A Russia-based hacker group victimized JBS Foods, the world’s largest meat producer, in a ransomware hack this week, according to the FBI.
Other hackers, based in Russia and elsewhere, struck the Colonial Pipeline and other infrastructure, water-treatment plants, small businesses, Washington D.C.’s Metropolitan Police Department and even hospitals.
With easily accessible hacking tools and hard-to-trace financing amid the rise of cryptocurrency, cybercrime is soaring around the world, experts say.
Homeland Security Secretary Alejandro Mayorkas said as much last month, adding that ransomware attacks cost victims a combined $350 million last year.
As hackers grow bolder in the scale of their attacks, could their attempts to disrupt, damage and steal be considered a "dry run" for a potentially more devastating future attack?
FOX Business spoke with a number of experts Wednesday to find out.
It’s possible, according to some of them – but it could be too soon to say, and there’s not enough evidence.
"That is an interesting mindset – slightly paranoiac," said Laura Hoffner, chief of staff at Concentric, a Washington-based security and risk management firm. "I think it would actually more so be cyber-actors are catching on to how lucrative this business is."
A real dry run, if proven to be sponsored by a foreign government, would be an act of war, she said.
But hacking groups can hold a system hostage and demand payment in cryptocurrency, causing some chaos in the process but not necessarily wanting to cause widespread calamity.
Still, Hoffner said cybercriminals were becoming increasingly willing to exploit soft targets.
"It used to be, a Red Cross hospital, you don't attack that," she said. "But we saw in the last year the attacks on schools, attacks on hospitals, and now these large-impact attacks such as the pipeline, such as the meat industry – impacting the average citizen indirectly and directly."
Former Virginia Rep. Denver Riggleman, who also served in both military and private intelligence, said it’s important to publicly demonstrate serious repercussions for hackers, regardless of whether they operate on behalf of a government, criminal entity or terror group.
"It doesn't matter if you're shot on accident or shot on purpose, you're still getting shot," he said. "Whether they're building some type of cyberattack plan against us or whether it's criminal elements that are seeing how weak we are in our response, it both adds up to the same thing: And that’s that we have a weak cyberdefense national strategy."
Last month, after the Colonial Pipeline attack left swaths of the Southeast short on gas, Riggleman called for disproportionate retaliation to ransomware attacks.
"We need to pick the first country that f---- with us in a cyber way and bring them to their knees," he said two weeks ago.
On May 12, President Biden signed an executive order outlining new cybersecurity goals. The hacks haven’t stopped, and the former National Security Agency intelligence officer renewed his call for a hawkish response.
"Can you imagine if food, communications and power were taken out all at once in our country for four days?" Riggleman said. "It would be chaos. It would be an absolute zombie apocalypse out there."
Hoffner, speaking in a separate interview, argued against a militarized response, arguing in favor of collaboration between the public and private sectors.
"Similar to how you're dealing with COVID, whatever you do nationally, it's going to be adopted internationally," she said. "And this is an international problem. So there needs to be a lot of collaboration with this."
Even if it’s not a dry-run attack in the eyes of the perpetrator, Riggleman said, the governments sheltering international hacking groups could be using them to garner similar information.
"The issue is that you have Russian criminal, Russian cybercriminal gangs, executing these attacks," Riggleman said. "My guess is they're communicating with the Russian government, and they're building I would say…They're building some type of probably internal document or some type of concept of operations on how to get our critical infrastructure."
Hoffner agreed with that sentiment.
"Not only would it be beneficial for the criminal gangs, but it's, of course, going to be beneficial for the government to get that information from a third party source where they are the ones that are actually getting their hands dirty," she said.
And it’s a lot more difficult to definitively link a foreign government to a cyberattack than a kinetic one involving missiles or combat.
A foreign bomb falls on a U.S. meatpacking plant in an analogy from cybersecurity expert Mark Stamford.
