Agriculture in the crosshairs of nation-state sponsored hackers (3/5)

If you want to overcome your adversaries you must know both yourself and your enemies, and fully understand your enemies’ intentions. Hunt & Hackett has observed an discerning increase of activity of Advanced Persistent Threat groups (APTs) in the agricultural sector. In this series of blogs, the threat posed by APTs to agriculture industries is analyzed and it is explained what motives lie behind these cyber-attacks. In this and the  next part of the series, the strategic motives of the most active nations are scrutinized along with their APTs key statistics, starting off with China and Russia.

The Democratic Republic of China is well underway of becoming the global hegemon, challenging the United States who currently hold this position. To succeed in its catch-up, China has active policy in place to acquire foreign technology and know-how. The policy consists of a multifaced plan that is meant to perform an upgrade to China’s economy and overall power. Modernizing the agricultural industry is a vital part of the plan. Feeding 1.4 billion people is not an easy task, given the fact China has only a relatively low percentage of land fit for agriculture and is facing increasing desertification and deforestation, further reducing their amount of agriculture land. Western technology and knowledge would surely increase the resilience of the Chinese food system and the efficiency of their farming practices.

China has many partnerships, regulatory strategies and corporate practices in place to overcome the innovation gap between them and the global West. Although a lot of information is exchanged, Western states and companies are not quite eager to share their most valued secrets, as one can imagine. In order to acquire precisely these kinds of secrets, the Chinese government has a known record of deploying their vast cyber apparatus. The Chinese APTs carry out numerous attacks all around the globe. In the agricultural industry, espionage and information theft have been singled out as their main motives. This illustrates clearly that APTs are being used to support China’s modernization efforts and play an important role in achieving its strategic goals (see also figure 1).

China's strategic goals

Figure 1 - China's multipronged approach to its innovation driven economic growth model.

An example of a Chinese APT active in agricultural and industrial sectors is APT 41, also known as WICKED PANDA. This hacker group, which has also been observed in the Netherlands1, became known to the public after they hacked Bayer, the largest agricultural supply company in the world. Bayer claims that they have found no evidence of information theft, fortunately2.

Hunt & Hackett outsmarts hostile APTs by tracking and anticipating their preferred attacking methods (TTPs) and the Tools they use. Hunt & Hackett is aware of 33 APT-groups, which have been attributed to China, which are targeting agriculture or related industries now and in the past. Do note that some of them aren't active anymore, or at least have not been noticed by other security vendors in the past couple of years. Of these 33 APT-groups, 489 TTPs and 490 Tools leveraged by Chinese APTs are known to Hunt & Hackett.

  Key Stats China: Agriculture and Related Industries
APTs 33
Names of APTs APT1; APT10; APT15; APT17; APT18; APT19; APT20; APT23; APT26; APT27; APT3; APT40; APT41; APT5; BlackTech; Blue Termite; DragonOK; Ice Fog; etc.
Level of Sophistication High
Main Motives Information Theft; Espionage
TTPs 489
Tools 490

Table 1 - Key statistics on APTs originating from China, and the TTPs and Tools they use in the agricultural and related industries as observed by Hunt & Hackett.

In the aftermath of the downfall of the USSR, Russia fell into chaos transforming from a state led market to an open and free economy. The first ten years, there was hardly any progress if not a set-back. Under President Putin, order was restored, and efforts to modernize the former leading Soviet nation could begin. For the agricultural sector, this was and still is a difficult task, given the fact that heavy industry had been prioritized over agriculture for the greater part of the 20th century.

That Russia is moving up the agricultural industry on their agenda is illustrated by several Food Security strategies being released in the last ten years. In the strategy documents, it is underlined that Russia needs to move towards self-sufficiency and away from dependency of other nations. It is also discussed how Russia’s food industry should cope with the threat of enduring international sanctions by stimulating the domestic (bio)technology- and scientific sector3.

Russia has never shied away from using illicit methods for the nation’s economic benefit. Not in the past, not in the present and not in the future. Making use of their highly skilled and sophisticated APTs in support of modernization efforts has been a key part of Russia’s strategic planning. Shopping abroad what you lack domestically seems to be the motto of Russia’s modernization strategy. This was also the conclusion of the Dutch general intelligence service, the AIVD, as they wrote in their 2020 yearly report4. In terms of activity, Russia is not the most dangerous adversary. In terms of quality, however, there are few countries that can trump Russian offensive cyber skills.

A very recent example of Russian cyber-aggression was a Russian APT  exploiting a vulnerability in popular and widely used software by the American company SolarWinds.

The state-backed hackers hid a backdoor in an update package, so when users would update their software the Russian gained access. By doing so, Russian state-backed hackers could access the systems of around 18.000 SolarWinds clients (see also figure 2).


How the Solarwinds hack took place

Figure 2 - How the Solarwinds hack took place.


A total of 18 Russian APT-groups (now and in the past) that have been active in agriculture or related industries are known to Hunt & Hackett. To counter and to be prepared for their cyber-attacks in the future, Hunt & Hackett tracks the TTPs and Tools they have employed in the past. At this moment, Hunt & Hackett has encountered 423 TTPs and 339 Tools used by Russian APTs in the relevant industries.

  Key Stats Russia: Agriculture and Related Industries
APTs 18
Names of ATPs Anunak; APT28; APT29; ELECTRUM; Hades; Inception Framework; INDRIK SPIDER; OldGremlin; Operation BugDrop; TA505; TeamSpy Crew; TEMP.Veles; Turla Group; UNC1878; Union Spider; VENOM SPIDER; etc.
Level of Sophistication High
Main Motives Information Theft; Financial Gain; Espionage
TTPs 423
Tools 339
Table 2 - Key statistics on APTs originating from Russia, and the TTPs and Tools they use in the agricultural and related industries as observed by Hunt & Hackett

This part of the Hunt & Hackett series of blogs on agriculture dealt with the strategic motives of two of the most active attacking nations: China and Russia. The next part of the series will take a closer look at two other countries that don’t shy away from using their APTs for cyber-espionage in the agricultural industry: Iran and North Korea.



Keep me informed

Sign up for the newsletter