The cybercriminal group REvil (Sodinokibi), which attacked the world’s largest meat producer, JBS, in May this year, had been stealing data from branches of the food giant in Australia and Brazil for several months.
According to experts from SecurityScorecard, the “reconnaissance” phase of the cyberattack began in February this year. The research draws on multiple public and private sources of information, dark web observations, and research tools such as NetFlow, which monitors digital traffic flows.
A spokesman for JBS USA challenged the experts’ findings and stated that they did not agree with the results of the preliminary investigation conducted by outside experts.
“We did not find any evidence of theft of company data or that the Brazilian subsidiary was affected by the attack. The investigation is ongoing,” said company spokesman Nikki Richardson.
The researchers said they began collecting location data for JBS in Australia in March. Experts revealed that credentials of employees of the company’s Australian branch were on the darknet right before the start of the hack. During its investigation, SecurityScorecard discovered that TeamViewer traffic was directed to an IP address in India. This could mean that the attacker installed TeamViewer in the JBS Australia network environment. This activity happened in the same time period as the data theft. The connection could have been used to maintain access to the environment. Since TeamViewer supports file transfer, some data could also have been stolen in this way.
SecurityScorecard also found evidence of data theft from JBS in Brazil in April and May this year, but it is not known how and where the hackers broke into the São Paulo food company’s networks.
“As with other ransomware operations, attackers are likely interested in stealing data and possibly publishing it on the darknet if the victim doesn’t pay. Typically, hackers steal data before encrypting files and then use it for extortion,” the researchers explained.
Using global analytics, including NetFlow, they discovered multiple data transfers from the JBS environment since March 2021. For example, more than 45 GB of data was transferred to the file-sharing site Mega between March 1 and May 30, 2021. In addition, the data transfer was split into a dozen smaller transactions over a three-month period. Between March 1 and May 29, 2021, a total of 5 TB of data was transferred to Hong Kong.
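A transfer split into many smaller transactions can stay under per-flow volume alerts, so defenders also need a cumulative check per source and destination over a long window. The following is an added example, not code from the article or from SecurityScorecard; the flow tuple format, hostnames, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

GB = 10**9

# Constructed sample flow summaries: (day, internal source, external destination, bytes out).
# Private addresses and .example hostnames are placeholders, not real indicators.
FLOWS = [
    (date(2021, 3, 1) + timedelta(days=7 * i), "10.0.5.20", "file-sharing.example", 4 * GB)
    for i in range(12)  # a dozen weekly transfers, each small on its own
] + [
    (date(2021, 3, 3), "10.0.5.21", "backup.example", 30 * GB),  # one large flow
    (date(2021, 4, 10), "10.0.5.22", "cdn.example", 1 * GB),     # ordinary traffic
]

def cumulative_outliers(flows, window_days=90, per_flow_alert=10 * GB, total_alert=40 * GB):
    """Return {(src, dst): (total_bytes, flow_count)} for pairs whose outbound
    volume inside any sliding window reaches total_alert even though every
    individual flow stayed below per_flow_alert."""
    by_pair = defaultdict(list)
    for day, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((day, nbytes))

    hits = {}
    for pair, records in by_pair.items():
        records.sort()
        if any(n >= per_flow_alert for _, n in records):
            continue  # a per-flow rule already fires; this check covers what it misses
        start, running, best = 0, 0, (0, 0)
        for end, (day, nbytes) in enumerate(records):
            running += nbytes
            # Drop flows from the left until the window spans fewer than window_days.
            while (day - records[start][0]).days >= window_days:
                running -= records[start][1]
                start += 1
            if running > best[0]:
                best = (running, end - start + 1)
        if best[0] >= total_alert:
            hits[pair] = best
    return hits

if __name__ == "__main__":
    for (src, dst), (total, count) in cumulative_outliers(FLOWS).items():
        print(f"{src} -> {dst}: {total / GB:.0f} GB in {count} flows")
```

With a 30-day window the same sample produces no hit, which is why the window has to be as long as the period an intruder may spend in the environment.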