The REvil (Sodinokibi) group, the hackers who attacked the world’s largest meat producer JBS in May this year, had been stealing data from the food giant’s branches in Australia and Brazil for several months. According to experts from SecurityScorecard, the “reconnaissance” phase of the cyberattack began in February this year. The research draws on multiple public and private sources of information, dark web observations, and research tools such as NetFlow, which monitors digital traffic flows.
A spokesman for JBS USA challenged the experts’ findings and said they did not agree with the results of the preliminary investigation conducted by outside experts.
The researchers said they began collecting location data for JBS in Australia in March. Experts revealed the credentials of employees of the Australian branch of the company on the darknet right before the start of the hack.
During its investigation, SecurityScorecard discovered that TeamViewer traffic was directed to an IP address in India. This could mean that the attacker installed TeamViewer in the JBS Australia network environment. This activity happened in the same time period as the data theft. The connection could have been used to maintain access to the environment. Since TeamViewer supports file transfer, some data could also have been stolen in this way.
SecurityScorecard also found evidence of data theft from JBS in Brazil in April and May this year, but it is not known how and where the hackers broke into the São Paulo food company.
Using global analytics, including NetFlow, the researchers identified multiple data transfers from the JBS environment since March 2021.
For example, over 45 GB of data was transferred to the file sharing site Mega between March 1 and May 30, 2021. In addition, the data transfer was split into a dozen smaller transactions over a three-month period. Between March 1 and May 29, 2021, a total of 5 TB of data was transferred to Hong Kong.
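A flow-level check for the pattern described above, where an upload is split into many smaller transfers: summing outbound bytes per host and destination over the whole window catches what a per-transfer size threshold misses. This is an added example, not SecurityScorecard's tooling; the flow records, host addresses, destination categories and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

GB = 10**9

# Constructed flow summaries: (day, internal host, destination category, bytes out).
# Hosts, categories and sizes are invented for this example.
SIZES_GB = [4, 3, 5, 4, 3, 4, 5, 3, 4, 4, 3, 4]  # twelve uploads, 46 GB in total
FLOWS = [
    (date(2021, 3, 1) + timedelta(days=8 * i), "10.0.4.17", "file-sharing", s * GB)
    for i, s in enumerate(SIZES_GB)
] + [
    (date(2021, 4, 5), "10.0.7.40", "file-sharing", 2 * GB),  # one-off upload
    (date(2021, 5, 12), "10.0.9.3", "cloud-backup", 6 * GB),  # single backup job
]


def per_flow_alerts(flows, per_flow_limit):
    """Naive rule: alert only when one transfer reaches the size limit."""
    return [f for f in flows if f[3] >= per_flow_limit]


def windowed_totals(flows, start, end, window_limit):
    """Sum outbound bytes per (host, destination) between start and end
    (inclusive) and return the pairs whose total reaches window_limit."""
    stats = defaultdict(lambda: {"total": 0, "flows": 0, "largest": 0})
    for day, host, dest, nbytes in flows:
        if start <= day <= end:
            entry = stats[(host, dest)]
            entry["total"] += nbytes
            entry["flows"] += 1
            entry["largest"] = max(entry["largest"], nbytes)
    return {pair: e for pair, e in stats.items() if e["total"] >= window_limit}


if __name__ == "__main__":
    # Assumed thresholds: 10 GB per transfer, 40 GB per three-month window.
    print("per-flow alerts:", per_flow_alerts(FLOWS, 10 * GB))
    hits = windowed_totals(FLOWS, date(2021, 3, 1), date(2021, 5, 30), 40 * GB)
    for (host, dest), e in hits.items():
        print(host, dest, e["total"] // GB, "GB in", e["flows"], "transfers")
```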
Let me remind you that we also reported that REvil developers made a $1 million deposit on a hacker forum.