JBS Hackers Took Data From Australia and Brazil, Researcher Says

(Bloomberg) -- The hackers who used ransomware to shut down JBS SA, the world’s largest meat producer, explored the potential attack in February and stole data for several months from the food giant’s locations in Australia and Brazil, according to security researcher SecurityScorecard Inc.

The “reconnaissance” phase of the cyberattack, in which hackers learn about a target and where they might exploit it, began in February, according to a report from SecurityScorecard shared with Bloomberg. The research is based on multiple public and private sources of intelligence, observations on the dark web and investigative tools such as NetFlow -- which tracks digital traffic flows -- according to Ryan Sherstobitoff, vice president of cyberthreat research and intelligence at SecurityScorecard. The company plans to release the report Tuesday.

A spokesperson for JBS USA disputed the findings, saying it was inconsistent with a preliminary investigation conducted by third-party experts.

“We have discovered no evidence that any company data was exfiltrated, and no evidence that Brazil was impacted in any way,” said Nikki Richardson, the spokesperson. “The investigation is ongoing, and it would be irresponsible for us to comment on speculative reports or unfounded rumors.”

“The fact is that the company’s cybersecurity protocols allowed for a quick resolution to this targeted criminal attack, resulting in the loss of less than one days’ worth of production,” she said.

Read more: JBS Rebuffed Call to Boost Cyber Spending, Ex-Employees Say

The ransomware attack late last month forced JBS to stop production at its beef plants in the U.S. -- accounting for almost 25% of American supplies -- and slow pork and poultry operations. The FBI has attributed the incident to REvil, a hacking group that researchers say has links to Russia.

Read more: Russia-Linked Group Behind JBS Attack Revels in ‘Audaciousness’

It is unknown how or where the hackers broke into the San Paolo-based food company, but in March, they began taking data from JBS’s Australia location, according to the researchers. SecurityScorecard found credentials belonging to employees of the company’s Australia branch on the dark web right before the exfiltration began, Sherstobitoff said in an interview.

SecurityScorecard also found evidence suggesting that hackers took data in April and May from a JBS location in Brazil. The company was then hit at the end of May with ransomware, which encrypts data until the victim pays to unlock their systems.

“As with all ransomware operations, the attackers are likely interested in exfiltrating data and potentially leaking it on the dark web if victims do not pay,” according to the report. “Typically, the threat actor exfiltrates data before encrypting files, then uses the data to extort the victim for financial gain.”

SecurityScorecard’s research, however, lines up with private-sector investigations of the attack, said a person familiar with those probes. The attackers began taking large amounts of data from the company’s network in Australia in March and continued until the hack was discovered late last month, the person said. Citing analysis of the hackers’ internet traffic patterns around the stolen data, the person said the attackers appear to have spent an unusually long time stealing information before detonating the ransomware.

©2021 Bloomberg L.P.