UPDATE: June 3, 2021: The FBI attributed the JBS USA ransomware attack to Russia-based cybercriminal gang REvil on Wednesday. "We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable," the law enforcement agency said in a statement. "A cyberattack on one is an attack on us all."
President Joe Biden "will discuss" recent cyberattacks with Russian President Vladimir Putin in an upcoming summit, Press Secretary Jen Psaki told reporters Tuesday, before the FBI made its statement. "Of course, there's an internal policy review process to consider that. We're in direct touch with the Russians, as well, to convey our concerns about these reports," she said during Wednesday's press briefing.
JBS and Pilgrim are "on schedule to resume production at all their facilities" Thursday, the company said Wednesday. The meat producer anticipates its North America- and Australia-based operations to reach full capacity Thursday, after pork, poultry and prepared foods facilities resumed operations Tuesday.
- The White House and the Department of Agriculture have "offered assistance" to JBS USA following its ransomware attack Sunday, Deputy Press Secretary Karine Jean-Pierre said in a press gaggle on Air Force One Tuesday.
- JBS USA, a subsidiary of Brazil-based meat supplier JBS S.A., suspended all affected systems, though its backups were not impacted, the company said in its disclosure Monday. The company is responsible for more than 61 million daily 4 ounce-servings of beef, one of the top beef producers in the country, close to Tyson Foods.
- JBS made "significant progress" toward restoration, the company said Tuesday. "Our systems are coming back online … Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow," Andre Nogueria, JBS USA CEO, said in the announcement.
JBS notified the White House of the attack Sunday, and said the cyberattack was likely Russia-based. In response, the administration is "engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals," Jean-Pierre said. JBS did not immediately return a request for comment.
The Biden administration has been out front with cyberattacks, following the Colonial Pipeline ransomware attack that also caused consumer-facing delays.
"Combating ransomware is a priority for the administration," said Jean-Pierre. President Joe Biden has laid out a number of strategic efforts to combat ransomware, including:
- Disrupting ransomware infrastructure in partnership with the private sector
- Developing an international coalition to handle cybercriminals in safe haven countries
- Expanding cryptocurrency analysis to trace ransom-related transactions
- Reviewing the government's ransomware policies
Geopolitics play a role in cyberspace, making attribution a sensitive matter. In 2020, an average of at least 10 cyberattacks per month were attributed to nation-state actors, according to a study by Dr. Michael McGuire and sponsored by HP, published in April.
It is unusual for the White House to engage with a country based on a cyberattack victim's sense of attribution, said Austin Berglas, global head of professional services, at BlueVoyant and former assistant special agent in charge of cyber at the FBI. Attribution is typically based on analysis gathered from indicators of compromise and tactics, techniques, and procedures (TTPs), "some of which are often classified."
"Law Enforcement and the intelligence community will not recommend attribution without a high level of confidence — publicly attributing without the appropriate due diligence could have meaningful negative geo-political impact," he said. Before the federal government acts, it wants reassurance from its investigators.
Berglas and Marcus Fowler, director of strategic threat at Darktrace and former department chief with the CIA, agreed that early attribution requires a delicate balance. "If a public attribution is found to be incorrect, it undermines future ability to reliably attribute attacks to specific nation-states," Fowler said.
While JBS is headquartered in Brazil, the ransomware attack is disproportionately impacting North American and Australian IT systems and operations. The company is working with the FBI for the investigation, which is coordinating with the Cybersecurity & Infrastructure Security Agency (CISA) to aid in JBS' technical recovery, said Jean-Pierre.
CISA encourages global companies to engage with the agency, but like domestic companies, they're not required to include CISA. While the expectation to contact CISA is not established for all industries, there are exceptions. Companies with critical infrastructure are mandated to work with federal agencies in their cybersecurity — food and agriculture are considered one of CISA's critical infrastructure sectors.
JBS' North American-based slaughterhouses were closed Sunday, and if the recovery is prolonged, consumers could expect an increase in meat prices.
It's the second time in a month Americans are seeing real-world impacts of cyberattacks. "We witnessed skyrocketing gas prices just a few weeks ago, will higher food prices be next?" said Fowler.
As the investigation continues, experts warn of disclosing too much too soon. While regulatory bodies or state laws might expect companies to be transparent about an attack, Berglas warns public announcements can have an adverse effect on investigations. They might "alert the criminals and prompt them to clean up," therefore hurting monitoring efforts.