New Cooperative's Ransomware Attack Underscores Threat to Food & Agriculture

The Iowa grain cooperative took its systems offline in response to a security incident earlier this week.

Kelly Sheridan, Former Senior Editor, Dark Reading

September 21, 2021


Farm services provider New Cooperative recently suffered a ransomware attack that forced it to take systems offline. The attack follows months of high-level US government debate about how to address ransomware — and occurred days before US officials sanctioned the Suex cryptocurrency exchange.

New Cooperative is a farmer cooperative with 60 operating locations across north, central, and western Iowa. In addition to providing grain, the organization also offers feed, fertilizer, crop protection, and seed resources. The attack struck late last week, just as the US farming sector is preparing for harvest, and the group reportedly behind the attack demanded $5.9 million.

In response, the cooperative says it has reached out to law enforcement and has brought on data security experts to investigate and remediate the attack.

"New Cooperative recently identified a cybersecurity incident that is impacting some of our company's devices and systems," officials say in a statement. "Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained."

The attack is connected to BlackMatter, an attack group that said in a statement on its website that it had stolen New Cooperative data. It claims to have taken financial information, human resources data, research and development data, and source code for New Cooperative's SoilMap product, according to a Bloomberg report.

BlackMatter is believed to be connected with ransomware-as-a-service (RaaS) group DarkSide, an affiliate of which targeted Colonial Pipeline in a major ransomware attack earlier this year. When the newer group appeared in July, after DarkSide shut down its infrastructure and removed its members from criminal websites, it claimed to use the best tools from DarkSide and REvil. Sophos research shows that while factors suggest a connection between BlackMatter and DarkSide, "this is not simply a rebranding from one to another," says researcher Mark Loman.

"In the hands of an experienced attacker, this ransomware can cause a lot of damage without triggering many alarms," he writes in a blog post.

It's becoming increasingly common for ransomware groups to disband and regroup under a different alias as a brighter spotlight shines on ransomware campaigns as a global problem, says Hank Schless, senior manager of security solutions at Lookout.

"These ransomware groups figure out repeatable models so it would make sense that the tactics of an offshoot group are very similar to those of the original organization," he says. "There may be nuanced changes to avoid immediate detection under the new group name."

Will The Biden Administration Act?
President Biden met with Russian President Vladimir Putin earlier this year and, as part of that conversation, presented a list of industries that constitute critical infrastructure in the US. If the entities, which included food and agriculture companies, were to be targeted by Russian cybercriminals, it would be considered a serious national security threat. Critical infrastructure also includes the chemical sector, emergency services, energy, critical manufacturing, water, and healthcare.

"Certain critical infrastructures should be off-limits to attack, period, by cyber or any other means," Biden said after the meeting.

BlackMatter is made up of Russian-speaking attackers who code in Russian. The group's blog says it doesn't conduct attacks on organizations in industries that include healthcare, critical infrastructure, oil and gas, defense, nonprofits, and government, Recorded Future reports.

While the US government considers food and agriculture a critical sector, BlackMatter does not in this case: it states that New Cooperative's production volumes "do not correspond to the volume to call them critical," according to its Dark Web page, Bloomberg reports.

This attack basically dismisses Biden's directive, but it's hardly a surprise to see a group push back, experts say. Criminals, after all, are expected to lie, steal, and act in their own self-interest. They have a strong incentive to convince law enforcement that they didn't violate a rule.

"To me, this sounds like a mix of BlackMatter playing dumb, trolling the mandate, and showing that they may continue to target smaller groups that fall within the critical infrastructure sectors," Schless says. "It feels like an athlete committing a foul, then putting their hands up as if they didn't do anything wrong." The justification that New Cooperative didn't operate on a large enough scale to fall within the boundaries of Biden's mandate "just doesn't make sense."

It remains to be seen whether the US acts in response to this latest attack. It's one thing to communicate the parameters of a rule; it's another to impose and enforce consequences. If officials don't take action in response to this, it may communicate to attackers that there is no punishment for targeting critical infrastructure, which could invite future attacks.

Designating critical infrastructure attacks as a national security threat is only one step the Biden administration has taken against ransomware groups. News of this attack arrived days before the US Treasury Department sanctioned the Suex cryptocurrency exchange for its role in facilitating transactions for ransomware attackers. It's the first time a digital currency exchange has been sanctioned.

Security Challenges in the Food Supply Chain
The food and agriculture sector struggles with the fact that both modern and decades-old technology exists in each individual operation, and even more so in the larger supply chain. Budgets, technical projects, cybersecurity, and business risk mitigation efforts are all affected.

"Older, larger organizations are often trying to catch up with technical debt across the organization, while trying to keep up with acquisitions of smaller, less secure operations — all while running a fundamentally low-margin business," says Armis CISO Curtis Simpson. He notes smaller operations often outsource their security and technology efforts, with varied results.

Organizations in this sector have a large and complex attack surface and a critical role in food production and distribution, which drives the challenge of remaining safe and operational. The public relies on these businesses to not only supply sufficient amounts of food but to ensure the safety of that supply. Any cyberattack that calls this into question can interfere with trust.

"When we couple the complexity of the food and agriculture industry with the real-world impact these organizations have on the public on a daily basis," says Illumio co-founder and CEO Andrew Rubin, "it makes them a valuable potential target for cyberattacks, and more specifically ransomware."

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
