Cisco discloses that Ukraine war highlights weakness to cyberattacks across agriculture sector

The Russian war of aggression in Ukraine has caused massive problems for global food supplies, underscoring the high impact of disruptive events on agriculture entities and related organizations, Cisco Talos has found. Additionally, the challenges to the Ukrainian agriculture sector imposed by the war and global ripple effects have been documented and garnered international attention.

“Ukraine has been a frequent victim of state-sponsored cyber-attacks aimed at critical infrastructures like power and transportation,” Joe Marshall, a senior security strategist ICS at Cisco Talos, wrote in a company blog post. “Russia’s invasion of Ukraine not only increased the risk to these sectors but also effectively sparked a global food crisis, with the war driving rising prices and scarcity of many essential foods desperately needed by consumers around the world.” 

Marshall also focused on the exposed fragility of the global food supply chain that will likely have implications for future cyber threats, as adversaries are notorious for targeting vulnerable sectors with low downtime tolerance and insufficient cyber defenses. Such activity has been seen recently in the wave of ransomware attacks against healthcare entities during the COVID-19 pandemic.

Cisco also pointed out that ransomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during planting and harvesting seasons, when they cannot suffer disruptions. “We judge that the current media spotlight on these issues will motivate cyber threat actors to conduct future attacks on this industry as they realize the consequences of prolonged disruption for related entities and potential leverage they would have over victims.”  

Recent cybersecurity incidents across the food and agriculture sector include a ransomware attack last January in which hackers targeted an identified US farm, resulting in losses of approximately US$9 million due to the temporary shutdown of its farming operations. Last March, a ransomware attack on beverage maker Molson Coors affected its systems and disrupted its business operations, including production and shipping. Later on, in May, cyber actors using a variant of the Sodinokibi/REvil ransomware compromised computer networks across the U.S. and overseas locations of a global meat processing company, JBS Foods. The attack led to the possible exfiltration of company data and the shutdown of some U.S.-based plants for several days.

Last July, Sodinokibi/REvil ransomware attackers targeted a U.S. bakery company that halted its production and shipping. Food cooperative NEW Cooperative was also targeted by the BlackMatter ransomware group in September (BlackMatter ransomware comes as a successor to DarkSide, LockBit, and REvil). That attack was followed by another, as food cooperative Crystal Valley said ransomware attackers had also targeted it.

The agriculture sector is evidently highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. Cisco assesses that future threats to the agriculture sector will mainly include financially motivated ransomware actors and disruptive attacks carried out by state-sponsored APTs. Additionally, network defenders and leaders should consider their business resiliency in agriculture or adjacent industries.

“While we know that the agriculture sector is vulnerable, the war in Ukraine has exacerbated this threat, clearly demonstrating the global consequences of disruptive activity,” Marshall said. The world is already facing several stresses on the global economy and supply chain, including rising costs of food, inflation, and the ongoing COVID-19 pandemic. He adds that food insecurity, starvation, and additional global unrest are assured as the war in Ukraine rages on.

Ukraine is often referred to as the ‘Breadbasket of Europe,’ and was the sixth-largest exporter of wheat in the world in 2021, accounting for 10 percent of the market share. According to the U.S. Department of Agriculture, agriculture also employs 14 percent of Ukraine’s population. The war has left Ukraine with limited access to seaports to export its extensive backlog of wheat and other agricultural products. Furthermore, it led to a lack of grain storage capacity for current harvests, as grain is trapped in silos and there are very poor logistics to export out of the country via methods other than bulk oceanic freight.

Marshall assesses that industry-specific instability is enticing to attackers, as victims are seen as more willing to pay an extortion fee in exchange for the return of their data and networks. “The more unstable and exposed the industry, the more compelling it is to an attacker. Nation states may also see agricultural instability as an opportunistic way to project power and advance national interests,” he adds.

Critical infrastructure, like agriculture, is part of a complex and interwoven network of critical services that let society function. Cyber attacks on that infrastructure will always carry value to a nation-state advanced persistent threat actor. The ability to disrupt or deny critical services is a potent weapon to enforce one nation’s will over another. Even indirect attacks can affect agriculture. Additionally, cyber-attacks launched against energy or water industries can create a ripple effect that impedes the ability of agriculture to produce at optimum. Ukraine has a long history of suffering these kinds of cyber-attacks, including the costly NotPetya attack that was attributed to Russian APTs.

“There are also mutual interests that criminal ransomware cartels and the Russian government share. Ransomware cartels are not shy about their relationships with Russia,” according to Marshall. Many ransomware gangs also operate within that country’s borders with relative impunity. These groups often act as proxy state-sponsored actors and have financial interests that align with the Russian government. Russia is kinetically targeting agriculture with the express intent of creating additional food chain supply insecurity. Ransomware cartels also want to extort victims and additional food and supply chain disruptions continue to favor Russian interests.  

Much like the Colonial Pipeline ransomware attack, Marshall said there are unintended consequences of a cyber-attack that trickle down to how businesses can operate in an industrial environment. As defenders, “we must consider our integrations into industrial operations. Agriculture industries are rapid adopters of industrial automation. The imperative to produce rapidly and deliver to market is driving companies to remove the human element where possible,” he adds.

Marshall calls upon the security community to consider this an opportunity to improve their situational awareness. “By just maintaining awareness of outside events, we can draw a better picture of the current security risks. It can be easy to dismiss global events as having no additional effects on an organization’s cybersecurity posture — we’re under constant attack as it is. Instead, consider not the ‘what’ but the ‘why’ of adversary motivations and how that can affect potential targets. Understanding that could make all the difference in keeping businesses safe and productive,” he adds. 

Another aspect that Marshall addresses is that now is an ‘opportune time’ for executive leadership to evaluate accepted business risks while taking the time to understand how interconnected agriculture operations are with the corporate offices. He also asked whether an organization could function as a business should a ransomware attack affect it, while also analyzing the investments made to build resilience into operations.

Cisco suggests a proactive stance and training for climatic events like a cyber-attack, using third-party services to give unbiased evaluations of organizational resiliency and recovery while working on resisting complacency. Cybersecurity threats evolve and shift, as do global events. “Maintaining strong situational awareness could be the critical deciding factor between a crippling costly cyber-attack and a resilient enterprise able to weather any storm. The fate of the world’s agricultural supply chain could rely on it,” the post adds.
