Skip to content

Ransomware Disrupts Meat Plants in Latest Attack on Critical U.S. Business – The New York Times

A cyberattack on the world’s largest meat processor forced the shutdown of nine beef plants in the United States on Tuesday, according to union officials, and disrupted production at poultry and pork plants. The attack could upset the nation’s meat markets and raises new questions about the vulnerability of critical American businesses.

The company, JBS, said the majority of its plants would reopen on Wednesday. But even one day’s disruption at JBS could “significantly impact” wholesale beef prices, according to analysts at Daily Livestock Report.

The breach at JBS was a ransomware attack, the White House said — the second recent such attack to freeze up a critical U.S. business operation. Last month, a ransomware attack on Colonial Pipeline, which transports gas to nearly half the East Coast, triggered gas and jet-fuel shortages and panic buying.

JBS, which is based in Brazil and accounts for one-fifth of the daily U.S. cattle harvest, said in a statement late Tuesday that it had made “significant progress resolving the cyberattack.”

“Our systems are coming back online, and we are not sparing any resources to fight this threat,” Andre Nogueira, the chief executive of JBS USA, said in the statement.

The Department of Agriculture said Tuesday that it was working with other producers to help minimize any shortages.

All nine JBS beef plants in the United States were shut down on Tuesday, according to the United Food and Commercial Workers International Union, which represents workers at JBS’s beef and pork factories. The company’s poultry and pork plants in the United States posted on Facebook that they had canceled shifts or altered production scheduled for Monday or Tuesday, with some of them citing “I.T. issues.”

In addition to the company’s U.S. plants, the shutdowns affected 2,500 workers at a beef plant in Brooks, Alberta, according to Scott Payne, a spokesman for United Food and Commercial Workers Local 401 in Canada. “All shifts were canceled yesterday,” he said on Tuesday. “The morning shift was canceled today. But the afternoon shift has been rescheduled to operate today.”

Even as the plants started to come on line, at least one beef plant delayed the start of production on Wednesday and another altered one of its shifts, according to posts from the plants.

As restaurants and retail customers have started buying beef heading into summer, the wholesale market has been “extremely tight,” the analysts for Daily Livestock Report wrote in a report released on Tuesday. They noted that a small restaurant in southern Utah had started to charge an extra $4 for dishes that contained carne asada.

“Retailers and beef processors are coming from a long weekend and need to catch up with orders and make sure to fill the meat case,” the analysts wrote. “If they suddenly get a call saying that product may not deliver tomorrow or this week, it will create very significant challenges in keeping plants in operation and the retail case stocked up.”

An extended disruption, the analysts warned, “could add gasoline to an already large flame.”

JBS has said that it was the target of an “organized cybersecurity attack” that affected systems in North America and Australia, that its backup servers were not affected and that it did not expect that any customer, supplier or employee data was exposed.

Karine Jean-Pierre, a White House deputy press secretary, told reporters on Air Force One on Tuesday that JBS had told the Biden administration that it was a ransomware attack, and that the ransom demand had come from “a criminal organization likely based in Russia.”

The Federal Bureau of Investigation was investigating the hack, and the Cybersecurity and Infrastructure Security Agency was also involved, Ms. Jean-Pierre said.

“The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” she said.

In two weeks, President Biden is scheduled to meet the president of Russia, Vladimir V. Putin, in Geneva for a summit in which a variety of cyberattacks, many emanating from Russia, are high on the American agenda.

One recent breach leveraged software called SolarWinds to infiltrate more than 250 federal agencies and businesses. It has been considered the most serious attack because it got to the question of whether the United States can trust its supply chain of software. SolarWinds, the United States has said, was the work of the S.V.R., one of Russia’s premier intelligence agencies.

Last week, the S.V.R. was blamed for a breach that hijacked the company that distributes emails on behalf of the United States Agency for International Development, sending links containing malware to organizations that have been critical of Mr. Putin.

But ransomware attacks have taken on additional urgency after hackers hit Colonial Pipeline last month. The pipeline’s operator shut down its systems after the attack, triggering price surges, panic buying and jet-fuel shortages. The company later acknowledged paying $4.4 million to recover its data.

The Colonial Pipeline attack was the work of a ransomware operator called DarkSide, which Mr. Biden said was based in Russia.

The culprit behind the JBS attack has not been publicly identified. Cybersecurity specialists said Tuesday that blogs and online channels frequented by major ransomware groups had gone quiet — most likely, they said, because the group responsible was waiting to see whether JBS would pay.

The U.S. government has been at a loss for how to address the attacks, given that many of the groups responsible operate from Russia, where they largely enjoy safe harbor. Russia has refused to extradite its hackers, and it frequently taps them for sensitive intelligence operations.

Mr. Biden said after the Colonial Pipeline attack that Russia was partly to blame even though there was no evidence that the government was involved.

“We have been in direct communication with Moscow for the imperative for responsible countries to take decisive action against these ransomware networks,” Mr. Biden said. “We’re also going to pursue a measure to disrupt their ability to operate.”

He did not rule out the possibility that the United States would carry out a retaliatory cyberattack against the criminals responsible for the pipeline attack. After Mr. Biden’s remarks, DarkSide’s criminals said they would shut down, though cybersecurity experts cautioned that they were likely to rebrand and resurface.

David E. Sanger and William P. Davis contributed reporting.