Advertisement

SKIP ADVERTISEMENT

Russian Cybercriminal Group Was Behind Meat Plant Attack, F.B.I. Says

Meat processing plants operated by JBS, which handles a fifth of the cattle and hog slaughter in the U.S., were coming back online on Wednesday but were not all at full capacity, union officials said.

A dormant JBS processing plant in Greeley, Colo.Credit...Chet Strange/Getty Images

The perpetrators of a ransomware attack that shut down some operations at the world’s largest meat processor this week was a Russian-based cybercriminal group known for its attacks on prominent American companies, the F.B.I. said Wednesday.

The group, known as REvil, is one of the most prolific of the roughly 40 ransomware organizations that cybersecurity experts track and has been identified as responsible for a coordinated strike against operations in almost two dozen Texas cities in 2019.

The group is among dozens of ransomware groups that enjoy safe harbor in Russia, where they are rarely arrested or extradited for their crimes. REvil, which stands for Ransomware Evil, is known as a “ransomware as a service” organization, meaning it leases its ransomware to other criminals, even the technically inept. One of its previous affiliates was a group called DarkSide, which was responsible for the ransomware attack last month on Colonial Pipeline, a conduit for nearly half the gas and jet fuel to the East Coast. DarkSide is believed to have split off from REvil last year.

REvil is considered one of the most sophisticated ransomware groups and has demanded as much as $50 million to recover data belonging to companies as prominent as Apple. Its attack on JBS, a Brazilian company that accounts for roughly a fifth of cattle and hog slaughter in the United States, temporarily shut down some operations at a time when prices were already surging for beef, poultry and pork.

Some JBS employees arriving to work over the weekend were greeted with a digital ransom note that had been used in previous REvil attacks, people briefed on the attack said. REvil has targeted some 237 organizations since 2020, according to Recorded Future, a cybersecurity firm. The number of victims could be much higher given that many quietly pay their extortionists to spare their reputations and avoid the cost of having to rebuild their data from scratch.

Like the Colonial Pipeline incident before it, the ransomware attack on JBS demonstrates how a single breach of an American business can have wide-ranging impact. It also drew further awareness to ransomware invasions, which have become a digital scourge over the past year. Just days after the attack on Colonial Pipeline triggered jet fuel shortages and panic buying, a different group of cybercriminals held the Irish national health system hostage with ransomware. In just the past week, dozens more organizations have been hit, ranging from the City University of New York, to the Massachusetts Steamship Authority, which runs ferries to Martha’s Vineyard and Nantucket, to the Birmingham Barons, a minor-league baseball team.

“We’re only going to see these ransomware attacks on major, international businesses continue,” said Allan Liska, an intelligence analyst at Recorded Future who is tracking some 38 ransomware groups, the vast majority of which are based in Russia, with a few in Iran and one in North Korea.

Production began to resume at nine JBS beef plants in the United States on Wednesday. Thousands of workers at JBS’s beef, pork and poultry plants in Australia, Canada and the United States were affected as shifts were altered or canceled on Monday and Tuesday. Many of JBS’s pork and poultry plants and a beef plant in Canada were at least partially operational on Tuesday.

Union officials said Wednesday that beef plants were operational but were not at full capacity yet. JBS had said late Tuesday that the “vast majority” of its plants would reopen the next day.

About 400 workers were back on the job at the JBS beef plant in Souderton, Pa., versus about 1,500 who would work in a typical day, said Wendell Young IV, the president of the United Food and Commercial Workers Local 1776, which represents workers at the plant. A JBS beef plant in Cactus, Texas, canceled work for many employees scheduled for one of its shifts on Wednesday, according to a Facebook post meant for workers.

Mr. Young added that the company had told the union that the plant would be running essentially as normal by Thursday, although workers’ start times would be delayed by a few hours.

JBS has not said whether it has paid its attackers and did not return requests for comment.

The disruptions come at a time when prices for beef as well as chicken and pork have been skyrocketing. Meatpacking plants are struggling to meet high demand, largely because of the same labor-shortage issues that restaurants and other industries have struggled with in the pandemic.

“We’ve got this logjam happening at the slaughterhouses, and that’s happening when demand, both domestic and export, has been exceptional,” said Don Close, a senior animal protein analyst at RaboResearch.

