned the agricultural industry about potential ransomware threats, ransomware organization BlackMatter is demanding a $5.9 million payoff from an Iowa grain cooperative. New Cooperative, one of the largest agricultural cooperatives in Iowa, shut down operations in a precautionary move after the attackers accessed its systems.
- "New Cooperative recently identified a cybersecurity incident that is impacting some of our company's systems," the organization said in a statement. "Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained."
- BlackMatter is a newly formed ransomware gang that emerged after DarkSide went underground following the May attack against Colonial Pipeline. The attack will put President Biden's recently announced red line over critical infrastructure to the test, as the administration vowed retaliation for additional attacks on key industries.
Dive Insight:
The attack appears to be part of a carefully constructed repackaging of the former DarkSide gang, according to security researchers. DarkSide basically disappeared after the U.S. launched a multifaceted, global crackdown against ransomware and other malign cyber activity, as well as the nation-state elements that support such activity.
The Colonial Pipeline attack disrupted fuel supplies to much of the southeast and East Coast of the U.S., causing a spike in gasoline prices and long lines at the gas pump. The Biden administration said it would no longer allow foreign adversaries to conduct operations against key critical infrastructure sectors and threatened retaliatory strikes or other methods to deter future attacks.
The potential impact on the agricultural sector is a serious concern, according to John Hoffman, senior research fellow at the Food Protection & Defense Institute at the University of Minnesota.
"The downstream, cascading consequences are supply chain disruptions, higher consumer prices and significant losses to the firms in the impacted supply chains, not just to the individual firm that is attacked," he said.
Few firms in the agricultural industry are currently prepared enough to have true cyber resilience, according to Hoffman.
The new BlackMatter group has clear links to former DarkSide operations, with similarities to the REvil gang and LockBit 2.0, Sophos researchers said. BlackMatter has gotten into a dispute with New Cooperative officials about whether the organization is critical infrastructure and should be considered off limits. Some researchers consider the hacking group's assessment of what is critical to be a somewhat desperate attempt by the group to evade accountability.
"The recent declaration by BlackMatter that they are operating within their code of ethics by limiting their attack to an Iowa grain processor they don't consider to be critical infrastructure is preposterous at best," said Mark Carrigan, cyber VP of process safety and OT cybersecurity at Hexagon. "Is it ok to commit armed robbery at a convenience store but not a bank?"
Carrigan said the U.S. and its allies must take a more aggressive stance to deter and punish criminal enterprises that are targeting businesses and critical infrastructure providers.
"This attack will be the first to test the new U.S. government policy on reporting attacks against critical infrastructure and to [the Cybersecurity and Infrastructure Security Agency] and the Biden Administration's response to an attack," said John Shier, senior security advisor to Sophos.
New Cooperative said that after finding out about the attack, it quickly notified law enforcement and is working with data security experts to investigate and remediate the situation. The organization did not provide details of the attack.
"Please know that New Cooperative is treating this matter with the utmost seriousness, and we are using every available tool and resource to quickly restore our systems," the statement said.