Regardless of who sent it – terrorists, criminals, a hostile government – American industry is under attack, and it could have broader impacts on the economy beyond physical damage to the plant and lost profits. Inflation could jack up the cost of beef – or startups could see unexpected new barriers to entry related to the costs of must-have cyberdefenses.
"The people who are attacking you, it’s their business to do this," Stamford said. "They make profit by spending their time to get into your network…It’s hard for companies to deal with, because everyone else is trying to make profit by selling services, and you don’t want to spend on cybersecurity as you possibly should."
The bomb itself cost money and resources to make, and additional money and resources to transport to its target. Then, after it detonated, it was gone.
But tools used by cybercriminals to force a similar outcome, disrupting food production or shutting down a company’s systems, can be used more than once. And freely copied.
So they are spreading and attacks are on the rise, according Stamford, the CEO of cybersecurity firm OccamSec.
"If I launch a cyberattack against you, [if] anyone else is able to somehow get a copy of that attack that I use, they can go and use it as well," he said. "So I think that what's happened is, you've got this proliferation of bad stuff. And once it's out there, everyone else gets it, rebadges it and pushes it back out there – which doesn't happen in the in the physical world."
Further complicating the matter, he said, is that going after the bad guys in retaliation isn’t always so simple, if bad actors cover their tracks or use other people’s compromised systems to launch their attacks.
Stamford’s firm OccamSec probes clients’ networks for faults and has them fixed, but he’s also calling for greater collaboration between the government and companies that rely on the Internet to do business – even while opposing government regulations on security measures, which he said criminals could just look up and learn to abuse.
"The government is by far the best organization that collects intelligence," he said. "The government apparatus for that is massive. But I think that if we had the government share their intelligence on bad guys with every company, not just the biggest ones…I think that would massively help us."
And he said companies and governments need to stop looking at cyberdefense as something similar to physical defense and envision a new format of site-specific defense plans.
In addition to the Russia-based groups, a hacking group with suspected links to the Chinese government broke into the Metropolitan Transportation Authority earlier this year, according to a new New York Times report. The MTA serves millions of customers a day in and around New York City. And it had been breached at least two other times by foreign hackers in recent years.
"Ransomware attacks from non-state actors are not necessarily politically driven," said Manoj Mahajan, a cybersecurity expert and former defense officer with a PhD in technology, policy and innovation. "I view these attacks as targets of opportunity for monetary gain."
On the other hand, ransom attacks don’t have to always be motivated by a desire to collect ransom, according to Waterfall Security Solutions CEO and co-founder Lior Frenkel, whose firm offers one-way connectivity that he says makes certain types of external intrusions impossible.
"The fact that there is an attack, the fact that operations were impaired, even the fact that there was a ransom request – doesn’t mean for 100% that this is a ransom attack," he said. "It might be a terror attack in this case."
It might be a dry run, or "balloon test" to see how the U.S. would respond, he said. But he added that he has not seen evidence forecasting an impending larger scale, more serious attack.
"I still believe that these are criminal motivations," he said. "These guys want to get a lot of money. They saw that two weeks ago Colonial paid $4.5 million. You know, ‘Why not us?’"
With each new attack comes a renewed attention on existing cybersecurity deficiencies, but not all businesses and infrastructure sites are adopting stronger defenses, even though they exist on the market today.
"The Colonial Pipeline incident last month was unprecedented, and it is almost unfathomable that it occurred – despite warnings and longstanding fears about this very type of critical infrastructure incident," said Emil Sayegh, a cybersecurity expert and CEO of the cloud-computing firm Ntirety. "Now we have another attack that paralyzed meat-processing activities in the U.S. and Australia. We have arrived at this position of vulnerability even though experts long warned about this, while government and industry did little to build up our cyber-defenses."
Possible solutions include multilayered cyberdefenses, redundant fail-safes, threat detection and vulnerability assessments from white-hat hacking firms – good guys who use bad guy methods to find and fix flaws before they can be exploited.
And the mom-and-pop restaurant down the street could stick with an old cash register rather than an Internet-linked point of sale system, if network security drives up costs too much.