In recent months, reopened restaurants began putting in orders for beef, pork and poultry again and people began gathering and grilling outside as vaccination levels rose and the weather became warmer. The increase in demand, combined with the hiring challenges, has caused wholesale beef prices to shoot up 49 percent since mid-March and prices of steak cuts to skyrocket 64 percent, according to the Department of Agriculture.

“Everyone suddenly woke up to the reality that we didn’t have enough product around,” said Altin Kalo, the head economist at Steiner Consulting Group, which analyzes and creates forecasts about the protein industry.

Mark Lauritsen, the international vice president who oversees meatpacking for the food workers union, said that many meatpacking plants in the United States have been about 10 to 20 percent below full staffing levels but that the situation was gradually improving as the union negotiated wage increases with companies like JBS.

In the wake of the closure of JBS plants on Monday and Tuesday, the Department of Agriculture estimated a drop-off in the number of cattle and hogs slaughtered across the country that Mr. Kalo said roughly correlated with JBS’s market share.

A big chunk of beef produced by a meatpacker like JBS on any given day is earmarked for standing orders for large, national grocery store chains like Kroger or restaurants like McDonald’s, Mr. Kalo said. A smaller portion is available each day for purchase in the “spot market” by smaller grocery store or restaurant chains, he said.

The shutdown at JBS could cause that supply to further tighten, with the meatpacker likely to fulfill the big, standing orders first, leaving less for the smaller buyers.

“That supply is where you’ll see a spike — a spike in wholesale beef prices over the next few days or even through the end of the week,” Mr. Kalo said.

Higher wholesale beef prices are often being passed along to consumers, albeit at smaller price increases. So far this year, the price of beef in the grocery store is 6 percent above what it was at this time last year, according to NielsenIQ.

The attack highlighted concerns about the vulnerability of critical American businesses. Jen Psaki, the White House press secretary, urged companies on Wednesday to increase their cybersecurity measures, saying it was “up to a number of these private-sector sector entities to protect themselves.”

Ms. Psaki declined to say whether the U.S. government was planning to retaliate. “We’re not taking any options off the table in terms of how we may respond, but of course there is an internal policy review process to consider that,” she said.

Among REvil’s other victims are E. & J. Gallo, the winemaker, which was hit this year, and Quanta Computer, an Apple supplier. In April, REvil held Quanta Computer hostage, then demanded $50 million from Apple in exchange for not releasing proprietary product plans. REvil eventually dumped confidential schematics for Apple laptops and a new Apple watch online on April 20, the day of a major Apple product announcement, but later scrubbed them from its site. The group also hit 23 cities in Texas in a coordinated ransomware attack in 2019 that froze up courts, law enforcement, real estate transactions and water bill payments.

REvil’s ransomware, like DarkSide’s, screens victims based on what languages they speak and goes out of its way to avoid infecting computers that belong to Russians, Syrians and those in post-Soviet states.

Typically, the group publishes stolen data on a website it calls its “Happy Blog,” but as of late afternoon Wednesday none of JBS’s data had appeared online. That suggested that perhaps REvil had not stolen the data it had held hostage, or that the company was still in negotiation with the group, said Mr. Liska of Recorded Future. JBS has said it believes none of its data had been stolen.

Ms. Psaki said Wednesday that the administration was in direct contact with the Russians and that President Biden would bring up the issue of cyberattacks with President Vladimir Putin of Russia when they meet in two weeks.

“Responsible states do not harbor ransomware criminals,” she said.

Nicole Perlroth is a cybersecurity and digital espionage reporter. She is the bestselling author of the book, “This Is How They Tell Me The World Ends,” about the global cyber arms race. More about Nicole Perlroth

Noam Scheiber is a Chicago-based reporter who covers workers and the workplace. He spent nearly 15 years at The New Republic magazine, where he covered economic policy and three presidential campaigns. He is the author of “The Escape Artists.” More about Noam Scheiber

Julie Creswell is a New York-based reporter. She has covered banks, private equity, retail and health care. She previously worked for Fortune Magazine and also wrote about debt, monetary policy and mutual funds at Dow Jones. More about Julie Creswell

A version of this article appears in print on  , Section B, Page 1 of the New York edition with the headline: F.B.I. Names Cyber Group Behind Meat Sector Attack. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT