Researchers Believe NEW Cooperative Targeted By BlackMatter Gang
NEW Cooperative Inc., an Iowa-based farm services co-op, has reportedly been targeted by the BlackMatter ransomware gang, which is demanding a $5.9 million payment from the organization, according to security researchers and published reports.
The attack itself appears to have happened on Friday and might be the work of a Russian-speaking cyber gang called BlackMatter, according to Allan Liska, an intelligence analyst at Recorded Future. And while the BlackMatter gang is relatively new, several security researchers believe the group is a reconstituted version of an organization called DarkSide, which targeted Colonial Pipeline Co. in May and disrupted fuel deliveries along the U.S. East Coast (see: BlackMatter Ransomware Appears to Be Spawn of DarkSide).
In a statement given to several media outlets, NEW Cooperative confirmed that it’s investigating a “cyber incident” that is affecting some of its IT systems and devices and that the organization is working with law enforcement to investigate.
“Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained,” according to the statement. A NEW Cooperative spokesperson tells Information Security Media Group on Monday that it hopes to publish more information soon.
A spokesperson for the U.S. Cybersecurity and Infrastructure Security Agency referred all questions back to NEW Cooperative.
The Fort Dodge, Iowa-based NEW Cooperative was founded in 1973 and is a member-owned farmer cooperative with 60 operating locations throughout north, central and western Iowa. Its granaries are where farmers take their crops for further distribution.
In a reported conversation between the cooperative and BlackMatter published by security researchers on Twitter, NEW Cooperative tells the gang that it is considered part of the country’s critical infrastructure that supplies food throughout the U.S. and that CISA would be asking questions about what is happening.
BlackMatter #Ransomware group just ransomed another food critical infrastructure in the US. The ransom demand is $5,900,000 for now
— DarkFeed (@ido_cohen2) September 20, 2021
Since the ransomware attack against Colonial Pipeline took place in May, vulnerabilities in U.S. critical infrastructure have become one of the top cybersecurity priorities of the White House. When President Joe Biden met Russian President Vladimir Putin in June, Biden warned the Russian government about cybercriminal gangs operating within its borders and detailed 16 critical infrastructure sectors, including food supply and agriculture, which should be off-limits (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).
The Russian government has denied allowing cybercriminals and ransomware gangs to operate freely within its national boundaries.
Liska notes that if BlackMatter did target NEW Cooperative, and if the organization has difficulty moving grain and other supplies, the U.S. government would likely respond.
“What will be interesting to find out going forward is how long BlackMatter was in the network before they launched the attack,” Liska says. “If – and this is a big if because BlackMatter is not known for their planning and forethought – they were in the network for a while and waited to deploy the ransomware to disrupt harvest, that is going to make this attack much worse in the eyes of the U.S. government, and BlackMatter is fully aware of what happens when the U.S. government decides you are a threat.”
If NEW Cooperative was indeed hit by BlackMatter, the cooperative faces what security firm Cybereason calls the gang’s “quadruple extortion” racket. In that scheme the gang crypto-locks files with malware and steals data, then threatens to release the stolen information publicly or sell it to a competitor, and additionally threatens the victim with further consequences if law enforcement, data recovery experts or negotiators are contacted.
In screenshots of BlackMatter’s non-public site obtained by Bleeping Computer, the gang claims to have stolen about 1TB of data from the cooperative, including source code for the soilmap.com project, R&D results, sensitive employee information, financial documents, and an exported database for the KeePass password manager. If that export was made in one of KeePass’s plaintext formats, such as CSV or XML, rather than as an encrypted KDBX file, the stored credentials would be directly readable to the attackers.
Jake Williams, formerly of the National Security Agency’s elite hacking team, suspects that the BlackMatter gang may have mistaken the NEW Cooperative organization for an IT company or software firm before initiating the attack.
“The threat actors may view NEW Cooperative as an IT company, possibly owing that distinction to the SoilMap software product,” Williams, who is now the CTO and cofounder of BreachQuest, says. “Ironically, this distinction would be meaningless to the administration since the information technology sector is also considered critical infrastructure under the designations from Department of Homeland Security and CISA.”
The reported ransomware attack against NEW Cooperative is the second time this year that a major organization within the U.S. food supply and agriculture sector has been hit.
In May, a ransomware attack disrupted operations at meat processing giant JBS for nearly a week, which exposed numerous cybersecurity shortcomings within the U.S. agricultural sector. It also raised questions about what these large-scale security incidents could mean for the nation’s food supply chain (see: Where’s the Beef? Ransomware Hit Highlights Cyber Problems).
Chris Morgan, a senior cyber threat intelligence analyst at security firm Digital Shadows, says U.S. agriculture and food suppliers are already under stress from the COVID-19 pandemic, and incidents such as the one affecting NEW Cooperative are likely to add to that burden.
“The attack also comes at a time where COVID-19 has resulted in global shortages of truck drivers, which is impacting food supply chains,” Morgan says. “The risk posed by ransomware groups targeting food and beverage and agricultural sectors was highlighted by the FBI in early September, who stated that the systems used by agriculture – including industrial control systems and smart technologies – were being actively targeted by ransomware groups.”