A string of ransomware attacks, many linked to Russian groups, is worrying farmers
Hackers have begun targeting Canada's food and agriculture industry, where intricate supply chains mean even small disruptions can have devastating effects. (Albert Leung/CBC)
Jonathan Montpetit & Albert Leung Aug. 10, 2024
The oldest piece of equipment on Chris McLaren’s southern Ontario dairy farm is a W4 International, a four-cylinder tractor his grandfather bought in the 1940s.
Among the newest pieces of equipment is an automated calf feeder that reads a chip in each animal’s ear and delivers them preset quantities of heated milk.
That data is uploaded to a server, and McLaren receives alerts on his phone if one of his calves isn’t drinking enough. If the machine breaks down, a technician can fix it remotely.
“As farms get bigger and bigger, there gets to be more strain on the time for the owner and operators of the farm. So moving towards technology allows you to manage the cattle better,” said McLaren, whose family has owned the farm for nearly 160 years.
But as farms like McLaren’s increasingly become connected — with reams of farming data uploaded daily to cloud servers — they also become more exposed to cyberattacks, including from groups operating with tacit approval of the Russian government.
“With us moving into robotic milking in the next six to eight months, that becomes even more concerning. It's definitely top of mind right now.”
Ag sector considered ‘low-hanging fruit’ by hackers
Ransomware attacks — where hackers encrypt valuable data until a ransom is paid — have for several years been one of the biggest cyberthreats in sectors such as finance, energy and health care.
More recently, though, hackers have zeroed in on the food and agriculture industry, where intricate supply chains mean even small disruptions can have devastating effects.
An attack on Sobeys in 2022 cost the supermarket chain over $30 million in spoilage, repairs and lost sales.
Ontario Pork was hit by two separate cyber-security incidents last year, according to the dark-web monitoring site RansomLook. This year, dairy data firm Lactanet and dairy co-op Agropur both had their data compromised in similar incidents.
And earlier this summer, Federated Co-operatives, a major food supplier in Western Canada, was hit by a ransomware attack that resulted in several weeks of empty shelves at dozens of member stores.
Canadian intelligence officials have counted 13 ransomware incidents in the agriculture sector so far this year, though they acknowledge the number is likely higher, given that many go unreported.
This may represent a small fraction of the overall number of cyber incidents. In 2022, four per cent of ransomware victims were in the food sector, compared to 18 per cent in manufacturing.
But these figures can obscure how food producers are often affected by attacks in other sectors. A June ransomware incident at the car dealership software company CDK Global, for example, reportedly also disrupted sales of farm vehicles.
And while outages at large companies have received the most attention, smaller agriculture businesses haven’t been spared either.
In March, a veterinarian serving pork and cow farms in southern Ontario had a trove of data leaked online, including lab results and other customer information.
Among hackers, the agri-food industry is considered “low-hanging fruit,” according to Ali Dehghantanha, who holds a Canada Research Chair in cybersecurity and threat intelligence at the University of Guelph.
In the past, that dubious honour might have gone to the health-care sector, Dehghantanha said. But cyber-security standards have improved in response to crippling attacks against hospital networks.
Now, dark-web forums are filled with chatter about the vulnerabilities of smart-agri devices.
“Clearly that shows there is a shift. There is a lot more interest from the attacker's perspective.”
The question of Russia’s role
Determining exactly who is behind a ransomware attack can be difficult, even though many ransomware groups openly claim credit for their exploits on the dark web.
Some ransomware groups make their software — which can exfiltrate and then encrypt data — available to affiliates in exchange for a fee or a share of profits if ransom is paid.
Other hackers, known as initial access brokers, sell network access to ransomware groups, who then deploy their software.
Of the publicly reported ransomware attacks against the Canadian agriculture sector since 2020, most have been claimed by Russia-based groups, according to a review by CBC News of cyber-security publications and materials posted on the dark web.
“There is compelling evidence to suggest that some of these ransomware groups are operating within the confines of receiving some level of state support from the Russian government,” said Ryan Westman, director of threat intelligence at eSentire, a cyber-security firm.
The ransomware attack on Federated Co-ops, for instance, was claimed by a group known as Akira, which was also behind a recent series of disruptive attacks in Finland and Sweden.
“While we are aware of a claim made online allegedly related to this incident, to our knowledge, there has not been any consumer or employee data publicly posted to date,” the co-operative said in a brief statement to CBC News.
Akira is widely believed by cyber-security experts to be an extension of a disbanded group called Conti, which chat logs leaked in 2022 indicated had ties to the Russian secret service.
“The relationship between nation-states and ransom groups, I would say, is a dotted line at times,” said Sami Khoury, who heads the Canadian Centre for Cyber Security, a branch of the Canadian Security Establishment.
“These ransomware groups operate with some impunity … that is sanctioned by the Russian government. That's the reality of what we are facing.”
Citing security reasons, Khoury declined to speak about specific groups, during an interview at the centre’s nondescript headquarters in Ottawa.
But he reiterated the Five Eyes intelligence community’s assessment, first issued in 2022, that Russia could use cyberattacks to retaliate against Ukraine’s allies.
“Since Russia's illegal invasion of Ukraine, we have been concerned about cyber activities that Russia has used in Ukraine and the risk of these malicious code, or malicious malware, making its way into Canada,” Khoury said.
In May, the Canadian Centre for Cyber Security joined U.S. intelligence agencies in issuing a warning about pro-Russian hackers gaining remote access to food and water infrastructure.
That warning mentions a water utility in Texas, where a pro-Russia group reportedly hacked a pumping system and caused a tank to overflow. The group is sponsored by a Russian military intelligence unit, according to cyber-security firm Mandiant.
Protecting the food supply
With a few notable exceptions, Canadian law enforcement hasn’t been able to successfully prosecute foreign perpetrators of ransomware attacks, largely due to a lack of co-operation.
Canadian authorities, though, say they are taking an increasingly active role in trying to disrupt ransomware actors.
The RCMP was part of an international effort earlier this year to take control of a website run by a group called LockBit, which claimed credit for hacking the Indigo bookstore chain in 2023.
The Liberal government is also seeking to expand CSE’s power as part of legislation aimed at better protecting critical infrastructure from cyberattacks.
But the bill, C-26, makes no mention of the food and agriculture sector.
By way of comparison, a bipartisan bill introduced earlier this year in the U.S. Congress — the Farm and Food Cybersecurity Act — would require periodic reviews of the agriculture sector’s cybersecurity.
In April, the U.S.’s Cybersecurity and Infrastructure Security Agency organized a war games-like exercise to test the industry’s readiness to face cyberattacks.
Dehghantanha, the Guelph cyber-security professor, says no similar effort has been undertaken for the farming industry in Canada.
When such exercises were done for the financial sector, they revealed that if 15 per cent of Canadian credit cards were compromised, the financial system would collapse.
But there is little understanding of how cyberattacks on Canadian farms would affect the country’s food supply, Dehghantanha said.
“There is a big need that we conduct cyber range exercises for the ag and food sector so we can better understand how an adversarial nation might plan an attack here,” he said.
McLaren, the dairy farmer from Drumbo, Ont., wants policymakers to recognize the urgency in boosting the industry’s cyber-security standards.
“It's a growing problem and we need to put steps in place right now with the industry experts so that it doesn't become a big problem,” he said.
“It's food security, it's animal welfare and it's the financial sustainability of farms that are at risk.”
Editing & layout by Hanna Lee