[BreachExchange] Iowa Grain Cooperative Hit by Cyberattack Linked to Ransomware Group

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Sep 21 08:31:57 EDT 2021


https://www.wsj.com/articles/iowa-grain-cooperative-hit-by-cyberattack-linked-to-ransomware-group-11632172945

An Iowa grain co-op said it was hit with a cyberattack that security
researchers are linking to newly launched ransomware group BlackMatter,
which the researchers said demanded $5.9 million to unlock the
organization’s data.

Fort Dodge, Iowa-based New Cooperative Inc. said Monday that it took its
computer networks down after some of its devices and systems recently were
hacked. The organization notified law enforcement and is working with
data-security experts to investigate what happened, it said.

“Out of an abundance of caution, we have proactively taken our systems
offline to contain the threat, and we can confirm it has been successfully
contained,” the co-op said in a statement.

New Cooperative is working to transport grain to livestock and poultry
farms that rely on it for feed supplies, a person familiar with the matter
said. The organization also disabled its soil-mapping platform as a
precautionary measure to protect customers from hackers, the person said.

The farming service provider is the latest victim in a monthslong surge in
cyberattacks against businesses that has pushed the Biden administration to
increase security measures and call for an international crackdown on
hacking gangs. U.S. officials say they are particularly concerned with
attacks on critical infrastructure that could disrupt broader economic
sectors or supply chains.

A recently launched ransomware group known as BlackMatter said on its
website that it had encrypted New Cooperative’s data and stolen 1,000
gigabytes worth of files, including invoices, research and development
documents, and the source code to its soil-mapping technology. The hackers
demanded $5.9 million in cryptocurrency by Sept. 25 for a tool to decrypt
the data, according to cybersecurity firm Recorded Future, which tracks
ransomware attacks but isn’t working with New Cooperative.

New Cooperative warned its attackers in an online chat that they were
targeting critical infrastructure and could face a more forceful government
response as a result, according to screenshots of the conversation taken by
Recorded Future and viewed by WSJ Pro Cybersecurity.

“Do not threaten us, otherwise you will stay without a decryption,”
BlackMatter replied, threatening to double the price.

New Cooperative didn’t respond to a request for further comment.

Cybersecurity experts say BlackMatter bears similarities to DarkSide, the
group that hacked Colonial Pipeline Co. in May and triggered a six-day
shutdown of the largest conduit for gas on the East Coast. DarkSide told
associates soon after that it would cease operations, citing the disruption
of its computer infrastructure. The Federal Bureau of Investigation later
seized a portion of Colonial’s $4.4 million ransom payment.

Cyber researchers say BlackMatter uses similar types of malware and
overlapping cryptocurrency wallets with DarkSide, suggesting the hackers
may have rebranded under a new name to avoid law-enforcement scrutiny.

The Biden administration has urged Russian President Vladimir Putin to
prosecute ransomware gangs, many of which work out of formerly Soviet
states, and push them to avoid targeting critical infrastructure such as
food and agriculture. In June, the meat-processing giant JBS SA paid
attackers $11 million after a hack disrupted its computer systems and
forced it to temporarily halt operations across the U.S.

BlackMatter says on its site that it won’t target critical infrastructure
such as hospitals, pipelines and power plants. Individuals behind the site
didn’t immediately respond to a request for comment.

The Cybersecurity and Infrastructure Security Agency declined to comment on
the incident. The FBI, which earlier this month warned of ransomware
attacks targeting the agriculture sector, said it is aware of the situation
but declined to comment further.

Allan Liska, a senior solutions architect at Recorded Future, said
BlackMatter’s site suggests it hacked New Cooperative on or before Sept.
18. Regardless of whether the co-op is considered critical infrastructure,
he said, attacks on such sectors are likely to draw more pushback.

“That didn’t go so well for DarkSide last time,” Mr. Liska said,
referencing the Colonial Pipeline attack.