Employees walk at the JBS USA meat packing plant in Greeley, Colorado, the US, April 14 2020. Picture: REUTERS/SHANNON STAPLETON

The hackers who used ransomware to shut down JBS, the world’s largest meat producer, explored the potential attack in February and stole data for several months from the food giant’s locations in Australia and Brazil, according to security researcher SecurityScorecard.

The “reconnaissance” phase of the cyberattack, in which hackers learn about a target and where they might exploit it, began in February, according to a report from SecurityScorecard shared with Bloomberg.

The research is based on multiple public and private sources of intelligence, observations on the dark web and investigative tools such as NetFlow, which tracks digital traffic flows, said Ryan Sherstobitoff, vice-president of cyber threat research and intelligence at SecurityScorecard.

A spokesperson for JBS USA disputed the findings, saying they were inconsistent with a preliminary investigation conducted by third-party experts.

“We have discovered no evidence that any company data was exfiltrated, and no evidence that Brazil was affected in any way,” said Nikki Richardson, the spokesperson. “The investigation is ongoing, and it would be irresponsible for us to comment on speculative reports or unfounded rumours.

“The fact is that the company’s cybersecurity protocols allowed for a quick resolution to this targeted criminal attack, resulting in the loss of less than one day’s worth of production,” she said.

The ransomware attack late last month forced JBS to stop production at its beef plants in the US — accounting for almost 25% of American supplies — and slow pork and poultry operations. The FBI has attributed the incident to REvil, a hacking group that researchers say has links to Russia.

It is unknown how or where the hackers broke into the São Paulo-based food company, but in March, they began taking data from JBS’s Australia location, according to the researchers. SecurityScorecard found credentials belonging to employees of the company’s Australia branch on the dark web just before the exfiltration began, Sherstobitoff said.

SecurityScorecard also found evidence suggesting that hackers took data in April and May from a JBS location in Brazil. The company was then hit at end-May with ransomware, which encrypts data until the victims pay to unlock their systems.

“As with all ransomware operations, the attackers are likely interested in exfiltrating data and potentially leaking it on the dark web if victims do not pay,” according to the report. “Typically, the threat actor exfiltrates data before encrypting files, then uses the data to extort the victim for financial gain.”

SecurityScorecard’s research, however, lines up with private sector investigations of the attack, said a person familiar with those probes.

The attackers began taking large amounts of data from the company’s network in Australia in March and continued until the hack was discovered late last month, the person said.

Citing analysis of the hackers’ internet traffic patterns around the stolen data, the person said the attackers appear to have spent an unusually long time stealing information before detonating the ransomware.

Bloomberg News. More stories like this are available on bloomberg.com
