BlackMatter ransomware hits the US food supply chain

September 21, 2021

Published with permission from CyberTalk

EXECUTIVE SUMMARY:

In Iowa, over this past weekend, an agrarian business that plays a critical role in the American food supply chain experienced a cyber attack. NEW Cooperative, based in Fort Dodge, began operations in 1973 and is a member-owned farm cooperative that maintains 60 operating locations across the state.

Launched by the BlackMatter ransomware group, the attack could have massively disrupted grain, chicken and pork availability within the US. Within the grain business alone, the company is involved in operations such as running grain storage elevators, selling fertilizer, purchasing grain from farmers and providing agricultural enterprises with new technologies. “About 40% of grain production runs on our software,” said a New Cooperative spokesperson.

The National Security Agency’s elite cyber team believes that the BlackMatter threat actors may have mistaken New Cooperative for an IT firm. New Cooperative produces a software product called SoilMap, which may have contributed to a case of mistaken identity.

The BlackMatter ransom demand

The BlackMatter group demanded a $5.9 million ransom payment from New Cooperative. In exchange, the attackers would provide a decryption key. Further, if the ransom were not paid by a Saturday deadline, the group threatened to publish 1 terabyte of proprietary data that it claimed to have stolen from New Cooperative.

Since the attack, New Cooperative has taken systems offline, and IT experts have successfully contained the threat. The cooperative has also notified law enforcement and continues to work with information security professionals to investigate and remediate the attack.

Questions have also been asked about how long the ransomware group lingered in the cooperative’s systems (its dwell time) before actually launching the attack. At present, this remains unknown, although it is under investigation.

The BlackMatter group’s hidden identity

Experts remain divided over whether the BlackMatter group is a “rebrand” of the REvil group or of the DarkSide group, or an entirely independent gang. The REvil gang “disappeared” earlier this summer, and the DarkSide group vanished from the dark web shortly after the Colonial Pipeline attack.

High-profile ransomware attacks 

This attack represents the fourth significant, high-profile cyber attack directed at US critical infrastructure entities in recent months, according to former CIA cyber official Marcus Fowler.

The Biden Administration has declared 16 critical infrastructure sectors “off-limits” to nation-state backed hacking. Biden has called on cyber crime gangs, and on the governments that harbor them, to stop the blitz of attacks on critical industry. However, this attack on food and farmland indicates that Biden’s talks and warnings may have fallen on deaf ears.

When confronted about this issue, the BlackMatter threat actors responded that they did not agree with the assessment of agrarian enterprises as “critical industry”. The FBI reports that food and agricultural groups are active targets of cyber threats. Downstream effects could impact retail groups, hospitals, restaurants, and the average consumer.