Full Report
Reports said the dairy company Sayanmoloko's plant in Semyonishna was attacked with LockBit ransomware, possibly because of its support for Russian troops in Ukraine. Company printers reportedly churned out leaflets.
Analysis Summary
# Incident Report: LockBit Ransomware Attack on Siberian Dairy Plant
## Executive Summary
The Semyonishna plant of Sayanmoloko, the largest dairy processor in southern Siberia, was compromised in early December by an unidentified group using LockBit ransomware. The attackers reportedly used remote access software to deploy the malware across systems that had no antivirus protection. Printers at the plant were made to print leaflets condemning the company's support for the Russian military, and the government-run product labeling system was disrupted. Milk processing reportedly returned to normal, but the incident shows how exposed a food producer's production-supporting IT is when remote access tooling is unmanaged and endpoints are unprotected.
## Incident Details
- Discovery Date: Shortly before reporting in early December (exact discovery date not specified)
- Incident Date: Earlier in December
- Affected Organization: Semyonishna plant (owned by Sayanmoloko)
- Sector: Food Processing/Dairy
- Geography: Khakassia Republic, Southern Siberia, Russia
## Timeline of Events
### Initial Access
- Date/Time: Early December (unspecified)
- Vector: Remote Access Software (AnyDesk)
- Details: Attackers reportedly used AnyDesk to spread the ransomware across the network; the targeted systems reportedly had no antivirus protection. Whether AnyDesk was already present as a sanctioned tool or was installed by the attackers was not reported.
### Lateral Movement
- Details: The same AnyDesk access was reportedly used to push LockBit to other hosts on the company network; no further detail on how individual hosts were reached was published.
### Data Exfiltration/Impact
- Impact: Systems were encrypted with LockBit. Printers were hijacked to print leaflets condemning the company's financial support for the Russian army in Ukraine. The government-run product labeling system (used for counterfeit tracking and product safety) was disrupted. Milk processing was reportedly not affected in the long term. No data exfiltration was reported.
### Detection & Response
- Public confirmation: The attack was confirmed by the plant's director and commented on by the regional FSB office; how and when the intrusion was first detected internally was not reported.
- Response Actions: Operations for milk processing returned to normal (stated by the director). Specific containment/eradication details were not released, though previous reports suggest the company recovered.
## Attack Methodology
- Initial Access: Compromise via Remote Access Software (AnyDesk).
- Persistence: Not detailed. An attacker-controlled AnyDesk installation would normally also serve as a persistence mechanism, but the reporting does not confirm this.
- Privilege Escalation: Not detailed.
- Defense Evasion: None required on the reported hosts, which lacked antivirus protection.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Spread via AnyDesk remote access tooling.
- Collection: Not detailed.
- Exfiltration: Not reported. LockBit affiliates commonly steal data before encrypting, but no data theft was claimed or confirmed in this case.
- Impact: Encryption (LockBit), operational disruption (labeling), and defacement/propaganda release (printing leaflets).
## Impact Assessment
- Financial: Not disclosed (ransom demand/payment status unknown).
- Data Breach: Systems were encrypted; whether any data was exfiltrated is unknown.
- Operational: Disruption to product labeling systems; processing capacity recovered.
- Reputational: Significant negative public exposure due to politically motivated propaganda leaflets printed on-site.
## Indicators of Compromise
- Network indicators: None published (no IP addresses, domains or hashes). The only reported network-level signal is AnyDesk remote sessions on hosts where the tool was not sanctioned.
- File indicators: LockBit ransomware; the specific variant, sample hashes, encrypted-file extension and ransom-note text were not published.
- Behavioral indicators: Mass printing of custom, politically charged leaflets from networked printers; AnyDesk process and session activity preceding encryption.
## Response Actions
- Containment Measures: Not detailed beyond the statement that processing was restored; the encryption event implies affected systems were isolated and rebuilt or restored, but no specifics were released.
- Eradication Steps: Implied by the restoration of processing; the company website remained non-functional at the time of reporting.
- Recovery Actions: Milk processing operations returned to normal.
## Lessons Learned
- Basic security hygiene: The affected systems reportedly had no antivirus protection, so a well-known, widely detected ransomware family could be deployed without resistance.
- Remote access tooling: Remote access software such as AnyDesk, whether legitimately installed or dropped by an attacker, gives an intruder a convenient channel for both initial access and lateral movement unless its use is inventoried and restricted.
- Geopolitical risk: Critical infrastructure, even in the food sector, is susceptible to politically motivated cyberattacks linked to international conflicts.
## Recommendations
- Deploy and keep current an endpoint detection and response (EDR) or, at minimum, antivirus solution on every host, including the servers that support production (labeling, printing) and any operational technology that can carry an agent.
- Inventory and restrict remote access tools such as AnyDesk: block them where they are not sanctioned, require MFA and named accounts where they are, and alert on sessions from unexpected hosts, accounts or times.
- Isolate and segment OT (Operational Technology) networks from corporate IT networks to prevent lateral movement from affecting core production systems.
- Perform regular security audits focusing on system hardening benchmarks for all production-critical assets.
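The remote access monitoring recommended above and the behavioral indicators listed under Indicators of Compromise (unsanctioned AnyDesk sessions, a burst of print jobs) can be turned into simple detections. The following Python is an added example written for this report; it is not code from the original reporting or from the affected company. The pipe-delimited log format, host names, allowlist, thresholds and window size are assumptions, and the log lines are constructed to resemble the reported behavior.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts where IT has sanctioned AnyDesk (assumed allowlist, not from the report).
ANYDESK_ALLOWED_HOSTS = {"it-admin-01"}

# Constructed sample telemetry in an assumed format:
#   timestamp|host|user|event_type|detail
SAMPLE_LOGS = [
    "2024-12-02T08:01:10|it-admin-01|svc_admin|process_start|AnyDesk.exe",
    "2024-12-02T08:02:00|it-admin-01|svc_admin|remote_session|anydesk session opened",
    "2024-12-02T22:14:03|label-srv-02|operator|process_start|AnyDesk.exe",
    "2024-12-02T22:15:40|label-srv-02|operator|remote_session|anydesk session opened",
    "2024-12-02T22:20:00|label-srv-02|operator|print_job|HP-Line1 daily_labels.pdf",
] + [
    # Twelve print jobs within one minute from the labeling server.
    f"2024-12-02T22:31:{s:02d}|label-srv-02|operator|print_job|HP-Line1 leaflet.pdf"
    for s in range(0, 60, 5)
] + [
    "2024-12-02T09:00:00|office-pc-07|clerk|print_job|Office-MFP invoice.pdf",
]


def parse_line(line):
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, host, user, event, detail = line.split("|", 4)
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "event": event,
        "detail": detail,
    }


def detect_unsanctioned_anydesk(events, allowed_hosts=ANYDESK_ALLOWED_HOSTS):
    """One alert per host that shows AnyDesk activity without being on the allowlist."""
    seen = {}
    for e in events:
        if e["event"] not in ("process_start", "remote_session"):
            continue
        if "anydesk" not in e["detail"].lower() or e["host"] in allowed_hosts:
            continue
        entry = seen.setdefault(
            e["host"], {"rule": "unsanctioned_anydesk", "host": e["host"],
                        "first_seen": e["time"], "user": e["user"], "events": 0}
        )
        entry["events"] += 1
    return list(seen.values())


def detect_print_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding window per host; alert when print jobs in any window reach the threshold."""
    by_host = defaultdict(list)
    for e in events:
        if e["event"] == "print_job":
            by_host[e["host"]].append(e["time"])
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        peak = 0
        for i, t in enumerate(times):
            # Advance the window start until all jobs inside it fall within `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            alerts.append({"rule": "print_burst", "host": host,
                           "peak_jobs_in_window": peak})
    return alerts


def run_detections(lines):
    """Parse the lines and return all alerts from both rules."""
    events = [parse_line(line) for line in lines]
    return detect_unsanctioned_anydesk(events) + detect_print_bursts(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOGS):
        print(alert)
```

On the constructed input the AnyDesk rule fires for label-srv-02 (not on the allowlist) and stays silent for it-admin-01, and the print-burst rule fires for label-srv-02 with twelve jobs inside the five-minute window while the single office print job is ignored. In a real deployment the allowlist would come from the asset inventory and the thresholds would be tuned against a baseline of normal label-printing volume, since a labeling server legitimately prints in bursts.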