Ransomware attack on KP Snacks is harbinger of more supply chain woes to come
By Marty Edwards, Tenable vice president of OT security, and Silas Cutler, principal reverse engineer at Stairwell
The global supply chain crisis triggered by the pandemic is causing manufacturing and delivery bottlenecks, supply shortages and revenue impacts across the ecosystem. You are likely very aware of this.
Volatility such as this is exactly the kind of situation cyber-attackers like to take advantage of...and they are. The Conti group of Russian hackers is believed to have launched a ransomware attack on German-based Kenyon Produce, aka KP Snacks, last month, disrupting its manufacturing and distribution operations.
This is just the latest in a string of cyber-attacks on the food industry, a high-value target for hackers aiming to hit companies with deep pockets and millions of customers. Wisconsin-based Schreiber Foods was hit with a ransomware attack in December, leading to a shortage of cream cheese and other dairy products, and a ransomware attack last May on Brazilian-based meat supplier JBS impacted beef supplies across multiple countries. JBS ended up paying the hackers $11 million in ransom. These attacks will continue, and food manufacturers and distributors should be prepared to defend against them.
Conti reportedly displayed samples of stolen KP Snacks data, including credit-card statements, Social Security numbers, employee addresses, and other sensitive data on their private data-leak page, according to a screenshot taken by Bleeping Computer. This post has since been removed, potentially indicating negotiations were underway for decryption of ransomed systems.
Groups like Conti are known to use a two-prong approach when conducting attacks: first the ransoming of an organization's data, followed by the private sale or public disclosure of sensitive internal data. By their nature, ransomware attacks cause severe disruptions to an organization's infrastructure; even a well-established IT team can require weeks to fully recover—even after paying ransom demands and receiving tools to decrypt systems.
Conti is well-known for broadly targeting companies with revenues of more than $100 million. Access to these companies is often sold to ransomware-as-a-service (RaaS) providers, like Conti, who handle victim negotiation and in turn share a percentage of the profits with all parties involved. A key challenge in tracking and eventually attributing ransomware attacks is that access brokers will often work with multiple RaaS groups in order to maximize their own profits.
The KP Snacks ransomware attack is yet another reminder of the need for strong security protocols as organizations’ IT and OT networks continue to converge. Most ransomware attacks exploit a lack of cyber-hygiene that threat actors anticipate. Organizations must protect themselves by doing the basics well—beginning with having complete visibility into all assets, including cloud, IT and OT.
Attackers leverage a variety of mechanisms, including Active Directory misconfigurations or trust relationships, as well as exploiting well-known vulnerabilities that should have been remediated. It is only a matter of time before these typically IT-oriented attacks begin to affect OT systems more directly and more dramatically, and more organizations fall victim.
What organizations should learn from this incident is that basic security principles can go a long way. Without implementing them, any business can and should expect disruption of core functions such as manufacturing and shipping. Keeping regular backups and practicing disaster-recovery procedures are critical best practices that help organizations respond to these types of threats.
The food industry will continue to be targeted by bad actors, but with proper preparation manufacturers and suppliers can better defend themselves and focus on mitigating pandemic-prompted supply chain issues.