(Bloomberg) -- After a furious run of ransomware attacks in the first half of the year, President Joe Biden in July warned his Russian counterpart, Vladimir Putin, that Russia-based hacking groups should steer clear of 16 critical sectors of the U.S. economy.
In recent days, a Russia-linked ransomware group called BlackMatter attacked a grain cooperative in Iowa, an incident that appears to test Biden’s terms since “food and agriculture” is one of the protected sectors.
In messages with Bloomberg News, however, BlackMatter said it has rules for how it operates its ransomware operation, a sort of ethical playbook for an illegal enterprise. Hospitals, the defense industry and the government sector are off-limits, according to details on the group’s dark web page. The hack on Iowa’s New Cooperative, however, didn’t violate Biden’s mandate, the group says.
“The volumes of their production do not correspond to the volume to call them critical,” BlackMatter said in messages via its dark web page. The group said it has refrained from attacking dozens of companies that are “really critical” like “companies associated with oil, minerals and many others much more serious.”
“We don’t see any critical areas of activity,” the group said. “Also this company only works in one state.” New Cooperative operates in Iowa, which produces the most corn in the U.S. and the second most soybeans.
The White House didn’t immediately respond to a request for comment, and the U.S. Cybersecurity and Infrastructure Security Agency declined to comment.
Cybersecurity experts have previously warned that claims in which ransomware groups appear to take the high ground should be taken with a grain of salt. Other groups have previously vowed to steer clear of hospitals and medical facilities. “It is nice that an uneducated backwoods Russian can decide what does and doesn’t count as critical infrastructure,” said Allan Liska, senior threat analyst at the cybersecurity firm Recorded Future Inc.
The attack occurred on or around Friday, and BlackMatter is demanding a $5.9 million ransom, Liska said.
New Cooperative said they had contacted law enforcement and were working with data security experts to investigate and remediate the situation.
“New Cooperative recently identified a cybersecurity incident that is impacting some of our company’s devices and systems,” according to a statement from the cooperative. “Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained.”
New Cooperative has communicated with its feed customers and is working to create workarounds to get feed to animals while its systems are down, a person familiar with the matter said. Farmers told Bloomberg News that grain delivery, normally a digital process, has gone old school. Workers are using paper tickets to take down truck weight and grain moisture content by hand, slowing down the process considerably, the farmers said.
Based in Fort Dodge, Iowa, New Cooperative has over 50 locations across Iowa and is among the larger crop buyers from its farmer members. The cooperative, which in July announced a merger with MaxYield Cooperative, also distributes fuel and crop chemicals.
BlackMatter is believed to be linked to the ransomware group DarkSide, which attacked Colonial Pipeline Co. earlier this year, triggering fuel shortages along on the East Coast. The Colonial hackers attempted to publicly distance themselves from the real world impact of the hack, claiming their operation was strictly financially motivated. But within months, the DarkSide operation’s infrastructure disappeared from the dark web, and the FBI had clawed back a chunk of Colonial’s $4.4 million ransom payment.
BlackMatter’s hackers are native Russian speakers and their code is in Russian, Liska said.
According to a post on BlackMatter’s website, the ransomware group has stolen New Cooperative’s financial information, human resources data, research and development information and source code for its “SoilMap” product, a technology platform for agricultural producers. A message on SoilMap’s website says the product is currently unavailable.
While BlackMatter says it has rules for hacking, they don’t apply to victims who it considers fair game, including New Cooperative.
“They will pay or have nothing,” the ransomware group said in a message Monday.